What Is a Brute Force Attack: Methods, Tools, and How to Stop Them
An encyclopedic guide to brute force attacks — the different types from simple to credential stuffing, the tools attackers use, and the technical controls that make brute force attacks impractical.
What Is a Brute Force Attack?
A brute force attack is a method of gaining unauthorized access to a system by systematically trying every possible password, encryption key, or other authentication secret until the correct one is found. The term derives from the use of computational power ("brute force") rather than exploiting a specific vulnerability in the authentication protocol. Brute force attacks require no knowledge of the correct password — only the ability to make authentication attempts and the time to try enough of them.
Despite appearing rudimentary, brute force attacks remain highly effective and are among the most common attack vectors seen in real-world breaches. Verizon's 2023 Data Breach Investigations Report found that stolen credentials — often obtained via brute force or credential stuffing — were the primary method used in 49% of breaches. The attack is practical against many real-world targets because users persist in choosing weak, predictable passwords despite decades of security education.
Types of Brute Force Attacks
| Attack Type | Description | Best Use Case |
|---|---|---|
| Simple brute force | Exhaustively tries every possible character combination from the shortest to the longest; guaranteed to succeed eventually | Short or simple passwords; offline hash cracking |
| Dictionary attack | Tries words from a precompiled list of common passwords, dictionary words, and known leaked passwords (e.g., RockYou2024 wordlist with 10 billion entries) | Passwords based on words, names, or common patterns |
| Rule-based dictionary attack | Applies transformation rules to dictionary words: leetspeak (a→@, e→3), capitalization variants, appending numbers/years (Password1, password2024!) | Passwords that pass complexity requirements but follow predictable patterns |
| Hybrid attack | Combines dictionary words with brute force character appending/prepending | Passwords like "summer2023!" or "pass1234" |
| Credential stuffing | Uses username:password pairs from previous data breaches against other services; exploits password reuse | Large-scale automated login attacks; highly efficient when credential lists are available |
| Password spraying | Tries a small set of common passwords (Password1!, Welcome1!) against a large number of accounts; avoids account lockout by staying under attempt thresholds | Corporate environments with lockout policies; Active Directory |
| Rainbow table attack | Pre-computed table mapping hashes back to plaintext; dramatically accelerates offline cracking of unsalted hashes | Offline cracking of MD5/SHA1/NTLM hashes without salts |
Attack Targets and Environments
Online Brute Force Attacks
Online attacks target live authentication endpoints: login pages, SSH and RDP remote access services, VPN portals, API endpoints, and web application login forms. Each attempt requires a network connection and server response, making online attacks rate-limited by network speed, server processing time, and defensive measures like rate limiting and lockouts. Typical tools include Hydra, Medusa, and Burp Suite's Intruder module. Online attacks generate significant log noise but are constrained by the target's defensive controls.
Offline Brute Force Attacks (Hash Cracking)
Offline attacks occur after an attacker obtains a database of password hashes (through SQL injection, data breach, or file system access). The attacker can attempt billions of hash comparisons per second locally using GPU acceleration, without any lockout mechanism or rate limiting. Modern hardware enables remarkable speeds:
- MD5 (unsalted): ~100 billion guesses per second on a consumer GPU cluster
- SHA-1 (unsalted): ~50 billion guesses per second
- bcrypt (cost factor 12): ~1,500 guesses per second — designed to be slow
- scrypt/Argon2: Even slower; resistant to GPU acceleration due to memory-hardness
The tool Hashcat supports over 300 hash types and runs on NVIDIA GPUs using CUDA. Combined with comprehensive wordlists and rule sets, it can crack a significant percentage of real-world password databases in hours to days, depending on the hashing algorithm used.
The Mathematics of Brute Force
The theoretical time to brute force a password depends on the character set size and password length. The search space is: Character_Set_Size^Password_Length. For a password using lowercase letters, uppercase letters, digits, and 32 special characters (96 printable ASCII characters):
- 8 characters: 96^8 = ~7.2 quadrillion combinations. At 100 billion/second (MD5): ~72 seconds
- 10 characters: 96^10 = ~66 quintillion combinations. At 100 billion/second: ~7.6 days
- 12 characters: 96^12 = ~612 sextillion combinations. At 100 billion/second: ~194 years
- 20 characters (passphrase): Effectively impossible to brute force in any reasonable timeframe
These numbers explain why NIST SP 800-63B (2017) updated password guidance to focus on length (minimum 8 characters, encourage passphrases up to 64 characters) rather than mandatory complexity rules, which drive users toward predictable substitution patterns.
Tools Used by Attackers
- Hashcat: Industry-standard GPU-accelerated password cracker; supports 300+ hash types; runs on Windows, Linux, macOS
- John the Ripper: Classic open-source password cracker; supports CPU and GPU modes; excellent for diverse hash types on Unix/Linux systems
- Hydra/THC-Hydra: Online brute force tool supporting 50+ protocols (SSH, FTP, HTTP, RDP, SMB, SMTP); parallelized attacks
- Medusa: Similar to Hydra; modular design; focused on speed and parallelism
- CeWL: Custom wordlist generator that scrapes target websites for relevant terms (company names, product names, employee names) to create targeted dictionaries
Defense Strategies
| Defense | Mechanism | What It Addresses |
|---|---|---|
| Multi-factor authentication (MFA) | Requires second factor (TOTP, hardware key); even correct password alone is insufficient | Both online and offline attacks; most effective single countermeasure |
| Account lockout / progressive delays | Lock account after N failed attempts, or exponentially increase delay between attempts | Online brute force; password spraying can bypass per-account lockout |
| Password length requirements | Enforce minimum 12 characters; encourage passphrases; remove maximum length restrictions | Exponentially increases search space for both online and offline attacks |
| Strong password hashing (bcrypt, Argon2, scrypt) | Memory-hard, deliberately slow hashing algorithms make offline cracking computationally expensive | Offline hash cracking after breach |
| Salted hashes | Unique random salt per password appended before hashing; defeats rainbow table attacks; ensures identical passwords hash differently | Rainbow table attacks; precomputed hash attacks |
| CAPTCHA and bot detection | Challenge-response mechanisms that distinguish humans from bots; rate limiting by IP, ASN, or behavioral fingerprint | Automated online brute force and credential stuffing |
| HIBP integration (Have I Been Pwned) | Block registration or use of passwords found in known breach databases; NIST 800-63B recommends this | Dictionary attacks using breach wordlists; credential reuse |
| Breach monitoring and forced resets | Monitor for credentials appearing in breach databases; force password changes proactively | Credential stuffing using stolen pairs |
Related Articles
cybersecurity
Endpoint Detection and Response (EDR): How Modern Threat Defense Works
An encyclopedic guide to Endpoint Detection and Response covering real-time monitoring, behavioral analysis, threat hunting, and how EDR platforms differ from traditional antivirus solutions.
10 min read
cybersecurity
How Antivirus Software Works: Detection Methods and Protection
Understand how antivirus software works, including signature-based detection, heuristic analysis, behavioral monitoring, and real-time protection mechanisms.
8 min read
cybersecurity
How Blockchain Consensus Mechanisms Validate Transactions
Blockchain networks use Proof of Work, Proof of Stake, and other consensus mechanisms to validate transactions without central authority. Compare their tradeoffs and energy costs.
9 min read
cybersecurity
How Cloud Security Misconfigurations Happen and How to Prevent Them
Misconfiguration is the leading cause of cloud data breaches. Learn how S3 buckets get exposed, IAM policies fail, and what the Shared Responsibility Model means for your security.
9 min read