What is a brute force attack?
They're not elegant, but they are effective
There are thousands of ways for hackers to break into your system – but you're more likely to run into some than others. The average person isn't going to be the victim of a complex multi-stage hacking attack. Instead, if someone's gotten into your email account, it's probably thanks to a brute force attack.
Brute force attacks are a tried and tested method for cracking passwords and gaining unauthorized access to systems. If it doesn't sound particularly sophisticated, well, it's not – but it works well with weak passwords.
So, it's a good idea to familiarize yourself with how brute force attacks work and how to defend against them effectively. I'll cover what brute force attacks are and the different types of attacks, and I'll provide some tips for securing your accounts.
What is a brute force attack?
A brute force attack is a hacking method that involves systematically guessing combinations of characters to gain access to a password-protected system.
Unlike more sophisticated forms of cyberattacks, brute force attacks do not require much technical know-how and instead rely on time and scale.
Most of the time, the difference between a successful and unsuccessful brute force attack is the sheer computing power needed to test all possible combinations.
Brute force attacks work by testing every possible combination of input to eventually "crack" the correct one.
The principle is straightforward, but let's look at an example.
A four-digit PIN has 10,000 possible combinations (from 0000 to 9999). Trying each combination by hand is impractical, but an automated tool that tries each combination in turn is, given enough time, certain to hit the right one.
Brute force attacks are far from rare. They're ideal for catching low-hanging fruit when cybercriminals are attempting to break into personal accounts, corporate systems, or even critical infrastructure.
Once a hacker succeeds in a brute force attack, they can potentially steal sensitive data, inject malware, or even commit identity fraud. With access to passwords, an attacker could move laterally within a network, too, gaining control over even more secure systems.
A brute force attack can be carried out on any system that accepts user input, including account logins, encrypted files, and even remote access points. While the most common target is passwords, the method can be applied to any form of authentication, including API keys, cryptographic hashes, and PINs.
Method to the mathematics
All brute force attacks are basically a maths problem – so let's look at the mathematics behind password strength. A four-digit passcode, as mentioned earlier, has a maximum of 10,000 unique combinations. Each character can be a digit from 0 to 9, and there are four digits to enter.
To work out the total number of combinations, you take the number of possible characters (10) and raise it to the power of the length of the passcode (4). Ten to the power of four is 10,000. If you tried one password a second, it'd only take about three hours.
If a password includes both lowercase and uppercase letters (26 characters each) and numbers (10 characters), the search space expands massively. For an 8-character password, the number of possible combinations would be 62^8, or over 218 trillion. At one try a second, that's millions of years.
As the search space grows larger, brute force attacks become more time-consuming and computationally expensive. This is why strong passwords work. The longer a password is and the greater variety of characters it can include, the more work it takes to actually break it.
A strong password is your first and best defense against hackers – so check out our guide to the biggest password mistakes.
This is also why one of the key defenses against brute force attacks is implementing timeouts after several failed login attempts. Yes, it's annoying when you have to try your password again after a few seconds when you've forgotten it, but it drastically increases the time required to carry out an attack.
For instance, a 5-second delay after every three incorrect attempts can stretch the time needed to guess a password by hours, days, or even years, depending on the size of the total search space.
Web-based brute force attacks are pretty slow because of these protections. However, brute force attacks can also occur offline. This is where an attacker steals a hashed version of a password, usually by breaking into a server, and attempts to crack it locally. In such cases, there are no system-imposed timeouts, and the attacker is limited only by their computational power. This makes offline brute force attacks more dangerous since they remove a critical layer of defense.
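The arithmetic from this section, worked through in code. This is an added example rather than anything from the article: it reproduces the 10,000-combination PIN and 62^8 figures, shows what the 5-second-after-three-failures lockout does to the worst-case time, and contrasts online guessing at one try per second with offline cracking, for which the 10^10 guesses-per-second rate is an assumed figure, not one the article gives.

```python
"""Password search space and time-to-crack figures, worked through."""

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(charset_size: int, length: int) -> int:
    """Candidate passwords = charset size raised to the password length."""
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried at a steady rate with no throttling."""
    return space / guesses_per_second


def seconds_with_lockout(space: int, guesses_per_second: float,
                         failures_before_delay: int = 3,
                         delay_seconds: float = 5.0) -> float:
    """Worst case when the service pauses `delay_seconds` after every
    `failures_before_delay` wrong guesses (5 s after 3 attempts by default)."""
    wrong_guesses = space - 1                       # the final guess is the right one
    delays = wrong_guesses // failures_before_delay
    return seconds_to_exhaust(space, guesses_per_second) + delays * delay_seconds


def crack_scenarios() -> dict:
    """Compare the two passwords from the text under online and offline guessing.
    The 10**10 guesses/s offline rate is an assumed value for a GPU cracking rig."""
    pin = search_space(10, 4)        # 0000-9999
    alnum8 = search_space(62, 8)     # a-z, A-Z, 0-9; eight characters
    return {
        "pin_online_hours": seconds_to_exhaust(pin, 1) / 3600,
        "pin_online_hours_with_lockout": seconds_with_lockout(pin, 1) / 3600,
        "alnum8_online_years": seconds_to_exhaust(alnum8, 1) / SECONDS_PER_YEAR,
        "alnum8_offline_hours": seconds_to_exhaust(alnum8, 10**10) / 3600,
    }


if __name__ == "__main__":
    for name, value in crack_scenarios().items():
        print(f"{name:32s} {value:,.2f}")
```

The offline row is the point of the last paragraph: the same eight-character password that would take millions of years to guess through a login form falls in hours once the attacker holds the hash and no lockout applies.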
Types of brute force attacks
Given the huge number of possible combinations involved in brute force attacks, cybercriminals have developed variations to optimize the process.
Each brute force hacking method has its own specific approach – but they all aim to save time while systematically testing passwords.
Credential stuffing
Credential stuffing involves using already-known username and password pairs from previous data breaches.
The attacker doesn't have to guess the credentials. Instead, they "stuff" known credentials into the login page of a target website, hoping their target has reused passwords across multiple platforms.
The "brute force" part comes from the fact that the attacker doesn't know which sites the target has reused their credentials across. Instead, they're guessing that, for example, someone who's used a particular set of credentials on Gmail is also going to reuse those across Instagram, Facebook, and so on.
Dictionary attack
A dictionary attack is a variation of brute force attacks where the hacker uses a precompiled list of potential passwords.
These lists often include the most common passwords or passwords leaked from previous breaches. The hacker systematically tests each password in the list until they find the correct one.
Dictionary attacks are essentially a refinement of brute force attacks that save time by trying the passwords that are statistically most likely to work first.
Reverse brute force attack
In a reverse brute force attack, also known as "password spraying", the hacker starts with a commonly used password (e.g., "123456" or "password") and tries it against multiple usernames.
This approach is particularly effective in large organizations where some services may still use a default password, or where password policies are only loosely enforced.
Hybrid attack
A hybrid attack combines elements of brute force and dictionary attacks. The attacker begins with a dictionary of commonly used passwords and then mutates them by making small variations – like replacing letters with numbers or adding symbols.
For example, "password" could become "P@ssw0rd" or "Passw0rd1."
This type of attack is often more targeted, focusing on users where the hacker already has some sort of intelligence about the type of passwords they’re likely to use.
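From the defender's side, the variants above leave different fingerprints in authentication logs: a classic brute force attack piles failures onto one account, while password spraying spreads one or two guesses across many accounts precisely to stay under per-account lockout thresholds. The following is an added example, not code from the article: it runs a simple per-source classifier over constructed log lines in a made-up format, using documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed log format for this example, not a real product's format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def _line(sec: int, src: str, user: str, result: str) -> str:
    return f"2024-05-01T10:00:{sec:02d}Z src={src} user={user} result={result}"


# Constructed sample traffic: one source hammering a single account, one trying a
# single guess against many accounts, and a genuine user who mistypes once.
SAMPLE_LOG = "\n".join(
    [_line(i, "203.0.113.5", "alice", "FAIL") for i in range(12)]
    + [_line(20 + i, "198.51.100.7", u, "FAIL")
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    + [_line(40, "192.0.2.9", "alice", "FAIL"), _line(41, "192.0.2.9", "alice", "OK")]
)


def parse(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def classify_sources(log_text: str, spray_min_users: int = 5,
                     bruteforce_min_fails: int = 10) -> dict:
    """Flag each source IP as 'brute force' (many failures on one account) or
    'password spraying' (few failures each across many accounts).
    Sources that trip neither rule, such as a user mistyping once, are not reported."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
    findings = {}
    for src, per_user in fails.items():
        worst_account = max(per_user.values())
        if worst_account >= bruteforce_min_fails:
            findings[src] = "brute force"
        elif len(per_user) >= spray_min_users and worst_account <= 2:
            findings[src] = "password spraying"
    return findings


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Per-account lockout alone never sees the spraying source, because no single account exceeds two failures; counting distinct usernames per source is what surfaces it.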
How to prevent brute force attacks
It's hard to prevent brute force attacks entirely – but maintaining good password practices makes it much harder for them to succeed.
Here are my top tips to give your accounts a security boost.
- Create complex passwords: complex passwords are your first line of defense against brute force attacks. By using a mix of uppercase and lowercase letters, numbers, and special characters, you increase the size of the search space that an attacker must navigate.
- Avoid popular passwords: never use simple passwords. These are the first passwords that hackers will try in a brute force or dictionary attack. Avoid using easily guessable personal information, such as family member names, sports teams, or pet names, in your passwords, too, as attackers may use publicly available information to aid their guesses.
- Don't reuse passwords: password reuse is a dangerous habit. If an attacker gains access to one of your accounts, they could use the same password to log in to your other accounts. Using unique passwords for every account ensures that even if one account is compromised, your other accounts remain secure.
- Change passwords regularly: rotating your passwords regularly is an essential security measure. Even if an attacker steals a password, changing it frequently can limit the window of time in which it remains useful.
- Use a password manager: today's best password managers are tools designed to generate, store, and manage strong, unique passwords for each of your accounts. They remove the burden of having to remember dozens of complex passwords and reduce the temptation to reuse them. Many password managers can also alert you if your credentials have been exposed to a breach.
- Enable two-factor authentication: two-factor authentication (or multi-factor authentication) adds an additional layer of security to your accounts. Even if an attacker successfully guesses your password, they would still need access to a second form of authentication, such as a one-time code sent to your phone, in order to gain access. This effectively neutralizes brute force attacks.
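A password checker that applies the first two tips above, added here as an example and not taken from the article or any product. It undoes the substitutions a hybrid attack makes, so "P@ssw0rd1" is judged as "password", and then screens the result against a short constructed deny list and against personal terms the caller supplies; a real deployment would swap in a full breached-password list.

```python
import re

# Constructed stand-in for a real list of leaked or commonly used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Substitutions a hybrid attack tries; undoing them lets "P@ssw0rd" be judged as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ("...1", "...!"), undo letter swaps."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET_MAP)


def check_password(pw: str, personal_terms=(), min_length: int = 12) -> list:
    """Return the list of reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    root = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or root in COMMON_PASSWORDS:
        reasons.append("matches a common password after undoing simple substitutions")
    for term in personal_terms:
        if term.lower() in root:
            reasons.append(f"contains personal information ({term})")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Fluffy2019!", "Lantern-Quartz-Violin-83"):
        print(candidate, "->", check_password(candidate, personal_terms=["Fluffy"]) or "ok")
```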
Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.