A brute force attack is an automated method of guessing credentials or cryptographic keys by systematically trying every possible combination until the correct value is found. It is one of the oldest categories of cyber attack and remains effective against systems that lack rate-limiting, account lockout, or strong key derivation.
How a brute force attack works
An attacker uses software to submit credentials at high speed against an authentication endpoint, an offline password hash, or an encrypted file. Each guess is compared against the target; when a match is found, the attacker gains access. The technique trades time and computation for certainty: given enough attempts, any password of finite length will eventually be discovered.
Common variants
Simple brute force tries every character combination starting from short strings and expanding upwards. It is effective against short or low-entropy passwords but quickly becomes impractical as length increases.
Dictionary attack uses a pre-built list of likely passwords (common words, leaked credentials, names). It is far faster than simple brute force when targets reuse weak passwords.
Credential stuffing replays username and password pairs harvested from previous data breaches. Because so many users reuse credentials across services, this method is the dominant form of account takeover today.
Reverse brute force takes one common password (for example, “Summer2025!”) and tries it against many usernames. It is useful against organisations that enforce a uniform password policy.
What testers look for
During a penetration test, brute force exposure is assessed against login pages, VPN gateways, API endpoints, and remote management interfaces such as SSH and RDP. Common findings include missing rate limits, error messages that reveal whether a username is valid, weak password policies, and absent multi-factor authentication. Hashed credentials recovered during a test are also subjected to offline cracking with tools such as Hashcat or John the Ripper to evaluate the strength of the password policy in practice.
Defending against brute force
Layered controls work better than any single fix. Rate-limit authentication attempts per account and per source IP. Enforce account lockout after a small number of failed attempts. Require multi-factor authentication on any account whose compromise would be significant. Set a minimum password length of at least 12 characters and screen against breached-password lists. For stored secrets, use a slow key derivation function such as bcrypt, scrypt, or Argon2 so that offline cracking remains expensive even if hashes leak.
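As an added illustration of the layered controls above (not code from the original article), the following Python sketch combines a per-account lockout, a per-source-IP rate limit, and a slow stdlib scrypt hash for stored passwords; the thresholds, window, and the LoginThrottle class are illustrative assumptions, and scrypt stands in for any of the slow KDFs named above.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300        # sliding window for counting failures (assumed)
MAX_FAILS_PER_ACCOUNT = 5   # lockout threshold per username (assumed)
MAX_FAILS_PER_IP = 20       # throttle threshold per source address (assumed)
LOCKOUT_SECONDS = 900       # how long a locked account stays locked (assumed)

class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can move time
        self.failures = defaultdict(deque)  # ("ip"|"acct", key) -> failure times
        self.locked_until = {}              # username -> unlock time

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def allowed(self, username, ip):
        """False if the account is locked out or the source IP is throttled."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return False
        return self._recent(("ip", ip), now) < MAX_FAILS_PER_IP

    def record_failure(self, username, ip):
        """Count a failed attempt against both the account and the source IP."""
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("acct", username)].append(now)
        if self._recent(("acct", username), now) >= MAX_FAILS_PER_ACCOUNT:
            self.locked_until[username] = now + LOCKOUT_SECONDS

def hash_password(password, salt=None):
    """Salted scrypt: each offline guess costs real CPU time and memory."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```

The per-account counter stops a single-target guessing run after five failures, while the per-IP counter catches credential stuffing or reverse brute force that spreads a few guesses across many usernames.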
Related terms
See also: Hashcat, John the Ripper, phishing, and social engineering.