A brute force attack is a trial-and-error method used by attackers to gain access to accounts, encrypted files, or systems by systematically trying candidate passwords or keys until the correct one is found. It can be run online, against a live login endpoint that answers each guess, or offline, against password hashes or encrypted data the attacker has already obtained; the offline case is limited only by the attacker's hardware and by how slow the hashing or key-derivation function is.
Types of Brute Force Attacks
| Type | Method | Speed |
|---|---|---|
| Simple brute force | Tries every character combination up to a given length | Slowest; the search space grows exponentially with length |
| Dictionary attack | Uses lists of common passwords and words | Fast against weak or common passwords |
| Credential stuffing | Replays username/password pairs leaked from other sites' breaches | Very fast; automated at scale, often through proxy networks |
| Reverse brute force (password spraying) | Tries one or a few common passwords against many usernames | Slow per account, but each account sees only a few failures, so per-account lockout is never triggered |
| Hybrid attack | Dictionary words with number/symbol variations | Moderate — effective against common patterns |
Why Password Length Matters
The time to brute force a password grows exponentially with each character added, because every extra position multiplies the search space by the alphabet size. A 6-character password using only lowercase letters has 26^6, about 309 million, combinations. A 12-character password drawn from upper, lower, digits, and the 32 printable ASCII symbols has 94^12, about 476 sextillion (4.8 × 10^23) combinations, far beyond what any single attacker can try in a reasonable time. Two caveats apply: these figures hold only for passwords chosen uniformly at random (a 12-character password built from a dictionary word and a year has a search space billions of times smaller), and the time to exhaust the space depends on how fast each guess can be checked, which is why slow password hashes such as bcrypt or Argon2 matter for offline attacks.
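The arithmetic behind the numbers above, as an added worked example that is not part of the original page. The alphabet sizes match the text (26 lowercase; 94 printable ASCII characters); the guess rates are illustrative assumptions, not benchmarks, chosen to contrast a throttled online form, a GPU against a fast unsalted hash, and the same GPU against a deliberately slow password hash. The `pattern_space` function is an added generalization showing why a 12-character password that follows a common pattern is far weaker than a random one of the same length.

```python
import math

# Alphabet sizes as the text assumes: lowercase only, and the 94 printable ASCII
# characters (26 upper + 26 lower + 10 digits + 32 symbols).
LOWERCASE = 26
PRINTABLE_ASCII = 26 + 26 + 10 + 32

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Illustrative guess rates (assumptions, not measurements): a rate-limited online
# login form, one GPU against a fast unsalted hash such as MD5, and the same GPU
# against a slow password hash such as bcrypt or Argon2 tuned to ~10k guesses/s.
GUESS_RATES = {
    "online form, rate limited": 10,
    "GPU, fast hash": 1e10,
    "GPU, slow hash": 1e4,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates when each of `length` positions is drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at the given rate; expected time is half of this."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def pattern_space(dictionary_words: int, capitalisation_variants: int, digit_suffix_len: int) -> int:
    """Candidates for the 'Word' + digits pattern that dictionary and hybrid attacks target."""
    return dictionary_words * capitalisation_variants * 10 ** digit_suffix_len


def report():
    """Rows of (description, candidates, entropy bits, years at each rate) for the page's cases."""
    cases = [
        ("6 lowercase, random", search_space(LOWERCASE, 6), entropy_bits(LOWERCASE, 6)),
        ("12 printable ASCII, random", search_space(PRINTABLE_ASCII, 12), entropy_bits(PRINTABLE_ASCII, 12)),
        # 12-character pattern such as 'Sunshine2024': 100k-word list, 2 capitalisations, 4-digit year.
        ("12 chars, word + year pattern", pattern_space(100_000, 2, 4), math.log2(pattern_space(100_000, 2, 4))),
    ]
    return [
        (name, n, bits, {label: years_to_exhaust(n, rate) for label, rate in GUESS_RATES.items()})
        for name, n, bits in cases
    ]


if __name__ == "__main__":
    for name, n, bits, years in report():
        print(f"{name}: {n:.3g} candidates, {bits:.1f} bits")
        for label, y in years.items():
            print(f"    {label:28s} {y:.3g} years to exhaust")
```

The "word + year" row is the point of the example: at 12 characters it looks as long as the random password, but a GPU against a fast hash exhausts its roughly 2 billion candidates in a fraction of a second.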
How to Defend Against Brute Force Attacks
- Use long, random passwords (16+ characters)
- Rate limit login attempts per account and per source, with increasing delays after failures; a hard lockout after a set number of failed attempts also works, but an attacker can use it to lock legitimate users out, so pair it with alerting and a safe unlock path
- Use multi-factor authentication — even a correct password is not enough
- Use CAPTCHA or a similar challenge on login forms; it raises the cost of automation rather than blocking it outright, since solver services exist
- Monitor authentication logs for brute force patterns: many failures against one account, one password tried against many accounts from a single source, or many accounts each tried once from many different IPs, and especially a success that follows a run of failures
- Store passwords with a slow, salted hash such as bcrypt, scrypt, or Argon2 so that offline guessing against a stolen database is expensive
- Avoid reusing passwords across services — use a password manager
Credential Stuffing: The Bigger Threat
Credential stuffing is a modern variant that does not guess passwords at all: it uses real passwords leaked in data breaches. Attackers obtain lists of billions of leaked username/password pairs and automatically test them across hundreds of sites, typically through proxy networks so that each attempt comes from a different IP and per-IP rate limits never fire. Only a small fraction of pairs work on any given site, but at that volume a small fraction is thousands of accounts. If you reuse passwords, one breach can compromise all your accounts.
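The monitoring bullet above and the credential stuffing description both come down to the same question for a defender: what do the three main patterns look like in an authentication log, and how do you tell them apart? The following is an added example, not from the original page or any product. It builds a constructed log in a hypothetical `result=... user=... ip=...` format (the IPs are documentation ranges, the accounts invented), then runs three rules over five-minute windows: classic brute force (one source, many failures, few accounts), password spraying (one source, one or two failures each against many accounts), and distributed credential stuffing (many accounts each tried exactly once from an IP seen exactly once). It also flags a success that follows a run of failures from the same source, which is the event that actually matters. Thresholds are illustrative and would be tuned to real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


# Constructed sample log in a hypothetical format (not from any real system).
def fmt(ts, result, user, ip):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} result={result} user={user} ip={ip}"


def build_sample_log():
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # (1) Simple brute force: one IP hammers one account 25 times, then gets in.
    lines += [fmt(t0 + timedelta(seconds=i), "fail", "alice", "203.0.113.5") for i in range(25)]
    lines.append(fmt(t0 + timedelta(seconds=25), "success", "alice", "203.0.113.5"))
    # (2) Reverse brute force / password spraying: one IP, one guess each against 40 accounts.
    lines += [fmt(t0 + timedelta(seconds=60 + i), "fail", f"user{i:02d}", "198.51.100.7") for i in range(40)]
    # (3) Credential stuffing: 60 leaked pairs, each tried once from its own proxy IP; a few work.
    lines += [fmt(t0 + timedelta(seconds=120 + i), "success" if i % 20 == 0 else "fail",
                  f"cust{i:03d}", f"192.0.2.{i + 1}") for i in range(60)]
    # (4) Benign noise: a user mistypes once, then logs in.
    lines.append(fmt(t0 + timedelta(seconds=200), "fail", "bob", "203.0.113.9"))
    lines.append(fmt(t0 + timedelta(seconds=205), "success", "bob", "203.0.113.9"))
    return lines


LINE_RE = re.compile(r"^(?P<ts>\S+) result=(?P<result>fail|success) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(lines):
    """Parse log lines into (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5)):
    """Return a list of alert tuples per fixed time window. Thresholds are illustrative."""
    alerts = []
    buckets = defaultdict(list)
    for ev in events:
        buckets[int(ev[0].timestamp() // window.total_seconds())].append(ev)
    for _, evs in sorted(buckets.items()):
        fails_by_ip = defaultdict(Counter)  # ip -> Counter(user -> failed attempts)
        attempts_by_ip, attempts_by_user = Counter(), Counter()
        for ts, result, user, ip in evs:
            attempts_by_ip[ip] += 1
            attempts_by_user[user] += 1
            if result == "fail":
                fails_by_ip[ip][user] += 1
        for ip, per_user in fails_by_ip.items():
            total = sum(per_user.values())
            if total >= 10 and len(per_user) <= 3:
                alerts.append(("brute_force", ip, sorted(per_user)))          # many failures, few accounts
            elif len(per_user) >= 20 and max(per_user.values()) <= 2:
                alerts.append(("password_spraying", ip, len(per_user)))       # few failures each, many accounts
        # Stuffing: many (user, ip) pairs where both the account and the IP appear exactly once.
        singles = {(u, ip) for _, _, u, ip in evs if attempts_by_user[u] == 1 and attempts_by_ip[ip] == 1}
        if len(singles) >= 30 and len({ip for _, ip in singles}) >= 30:
            hits = sorted(u for _, r, u, ip in evs if (u, ip) in singles and r == "success")
            alerts.append(("credential_stuffing", len(singles), hits))        # hits = likely takeovers
        # A success after a run of failures from the same source is a likely account takeover.
        for ts, result, user, ip in evs:
            if result == "success" and fails_by_ip.get(ip, Counter())[user] >= 5:
                alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(build_sample_log())):
        print(alert)
```

Bob's single mistake trips none of the rules, the spraying source is not mistaken for stuffing because its IP appears forty times, and the three successful stuffing attempts are reported as accounts to force a password reset on. In production the same logic would run over a sliding window fed by the identity provider's logs rather than a fixed bucket.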
People Also Ask
- How long does a brute force attack take?
- It depends on the password's real randomness, on how fast each guess can be checked, and on the attacker's hardware. A 4-digit numeric PIN has only 10,000 possibilities and falls in milliseconds offline, or within a few minutes online without rate limiting. A properly random 16-character password drawn from the full printable character set has about 10^31 candidates; at a trillion guesses per second that is longer than the age of the universe, even with dedicated hardware and a fast hash. A 16-character password built from dictionary words and a predictable suffix does not get that guarantee.
- Is brute forcing illegal?
- Yes, when it targets systems you are not authorized to test. Attempting to gain unauthorized access to a system by brute force is illegal under computer fraud laws in most countries, including the Computer Fraud and Abuse Act (CFAA) in the US. Running the same tools against your own systems, or under a written penetration testing agreement that defines the scope, is the legitimate use.
Related: Password entropy | Strong passwords | Breach Check