A brute force attack is a trial-and-error method used to guess passwords, encryption keys or other credentials by systematically trying every possible combination until the correct one is found. While computationally intensive, modern hardware and GPU acceleration make it a genuine threat against weak or short passwords.
Types of Brute Force Attacks
- Simple brute force — Tries every possible character combination. Effective only for short passwords.
- Dictionary attack — Uses a list of common words, phrases and previously leaked passwords. Much faster than pure brute force.
- Credential stuffing — Uses username/password combinations leaked from other breaches to try on other services.
- Rainbow table attack — Uses precomputed hash-to-password mappings to crack hashed passwords rapidly. Only works when the hashes were stored without a per-password salt.
- Reverse brute force — Uses one common password (e.g. "Password1") against many usernames. Because each account receives only a single attempt, per-account lockout thresholds are never reached.
How Long Does It Take?
A 6-character lowercase password can be cracked in seconds. A 12-character password with mixed case, numbers and symbols would take millions of years at current computing speeds, which is why password length and complexity matter enormously.
Defences
- Account lockout — Lock accounts after a set number of failed attempts.
- Rate limiting — Slow down login attempts from the same IP.
- CAPTCHA — Requires human interaction to prevent automated attempts.
- Two-factor authentication — Even a correct password is useless without the second factor.
- Long, complex passwords — Use a password manager to generate 16+ character random passwords.
- Password hashing — Store passwords with a salted, deliberately slow hash function (bcrypt, Argon2): the salt defeats precomputed tables and the work factor slows offline cracking.
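The account lockout and rate limiting defences above, as an added example that is not part of the original article: a sliding-window login guard that counts failures per account and per source address, run over constructed traffic for a simple brute force and for a reverse brute force (one password, many usernames). The thresholds, window length and the assumption that the application passes a timestamp with each attempt are illustrative choices, not values from the article.

```python
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not values from the article).
ACCOUNT_LIMIT = 5     # failures per account before it is locked
IP_LIMIT = 20         # failures per source address before it is throttled
WINDOW = 600.0        # sliding window in seconds


class LoginGuard:
    def __init__(self):
        self.by_account = defaultdict(deque)   # username -> failure timestamps
        self.by_ip = defaultdict(deque)        # source ip -> failure timestamps

    @staticmethod
    def _prune(stamps, now):
        # Drop failures older than the window so stale noise never locks anyone.
        while stamps and now - stamps[0] > WINDOW:
            stamps.popleft()

    def check(self, username, ip, now):
        """Decide before the password hash is ever touched.
        Returns 'ok', 'account_locked' or 'ip_throttled'."""
        acct, src = self.by_account[username], self.by_ip[ip]
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= ACCOUNT_LIMIT:
            return "account_locked"
        if len(src) >= IP_LIMIT:
            return "ip_throttled"
        return "ok"

    def record_failure(self, username, ip, now):
        self.by_account[username].append(now)
        self.by_ip[ip].append(now)


def run(attempts):
    """attempts: (timestamp, username, ip) tuples, each one a wrong password.
    Returns the guard's verdict for every attempt, in order."""
    guard = LoginGuard()
    verdicts = []
    for ts, user, ip in attempts:
        verdict = guard.check(user, ip, ts)
        verdicts.append(verdict)
        if verdict == "ok":   # only attempts that reached the password check count
            guard.record_failure(user, ip, ts)
    return verdicts


# Constructed traffic: six guesses at one account, then one guess each at 25 accounts.
BRUTE_FORCE = [(t, "alice", "198.51.100.7") for t in range(6)]
SPRAY = [(100 + i, f"user{i:02d}", "198.51.100.9") for i in range(25)]
```

On the spray the per-account counter never fires, exactly the gap described under reverse brute force, and it is the per-source counter that stops it after the twentieth failure.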