Introducing Brute Force Attack

Back to Blog

Introducing Brute Force Attack

What is Brute Force Attack?

A brute force attack or brute force cracking is the cyber attack equivalent of trying every key on your key ring, and unfortunately finding the right one.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force cracking in progress is the best counter: once attackers have access to the network, they are much harder to catch.

Types of Brute Force Attacks

The most common brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries to crack them using them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These types of attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers prepared within the last few years can brute force crack an 8-character alphanumeric password – capitals and lowercase letters, numbers, and special characters – in about two hours. Computers are so fast that they can brute-force decrypt a weak encryption hash in a month. Such types of brute force attacks are known as an exhaustive key search, where the computer system tries every possible combination of every possible character to find the right combination of passwords.

Credential recycling is another type of brute force attack that reuses usernames and passwords from other data violations to try to break into different systems.

The reverse brute-force attack uses a general password like “password,” and subsequently tries to brute-force a username to go with that password. Since “password” is one of the most common passwords in 2017, this technique is more successful than you might think.

Motives Behind Attacks

Brute force attacks occur in the very early stages of the cyber kill chain, mostly during the reconnaissance and infiltration stages. Hackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entered the network, hackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Hackers also use brute force attacks to look for hidden web pages. Hidden web pages are websites that live on the internet, but these are not linked to other pages. A brute force attack tests different addresses to see if they return a valid web page, and will find out a page they can exploit. Things like a software vulnerability in the code they could use for infiltration – like the vulnerability used to infiltrate Equifax or a web page that contains a list of usernames and passwords exposed to the world.

There is small finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to expand their options of finding a positive – for the – result.

How to Defend Against Brute Force Attacks?

Brute force attacks take time to run. Some attacks can take weeks or a few months to provide anything useful. Most of the stand against these attacks involves increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length: Many more characters equal more time to brute force crack.
  • Increase password complexity: Many more options for each character also increase the time to brute force crack.
  • Limit login attempts: Brute force attacks increment a counter of multiple failed login attempts on most directory services – a good security against brute force attacks is to lock out users after some failed attempts, thus nullifying a brute force attack in progress.
  • Implement Captcha: Captcha is one of the common systems to verify a human is a human on websites and can stop brute force attacks in progress.
  • Use multi-factor authentication: Multiple-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success.

The proactive way to stop brute force attacks starts with monitoring the systems. Various monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We have got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack underway), threat models that detect potential credential stuffing, and more – all designed to find and prevent brute force attacks before the attack explodes.


It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are uncrackable. Once you find and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.

Share this post

Back to Blog