
Brute Force Attack

Sam Ingalls
Last Updated December 29, 2021 5:17 pm

A brute force attack is a frequently used attack method in which threat actors rely on computing power to guess passwords, combining what they know about the web service with information about the user account. The password length and complexity requirements published by a software account provider, together with a handful of details about the user, including the username, are all an attacker needs to get to work.

Password complexity and how carefully users protect their passwords directly determine how long a brute force attack takes. Users with weak, lazily chosen passwords are vulnerable to swift brute force attacks.

What is a Brute Force Attack?

Brute force attacks are a trial-and-error process in which attackers try candidate passwords for a given user account until one provides unauthorized access. Using cheap, powerful computing resources, threat actors can test millions of possible passwords, seeding their guesses with basic personal details about the user, such as name, address, and hometown, and refining them with more advanced methods for estimating likely credentials.

A screenshot of a successful brute force attack. Provided by Imperva.
Read more: Your weak passwords can be cracked in less than a second | TechRepublic

Brute Force Attack Types

Credential Stuffing: tests login forms by automated injection of credentials exposed in earlier breaches
Dictionary Attacks: tests potential credentials drawn from likely dictionary words
Rainbow Table Attacks: uses precomputed tables of hash values to recover a password from its stolen hash
Simple BFA: uses a system to guess, with little outside logic beyond exhaustive guessing
Hybrid BFA: uses external logic to pick a likely password, then tests variations of it
Reverse BFA: uses previously obtained data to target a network of users

Who is Vulnerable to Brute Force Attacks?

Vulnerability to brute force attacks involves the protective measures taken by account service providers, account users, and the sophistication of threat actors. Today, advanced threat actors are well-equipped with the social engineering skills to crack a user account, making additional security layers like multi-factor authentication (MFA) and biometric authentication crucial to enterprise services.

Also read: Top Cyber Security Threats to Organizations | CIO Insight
A graphic image from Cloudflare shows the estimated amount of time needed to hack passwords of certain lengths.

Account Service Providers: Password Requirements

Service providers, which store user account information in an organizational database, are directly responsible for guarding against brute force attempts. For everything from email and banking to social media, CRM, and more, account service providers can enforce password requirements that make brute force attacks exponentially more difficult.

In addition to a minimum number of characters, standard password requirements include capital letters, special characters, and numbers. Account service providers can mandate MFA alongside those password requirements, or strengthen back-end security with salted password hashing, account lockouts, login throttling, and stronger encryption.
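The following is an added example, not code from the original article, of how an account service could implement three of the back-end defences listed above: salted password hashing (which also defeats the rainbow table attacks described earlier), per-account failure counting, and a temporary lockout after repeated failures. The `LoginGuard` class, its method names, and the sample accounts are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
import time


class LoginGuard:
    """Hypothetical account store (constructed for this example) showing
    salted password hashing, failure counting and a temporary lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900, iterations=100_000):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations          # PBKDF2 work factor slows offline guessing
        self._users = {}                      # username -> (salt, derived key)
        self._failures = {}                   # username -> (failure count, last failure time)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username, password):
        salt = os.urandom(16)                 # unique salt per account defeats rainbow tables
        self._users[username] = (salt, self._derive(password, salt))

    def stored_hash(self, username):
        return self._users[username][1]

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        count, last = self._failures.get(username, (0, 0.0))
        return count >= self.max_failures and (now - last) < self.lockout_seconds

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'; `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"                   # refuse without even checking the password
        record = self._users.get(username)
        # Unknown users get a dummy record so the response time does not reveal
        # whether the username exists; the derivation always runs.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = self._derive(password, salt)
        if record and hmac.compare_digest(candidate, expected):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, now)
        return "denied"
```

Two accounts registered with the same password get different stored hashes because of the per-account salt, and once the failure threshold is reached the correct password is refused until the lockout window expires.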

Account Users: Inadequate Digital Hygiene

When creating an account, choosing a strong password can be an incredibly consequential decision. Beyond meeting the account service provider's credential requirements, users must be vigilant in setting complex passwords that a brute force attack cannot easily guess.

Password managers are increasingly essential to modern businesses to prevent password fatigue and avoid brute force attacks with the multitude of applications and online services used by personnel. The best password managers include 1Password, Bitwarden, Dashlane, Keeper, LastPass, NordPass, RoboForm, and Sticky Password.

Read more: Best Password Managers & Tools for 2022 | eSecurityPlanet
