Unlike many cyberattacks, which exploit software vulnerabilities, brute force attacks leverage computing power and automation to guess passwords or keys. Basic brute force attempts use automated scripts or bots to test thousands of password combinations per minute, much like a thief trying every possible combination on a padlock until it opens.
Weak or simple passwords make the job easier, while strong ones can render this type of attack extremely time-consuming or impractical. However, more advanced brute force techniques are constantly being developed.
To illustrate the speed and scale of today's escalating cyber threats, consider that Microsoft blocks an average of 4,000 identity attacks per second. Yet attackers continue to push boundaries. Specialized password cracking rigs can test roughly 7.25 trillion candidate passwords in that same second, a rate that applies to offline attacks against fast, unsalted hashes rather than to guesses submitted to a live login form.
Quantum computing also changes the picture, though for cryptographic keys rather than for password guessing, and it is the reason post-quantum cryptography is needed. Public-key algorithms such as RSA, which underpin much of today's authentication and key exchange, rely on the computational difficulty of factoring large numbers into primes.
Factoring a 2048-bit RSA modulus would take billions of years with current classical computing power. However, a sufficiently advanced quantum computer running Shor's algorithm, estimated at roughly 20 million noisy qubits, could break a 2048-bit RSA key in a matter of hours. This is not a faster brute force of the key space; Shor's algorithm exploits the mathematical structure of factoring. Against symmetric keys and password hashes the known quantum speedup (Grover's algorithm) is only quadratic, so the advice on password length and key size in the rest of this article still stands.
Brute force attacks are a serious cybersecurity threat because they target the weakest link in security defenses: human-chosen passwords and poorly protected accounts.
A successful brute force attack can lead to immediate unauthorized access, allowing attackers to impersonate the user, steal sensitive data or further infiltrate a network. Additionally, unlike exploit-driven intrusions, brute force attacks require relatively little technical skill, just persistence and resources.
One of the major risks of a brute force attack is that a single compromised account can have a cascading effect. For example, if cybercriminals brute force an administrator’s credentials, they can use them to compromise other user accounts.
Even a normal user account, once accessed, might reveal personally identifiable information or serve as a stepping stone to more privileged access. Many data breaches and ransomware incidents begin with attackers using brute force to crack remote access accounts—such as Remote Desktop Protocol (RDP) or VPN logins. Once inside, attackers may deploy malware, ransomware or simply lock down the system.
Brute force attacks are also a network security concern because the sheer volume of login attempts generates a great deal of noise. That noise can overwhelm authentication systems or act as a smokescreen for quieter cyberattacks running at the same time.
Recently, researchers observed a global brute force campaign leveraging almost 3 million unique IP addresses to target VPNs and firewalls, highlighting just how massive and distributed these attacks can become.
Typically, a flood of failed password attempts against one account or from one address would tip off defenders, but attackers have ways to mask their activity. By using bots or botnets (networks of compromised computers), attackers can distribute attempts across thousands of source IP addresses so that each address makes only a handful of attempts. This makes malicious login attempts blend in with normal user behavior and defeats simple per-IP blocking.
Brute force attacks are also rarely used in isolation; they often go hand-in-hand with other tactics. For instance, an attacker might use phishing to obtain one account's credentials and brute force another. Or they might use the results of a brute force attack (cracked passwords) to conduct phishing scams or fraud elsewhere.
To understand how brute force attacks work, consider the sheer number of possible passwords an attacker may need to test. Brute force attacks operate by generating and checking credentials at high speed. The attacker might start with obvious guesses (like “password” or “123456”) and then progress to systematically generating all possible combinations of characters until they discover the correct password.
Modern attackers harness significant computing power, from multi-core central processing units (CPUs) and graphics processing units (GPUs) to rented cloud computing clusters, to accelerate this process.
For example, a six-character password using only lowercase letters has 26^6 possible values, which is 308,915,776 combinations (roughly 308 million). On average the correct guess turns up about halfway through the search, and at the offline rates quoted above that many guesses take a fraction of a second, so a six-letter lowercase password offers essentially no resistance.
In contrast, a longer password with mixed cases, numbers and special characters yields exponentially more possibilities, greatly increasing the amount of time and effort required to guess it correctly.
Passwords aren't the only thing at risk: brute force methods can also decrypt files or discover encryption keys by exhaustively searching the full spectrum of possible keys (also known as the "key space"). The feasibility of such attacks depends on the key length and algorithm strength. For instance, a 128-bit encryption key has an astronomically large number of possibilities, making brute forcing it virtually impossible with current technology.
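The arithmetic behind the two preceding paragraphs, worked through as an added example (not code from the original article): it infers which character classes a password uses, computes the resulting keyspace, and converts that into an expected search time at the article's quoted offline rate of 7.25 trillion guesses per second and at an assumed online rate of 100 guesses per second against a rate-limited login form. The same function handles the 128-bit key case.

```python
import string

# The offline rate is the figure quoted in the text for a specialized cracking rig.
# The online rate is an assumption standing in for a rate-limited login endpoint.
OFFLINE_RATE = 7.25e12   # candidate hashes per second, offline
ONLINE_RATE = 100.0      # guesses per second against a live form (assumed)

# Character classes an attacker must include once they know, or assume,
# how the password is composed.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters, e.g. keyspace(26, 6)."""
    return charset_size ** length


def charset_size_for(password: str) -> int:
    """Size of the smallest union of classes that covers every character used."""
    used = [cls for cls, chars in CLASSES.items() if any(c in chars for c in password)]
    if not used:
        raise ValueError("password uses characters outside the modelled classes")
    return sum(len(CLASSES[cls]) for cls in used)


def seconds_to_crack(space: int, rate: float, expected: bool = True) -> float:
    """Time to search `space` candidates at `rate` guesses/s. The correct candidate
    shows up halfway through on average, so `expected=True` halves the space."""
    return (space / 2 if expected else space) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds * 1e6:.3g} microseconds"


def estimate(password: str) -> dict:
    """Estimate assuming the attacker knows only the length and the classes used."""
    space = keyspace(charset_size_for(password), len(password))
    return {
        "keyspace": space,
        "offline": seconds_to_crack(space, OFFLINE_RATE),
        "online": seconds_to_crack(space, ONLINE_RATE),
    }


def symmetric_key_seconds(bits: int, rate: float = OFFLINE_RATE) -> float:
    """Expected time to exhaust half of a `bits`-bit key space at `rate` trials/s."""
    return seconds_to_crack(2 ** bits, rate)


if __name__ == "__main__":
    for pw in ["qwerty", "Spring2025!", "tr0ub4dor&3", "c0rrectHorseBatteryStaple!"]:
        est = estimate(pw)
        print(f"{pw!r:30} keyspace={est['keyspace']:.3g} "
              f"offline={human(est['offline'])} online={human(est['online'])}")
    print(f"128-bit key, offline: {human(symmetric_key_seconds(128))}")
```

Two things the numbers make obvious: the online rate, not the password, is what protects a short password on a rate-limited service, and every extra character multiplies the work by the charset size, which is why length beats a sprinkling of symbols.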
In practice, brute force attacks often succeed not by cracking unbreakable ciphers, but by exploiting human factors: guessing common passwords, assuming password reuse or targeting systems with no lockout mechanism.
Brute force techniques can be applied in two contexts: online attacks (real-time attempts against live systems) and offline attacks (using stolen data, such as hashed passwords: fixed-length digests computed from passwords that cannot practically be reversed, only guessed and re-hashed for comparison).
In online attacks, the hacker interacts with a target system—such as a web application login or SSH service—and tries passwords in real-time. Attack speed is limited by network delays and defense mechanisms.
For example, rate limiting restricts the number of attempts in a given time, and CAPTCHAs are challenges designed to distinguish humans from bots. Attackers often distribute their online attempts across multiple IP addresses or use a botnet to avoid triggering IP-based blocks.
In offline attacks, the attacker has already obtained the encrypted data or password hashes (for instance, from a data breach) and can use their own machines to attempt millions or billions of guesses per second without alerting the target. Specialized password cracking tools, usually open source, exist to facilitate these brute force strategies.
For example, John the Ripper, Hashcat and Aircrack-ng are popular tools that automate brute force password cracking. These tools generate candidates from wordlists, masks and mangling rules, and use graphics processing units (GPUs) to hash and compare candidates at incredible speeds. How fast depends heavily on the hash type: fast general-purpose hashes fall at the rates quoted above, while deliberately slow password hashes cut the guess rate by orders of magnitude.
Brute force attacks come in several forms, each using different strategies to guess or reuse credentials to gain unauthorized access.
This approach tries all possible passwords by incrementally cycling through every combination of allowed characters. A simple brute force attack (also called exhaustive search) does not use any prior knowledge about the password; it will systematically attempt passwords like “aaaa…,” “aaab…,” and so on through “zzzz…,” including digits or symbols depending on the character set.
Given enough time, a simple brute force attack will eventually find the correct credentials through pure trial and error. However, it can be extremely time-consuming if the password is long or complex.
Rather than blindly iterating through every possible password combination, a dictionary attack tries a curated list of likely passwords (a "dictionary" of terms) to expedite the guessing.
Attackers compile lists of common words, phrases and passwords (like “admin,” “letmein” or “password123”). Because many users choose weak passwords that are simple or based on words typically found in a dictionary, this method can yield quick wins.
A hybrid attack combines the dictionary attack approach with simple brute force methods. Attackers start with a list of likely base words and then apply brute force modifications around them. For example, the word “spring” might be tried as “Spring2025!” by adding capital letters, numbers or symbols to satisfy complexity requirements.
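The three guessing strategies described above (simple exhaustive search, dictionary and hybrid), as an added example that is not part of the original article. It runs an offline attack against a constructed set of three unsalted SHA-256 hashes, cheapest strategy first. The wordlist and the mangling rules are small stand-ins for a real wordlist and a Hashcat-style rule set.

```python
import hashlib
import itertools
import string


def sha256_hex(candidate: str) -> str:
    """Fast unsalted hash standing in for whatever the breached system stored."""
    return hashlib.sha256(candidate.encode()).hexdigest()


# Constructed "breach dump": one hash per strategy that will recover it.
TARGET_HASHES = {
    sha256_hex("zeb"),          # short, lowercase-only: falls to exhaustive search
    sha256_hex("letmein"),      # a common password: falls to the dictionary
    sha256_hex("Spring2025!"),  # base word plus year and symbol: falls to hybrid rules
}

# Tiny stand-in for a real wordlist such as the leaked lists crackers actually use.
WORDLIST = ["password", "123456", "admin", "letmein", "welcome", "spring", "summer"]


def dictionary_attack(targets, wordlist):
    """Try each wordlist entry exactly as written."""
    return {sha256_hex(w): w for w in wordlist if sha256_hex(w) in targets}


def mangle(base):
    """Hybrid rules: case variants, appended years or counters, trailing symbols."""
    suffixes = [""] + [str(year) for year in range(2020, 2027)] + ["1", "123"]
    for cased in (base, base.capitalize(), base.upper()):
        for suffix in suffixes:
            for symbol in ("", "!", "#", "$"):
                yield cased + suffix + symbol


def hybrid_attack(targets, wordlist):
    """Dictionary words with brute-force style modifications applied around them."""
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
    return found


def exhaustive_attack(targets, charset=string.ascii_lowercase, max_len=4):
    """Simple brute force: a, b, ..., z, aa, ab, ... up to max_len characters."""
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            digest = sha256_hex(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
                if len(found) == len(targets):
                    return found
    return found


def crack(targets, wordlist, max_len=4):
    """Run the cheap strategies first; each stage sees only still-uncracked hashes."""
    stages = (
        lambda t: dictionary_attack(t, wordlist),
        lambda t: hybrid_attack(t, wordlist),
        lambda t: exhaustive_attack(t, max_len=max_len),
    )
    results = {}
    for stage in stages:
        remaining = set(targets) - set(results)
        if not remaining:
            break
        results.update(stage(remaining))
    return results


if __name__ == "__main__":
    for digest, plaintext in crack(TARGET_HASHES, WORDLIST).items():
        print(f"{digest[:16]}...  ->  {plaintext!r}")
```

The ordering matters in practice: the dictionary stage costs seven hashes, the hybrid stage a few hundred, and the exhaustive stage grows as 26^n, so real tooling (and this example) only falls back to exhaustive search for whatever the cheaper stages leave behind.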
Credential stuffing is a specialized variant of brute force attacks where the attacker uses login credentials (username and password pairs) stolen from one breach and tries them on other websites and services. Rather than guessing new passwords, the attacker stuffs known passwords into multiple login forms, betting on the fact that many people use the same credentials across different accounts.
A rainbow table attack is an offline password cracking technique that trades storage for computing time by using precomputed tables of hashes. Instead of hashing guessed passwords on the fly, attackers use a "rainbow table" (a large, compressed lookup structure covering the hashes of many possible passwords) to quickly match a stolen hash to its original password. Salting stored hashes defeats this approach, because a separate table would be needed for every salt value.
In a reverse brute force attack, the hacker turns the usual attack method on its head. Instead of trying many passwords against one user, they try one password (or a small set) against many different user accounts.
Password spraying is a stealthier version of the reverse brute force technique. Attackers use a small list of common passwords (such as "Summer2025!") across many accounts, typically one guess per account per lockout window. This allows them to target multiple users without triggering lockout protections on any single account, so defenders have to look at failures per source address or across the whole user population rather than per account.
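Why a per-account lockout stops a classic brute force attempt but not a spray, shown over a constructed authentication log as an added example (not the article's own code). The sample log, the lockout threshold of five failures and the spray thresholds are all assumptions chosen for illustration; the detection logic is the generally applicable part.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    user: str
    src_ip: str
    success: bool


def build_sample_events():
    """Constructed log for one short window: a little normal traffic, one classic
    brute force against a single account, and one password spray."""
    events = [
        AuthEvent("carol", "192.0.2.10", True),
        AuthEvent("dave", "192.0.2.11", True),
        AuthEvent("carol", "192.0.2.10", False),   # an ordinary typo
    ]
    # Classic (vertical) brute force: one source, one account, many guesses.
    events += [AuthEvent("alice", "203.0.113.5", False) for _ in range(20)]
    # Password spray (reverse brute force): one source, one guess per account.
    events += [AuthEvent(f"user{i:02d}", "198.51.100.7", False) for i in range(30)]
    return events


def failure_matrix(events):
    """source IP -> account -> number of failed attempts in the window."""
    matrix = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e.success:
            matrix[e.src_ip][e.user] += 1
    return matrix


def locked_accounts(events, threshold=5):
    """Per-account lockout policy: lock once an account reaches `threshold`
    failures regardless of where they came from."""
    failures = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def hammering_sources(events, threshold=5):
    """Sources with `threshold` or more failures against one account: the classic
    pattern that per-account lockout also catches. Returns ip -> (account, count)."""
    flagged = {}
    for ip, accounts in failure_matrix(events).items():
        worst = max(accounts, key=accounts.get)
        if accounts[worst] >= threshold:
            flagged[ip] = (worst, accounts[worst])
    return flagged


def spraying_sources(events, min_accounts=10, max_per_account=2):
    """Sources that failed against many distinct accounts while staying under
    `max_per_account` on each: the spray signature that lockout never sees.
    Returns ip -> number of distinct accounts targeted."""
    return {
        ip: len(accounts)
        for ip, accounts in failure_matrix(events).items()
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_per_account
    }


if __name__ == "__main__":
    events = build_sample_events()
    print("locked by per-account policy:", locked_accounts(events))
    print("hammering sources:", hammering_sources(events))
    print("spraying sources:", spraying_sources(events))
```

On this log the lockout policy locks only alice, and the spraying source never appears in it; the per-source view is what surfaces 198.51.100.7 with thirty distinct targets. A spray that is also spread across a botnet lowers the per-source count, which is why a third view, distinct source addresses per failed account across the whole population, is often added in practice.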
Organizations can implement multiple security measures to protect against brute force attempts. Key practices include:
Require longer passwords (at least 12–15 characters) and allow a full mix of character types (uppercase, lowercase, numbers and special characters); length adds far more to the keyspace than forced complexity rules do. Encourage passphrases and promote password managers to help users generate and store unique, high-entropy credentials.
Add an extra authentication factor. Multi-factor authentication (such as one-time codes or authentication apps) helps ensure a password alone is not enough for access.
Implement lockout policies so that accounts are temporarily locked, or logins are progressively delayed, after several failed attempts. Keep locks temporary: a permanent lock lets an attacker deny service to legitimate users simply by failing their logins on purpose. CAPTCHA can distinguish bots from real users, slowing down brute force campaigns.
Deploy real-time monitoring and anomaly detection. Flag excessive failed attempts or logins from unusual IP addresses. Additionally, use automated systems to ban suspicious sources.
Store passwords only as salted, deliberately slow hashes such as bcrypt or Argon2. The salt is random data combined with each password before hashing, so identical passwords produce different stored values and precomputed tables are useless; the slow hash caps how many guesses per second an offline attacker can make. Enforce multi-factor authentication, keep sensitive access points like SSH or RDP off the open internet (behind a VPN, or with key-based authentication), and disable default credentials.
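The storage recommendation above, and the reason salting defeats the rainbow table attack described earlier, as an added example (not the article's code). It contrasts an unsalted fast hash, which a precomputed table reverses instantly, with a salted, slow hash. The standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt or Argon2, which need third-party packages; the iteration count follows OWASP's published minimum for PBKDF2-HMAC-SHA256 and the record format is an assumption.

```python
import hashlib
import hmac
import os


# Attacker side: a precomputed table of unsalted fast hashes. A real rainbow
# table compresses this with hash chains; the lookup semantics are the same.
def build_lookup_table(wordlist):
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def unsalted_sha256(password: str) -> str:
    """What a weakly designed system stores: reversible by table lookup alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_can_crack(stored: str, table) -> bool:
    """True if the stored value is recoverable from the precomputed table."""
    return stored in table


# Defender side: per-user random salt plus a deliberately slow key derivation.
PBKDF2_ITERATIONS = 600_000   # OWASP minimum for PBKDF2-HMAC-SHA256 (2023 guidance)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record (assumed format) so the work factor can be raised
    # later and old records re-hashed on next login.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(["password", "letmein", "123456"])
    weak = unsalted_sha256("letmein")
    print("unsalted sha256 reversed by table:", table.get(weak))

    record_a = hash_password("letmein")
    record_b = hash_password("letmein")   # same password, different salt
    print("salted records identical:", record_a == record_b)
    print("table helps against salted record:", table_can_crack(record_a, table))
    print("verify correct / wrong:", verify_password("letmein", record_a),
          verify_password("letmein1", record_a))
```

The combination is what matters: the salt forces an attacker to recompute per user instead of looking up once, and the work factor makes each of those recomputations cost hundreds of thousands of HMAC operations rather than one, turning the trillions-per-second figure quoted earlier into a small fraction of that.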
Each additional barrier, whether a lockout rule, a second factor or a slow salted hash, raises the cost of brute force infiltration. By adopting a layered approach that addresses both human and technical factors, organizations can better protect against brute force attacks.