Article

What is a brute force attack?

Security
Time to read: 14 minutes

Definition of a brute force attack

A brute force attack is an approach taken for cyber attacks in which an attacker checks a vast number of potential passwords or keys to try to find one that works. The term brute force signifies the lack of finesse in this approach, relying instead on the strength of repetitive attempts rather than exploiting specific software vulnerabilities or employing more sophisticated hacking techniques.

Usually, this method relies on hefty computational power and the assumption that, given enough attempts, any password or cryptographic key can eventually be guessed.

Brute force attacks can be time-consuming and are bounded by the complexity of the password or encryption key.

The length and complexity of the target credentials directly impact the feasibility of the attack. Short passwords and those that use common words or names are, obviously, significantly more vulnerable than complex and longer ones.

Newer encryption algorithms and strong password policies are designed to counter brute force attacks. The idea is to increase the time and computational resources required to a point where such attacks become impractical.

Types of brute force attacks

There are several types of brute force attacks that vary in approach and efficiency. Each of these is some iteration of the underlying method of gaining unauthorized access by systematically guessing passwords, personal identification numbers (PINs), or cryptographic keys.

The following are the main types of brute force attacks.

Simple brute force attacks

In this type of brute force attack, attackers use all combinations of characters until the correct password is discovered. This method is generally the slowest form of brute force attack. It is almost always facilitated by automated software that can generate and test thousands of password combinations per second.

Although it is time-consuming and inefficient, a simple brute force attack can be highly effective, especially against weak passwords, the most common of which are 123456, password, 111111, pa$$word, abc123, Password1, test, guest, and Welcome@123.

Credential stuffing

Although not a brute force attack in the traditional sense, credential stuffing involves taking advantage of known username and password combinations obtained from previous data breaches and testing them on different websites. Credential stuffing takes advantage of the common practice of reusing passwords across multiple accounts.

Dictionary attacks

This technique uses a list of common passwords or words found in a dictionary. Attackers leverage the fact that many users choose weak, common passwords, making it quicker than trying every possible combination.

Often, these attackers use a list of pre-determined guesses, often compiled from lists of common passwords, standard dictionary words, and frequently used password phrases. This method exploits the tendency of users to use simple words as passwords.

Hybrid brute force attacks

A combination of brute force and dictionary methods, hybrid brute force attacks modify dictionary words with numbers, symbols, or changes in capitalization to guess passwords that are slightly more complex but still based on common patterns. This type of attack is effective against passwords that use common substitutions or additions to dictionary words.

Mask attacks

Mask attacks are a more targeted form of brute force attacks where the attacker has some knowledge about the password structure (e.g., length, use of certain symbols, or prefixes). By applying masks or patterns, the attacker can reduce the number of guesses needed to crack the password.

Rainbow table attacks

Rather than guessing passwords, a rainbow table attack uses precomputed tables of hash values for every possible password. By comparing the hash value of the targeted password with the values in the table, the attacker can find matches without having to compute them during the attack, effectively bypassing simple hash-based password protection.

This method is effective against systems that use unsalted hash functions, which do not add random data (i.e., salt) to a password before hashing for password storage.

Reverse brute force attacks

Unlike traditional methods that start with a known username and guess the password, reverse brute force attacks begin with a known password or a list of likely passwords and attempt to find the username that matches. This approach leverages the fact that many users reuse their passwords across multiple accounts.

Rule-based attacks

A rule-based attack is a sophisticated type of brute force attack where attackers apply a set of predefined rules to modify common passwords or dictionary terms during their attempts to crack passwords. This method allows attackers to efficiently test variations of passwords by incorporating common substitutions, additions, capitalizations, or leet-speak (informal language or code in which standard letters are replaced by numerals or special characters that resemble the letters in appearance) alterations. For instance, a rule might replace the letter “o” with the number “0” or add specific numbers or symbols to the end of a basic word.

Rule-based attacks are highly effective because they exploit predictable patterns in password creation, enabling attackers to breach accounts with complex passwords that might otherwise withstand simple dictionary or brute force attacks.

Why brute force attacks occur

Brute force attacks occur due to a combination of technological vulnerabilities, human behavioral patterns, and the evolving landscape of digital security. These attacks exploit the fundamental mechanism of authentication systems that rely on secret knowledge for access control, targeting the weakest link in security—the tendency to use easily guessable passwords or the computational feasibility of enumerating every possible key.

One primary reason brute force attacks are prevalent is the simplicity and cost-effectiveness of the method.

Attackers can easily access significant computational power to automate these attempts, making the process of guessing even complex passwords increasingly feasible. The proliferation of cloud computing and the availability of specialized hardware have lowered the barriers to executing such attacks, enabling even relatively unsophisticated attackers to attempt brute force methods against secured systems.

Human factors significantly contribute to the effectiveness of brute force attacks. Many users prioritize convenience over security, choosing simple passwords that they can remember. Unfortunately, these are also easily guessable.

Common practices that are exploited by attackers include using dictionary words, predictable patterns (e.g., password, 123456, or qwerty), personal information (e.g., birthdates and names), or repeating the same password across multiple accounts.

The issue of brute force attack efficacy is exacerbated by the widespread problem of password reuse. When attackers obtain a password from one breach, they can use it to gain access to other accounts belonging to the same user on different platforms (i.e., credential stuffing). This method is effectively a reverse brute force attack, applying known passwords to different usernames or services and exploiting the lack of unique passwords for different accounts.

Technological vulnerabilities also play a role. Many systems and applications do not implement sufficient rate-limiting or account lockout mechanisms after several failed login attempts. This allows attackers to make repeated guesses without being blocked.

The sheer volume of personal and professional life conducted online is also a factor as it increases the number of targets for brute force attacks. As more services require login credentials, the opportunity for attackers grows.

This, coupled with the vast amounts of personal data available publicly or through data breaches, helps attackers create more effective brute force or dictionary attacks. Using known personal information, attackers can tailor their guesses to the likely interests, habits, or personal details of the target.

Legacy systems and outdated security protocols in some organizations also contribute to the efficacy of brute force attacks. Many of these systems rely on older, weaker encryption methods. In other cases, password policies have not been updated to require strong, complex passwords.

Tools used in brute force attacks

Brute force attacks leverage various tools designed to automate the process of guessing passwords, encryption keys, or PINs. These tools vary in sophistication, speed, and customization, catering to different aspects of brute force attacks— from simple password cracking to more complex cryptographic key discovery.

Below are some of the most common tools in brute force attacks.

Aircrack-ng

Focused on network security, Aircrack-ng is a suite of tools used for assessing Wi-Fi network security. It includes functionalities for monitoring, attacking, testing, and cracking Wi-Fi networks. It can capture packets, export data to text files for further processing by third-party tools, and even crack WEP and WPA-PSK keys. Aircrack-ng primarily leverages simple brute force and dictionary attacks.

Brutus

A Windows login cracker is one of the oldest yet most effective brute force tools. Brutus supports multi-stage authentication engines and can connect 60 targets simultaneously. It supports multiple protocols, including HTTP (hypertext transfer protocol), FTP (file transfer protocol), and SMB (server message block), and cracks passwords over the internet.

Hashcat

Known as the world’s fastest and most advanced password recovery utility, Hashcat supports multiple algorithms and has at least five unique modes of attack for over 200 highly optimized hashing algorithms. It can execute various types of attacks, including brute force, dictionary, hybrid, mask, and rule-based attacks, making it highly versatile for cracking complex hashes.

Hydra

Widely recognized for its fast and effective password-cracking capabilities, Hydra allows simultaneous attempts at cracking multiple accounts and is an effective tool for conducting brute force attacks on web applications. It is designed to rapidly guess passwords to authenticate with remote servers using several brute force attack options.

John the Ripper

John the Ripper is open-source software, initially designed for Unix-based systems, that now works on many other platforms. It is known for its ability to automatically detect password hash types and includes several customization options, making it a versatile tool for brute force attacks.

John the Ripper’s ability to be customized with various modes and plugins makes it highly effective for cracking complex passwords.

L0phtCrack

L0phtCrack is a sophisticated password auditing and recovery tool known for its ability to crack Windows passwords. It operates by exploiting vulnerabilities in the way Windows stores password hashes, employing a variety of techniques to crack them. These techniques include brute force attacks, dictionary attacks, hybrid attacks, and rainbow table attacks to accelerate the cracking process.

The tool can import passwords hashed in Windows-supported formats from multiple sources, including local and remote machines, Active Directory stores, and network captures.

Medusa

Medusa is a fast and highly effective brute force attack tool designed for remote systems. It is parallelized, meaning it can perform concurrent attacks on multiple hosts, services, and accounts, significantly speeding up the process.

Ncrack

Ncrack was designed for high-speed network password cracking. It can perform parallelized and efficient brute force attacks that uncover weak credentials that could compromise network security.

Ophcrack

Specializing in cracking Windows passwords, Ophcrack uses the rainbow table attack approach to reverse cryptographic hash functions. It is particularly effective for cracking LM (local area network manager) and NTLM (new technology LAN manager) hashes found in Windows systems.

Patador

Patator is a versatile and flexible brute force attack tool that supports a wide range of services and protocols.

Patator’s effectiveness is not just in its versatility but also in its efficiency. It uses a thread-based approach to perform fast and concurrent attempts.

This approach maximizes the chances of discovering weak passwords across a range of services and systems within a relatively short timeframe. Additionally, Patator includes functionalities to evade lockout policies and CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) protections, further enhancing its efficacy for brute force attacks.

RainbowCrack

Instead of traditional brute force attacks, RainbowCrack uses a time-memory trade-off algorithm to crack hashes. It precomputes rainbow tables for a range of character sets and hash algorithms, significantly speeding up the process of cracking password hashes. This significantly reduces the time required to crack a password by precomputing all possible hash combinations in advance.

Preventing a brute force attack

Each type of brute force attack exploits different weaknesses in password security practices or system configurations. The best defense revolves around passwords, but there are other measures that can be taken to prevent a brute force attack, including the following.

Account lockout

Preventing repeated login attempts helps prevent brute force attacks. Account lockout mechanisms temporarily disable an account after a certain number of unsuccessful login attempts, thwarting repeated guessing efforts.

Encryption

Strong encryption algorithms increase the number of possible combinations exponentially, making brute force attacks impractical due to the immense time and computational power required. Encryption can also protect against the impact of successful brute force attacks.

By encrypting sensitive data, even if an attacker gains access to the data, they cannot read it without the encryption key, which, as noted, is extremely difficult to crack because of its complexity and length.

Multi-factor authentication

Multi-factor authentication (MFA) can be used as a complement to passwords, providing additional verification challenges before granting access.

Strong passwords

Implementing strong, complex passwords that are difficult to guess and changing them regularly can significantly mitigate the risk. Also, it is important to use unique passwords for different accounts and services.

Tracking login attempts

Login attempts can be monitored, and alerts can be sent when unusual or repeated login attempts are detected.

Brute force attack FAQ

Following are several of the most frequently asked questions about brute force attacks.

Are brute force attacks legal?

Brute force attacks are generally considered illegal, as they are often used to gain unauthorized access to systems, data, or networks. These actions violate various laws and regulations designed to protect digital privacy and security (e.g., the Computer Fraud and Abuse Act in the United States).

However, brute force techniques can be legally employed in ethical, authorized hacking and security testing scenarios.

How often do brute force attacks occur?

Brute force attacks are among the most common cybersecurity threats. Cybersecurity firms and researchers consistently report thousands of brute force attempts each day.

However, their precise frequency in reporting makes it difficult to quantify the scale of targets (e.g., individuals, corporations, and government entities), many of whom do not know that the attacks occurred.

What does it mean to “crack” a password?

Cracking a password means deciphering or guessing a password successfully.

What is an encryption key?

This key is central to the cryptographic process. It enables the secure transmission and storage of information by making it unreadable to unauthorized users.

Encryption keys come in various lengths and types, such as symmetric keys (i.e., the same key is used for both encryption and decryption) and asymmetric keys (i.e., a public key is used for encryption and a private key for decryption).

The security of encrypted data heavily relies on the secrecy and complexity of the encryption key.

Don’t underestimate brute force attacks

As illustrated, brute force attacks, while mostly the most sophisticated cyber attacks, persist because they are effective. The implications of a brute force attack go beyond theft or fraud targeting individuals. Brute force attacks can allow attackers to gain access to critical systems, causing dangerous and expensive disruptions.

Fortunately, brute force attacks are one of the easier types of cyber attacks to prevent. Follow best practices and take advantage of the many solutions available to stop them.

Unleash the power of unified identity security

Mitigate cyber risk across the spectrum of access

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief