
Brute Force

An attack method that systematically tries all possible combinations to guess passwords, keys, or other secrets.

A brute-force attack is a trial-and-error method that systematically attempts every possible combination of characters, passwords, or keys to find the correct one. It is one of the simplest attack techniques conceptually but can be highly effective against weak passwords, short keys, or systems that lack proper rate limiting and lockout mechanisms.

How It Works

In its simplest form, a brute-force attack against a login form tries every possible password combination starting from "a", "b", through "aa", "ab", and so on until the correct password is found. Pure brute force is computationally expensive, so attackers typically use optimized variations. Dictionary attacks try common passwords and words from wordlists. Hybrid attacks combine dictionary words with numbers and special characters. Rule-based attacks apply transformations like capitalizing the first letter or appending the current year to dictionary words.

The speed of a brute-force attack depends on the target. Attacking an online login form is limited by network latency and server response time, typically allowing hundreds or thousands of attempts per minute. Attacking an offline password hash, where the attacker has stolen the database, removes the network bottleneck entirely, enabling billions of guesses per second on GPU hardware against fast, unsalted hashes such as MD5 or SHA-1. Two properties of the hash decide how bad this gets: an unsalted hash lets one computed guess be checked against every account in the dump at once, and a fast hash lets the attacker compute guesses at full hardware speed. Salting forces each account to be attacked separately, and a deliberately slow algorithm cuts the guess rate by orders of magnitude.
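The following is an added example, not code from the original page, that ties the two paragraphs above together: it generates candidates the three ways described (exhaustive enumeration, a dictionary, and rule-based expansion of dictionary words) and runs them as an offline attack against a small constructed "leak" of unsalted SHA-256 hashes. The account names, passwords and wordlist are made up for the example; the point is that the rule-expanded wordlist needs 72 guesses where exhaustive search over printable ASCII to length 8 would need roughly 6.7e15, and that because the hashes are unsalted every guess is checked against all accounts at once.

```python
import hashlib
import itertools


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256: a fast hash, which is exactly what makes offline cracking cheap."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample "leak" of unsalted password hashes (example data, not real users).
# carol's password cannot be derived from the wordlist and should stay uncracked.
LEAKED_HASHES = {
    "alice": sha256_hex("Password2024"),
    "bob": sha256_hex("letmein!"),
    "carol": sha256_hex("Tr0ub4dor&3"),
}

# A four-word stand-in for a real wordlist such as rockyou.txt (constructed).
WORDLIST = ["password", "letmein", "welcome", "dragon"]


def pure_brute_force(alphabet, max_len):
    """Exhaustive enumeration: 'a', 'b', ..., 'aa', 'ab', ... up to max_len characters.
    The candidate count is the sum of len(alphabet)**n for n up to max_len, which is
    why pure brute force is a last resort rather than a first move."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def apply_rules(word, years=("2023", "2024")):
    """Rule-based expansion of one dictionary word: case variants, a trailing '!' and an
    appended year, ordered so the most likely variants are tried first."""
    out = []
    for base in (word, word.capitalize(), word.upper()):
        out.append(base)
        out.append(base + "!")
        for year in years:
            out.append(base + year)
            out.append(base + year + "!")
    # Deduplicate while keeping order (e.g. "123456".upper() == "123456").
    seen = set()
    unique = []
    for cand in out:
        if cand not in seen:
            seen.add(cand)
            unique.append(cand)
    return unique


def crack(hashes, candidates):
    """Offline attack: hash each candidate once and look it up against every target.
    With unsalted hashes, one hash computation tests all accounts simultaneously, and
    users who share a password fall together."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    attempts = 0
    for cand in candidates:
        attempts += 1
        for user in by_hash.get(sha256_hex(cand), []):
            found[user] = cand
        if len(found) == len(hashes):
            break  # every account recovered; no need to keep guessing
    return found, attempts


def dictionary_attack(hashes, wordlist):
    """Dictionary plus rules: a tiny fraction of the candidates exhaustive search needs."""
    return crack(hashes, (c for word in wordlist for c in apply_rules(word)))


if __name__ == "__main__":
    found, attempts = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"cracked {found} in {attempts} guesses")
    print("exhaustive candidates, 95 printable chars, length <= 8:",
          sum(95 ** n for n in range(1, 9)))
```

Swapping `sha256_hex` for a salted, slow KDF is what breaks this loop: the per-guess cost rises by orders of magnitude and `by_hash` collapses to one account per computed hash.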

Defenses against brute-force attacks include account lockout policies (temporarily disabling an account after several failed attempts; used alone, this lets an attacker lock legitimate users out on purpose by failing logins against their accounts), progressive delays (increasing the wait time between allowed attempts, which throttles an attacker without hard-locking the victim), CAPTCHA challenges (requiring proof of human interaction), and slow, salted password hashing algorithms such as bcrypt, scrypt or Argon2id that make each offline guess expensive. Multi-factor authentication makes a guessed password insufficient on its own, but the second-factor check must be rate limited as well: a six-digit OTP has only one million possible values and is itself a brute-force target.
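As an added example (not code from the original page), here is a small login service that combines two of the defenses above: per-account progressive delays that escalate into a temporary lockout, and a slow, salted KDF (scrypt from the standard library, standing in for bcrypt) for password storage. The thresholds (three free attempts, then 2, 4, 8, ... second delays, lockout for 900 seconds after ten failures) are an illustrative policy chosen for the example, not a recommended standard. Two simulated attackers show the effect: one that hammers the endpoint gets only four guesses verified before every further request is rejected without touching the KDF, and one that patiently honours every delay spends 126 seconds on ten guesses and then faces a 15-minute lockout. The clock is injected so the behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import os


class FakeClock:
    """Injectable clock so throttling can be exercised without real sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    """Per-account throttling: a few free attempts, then exponentially growing delays,
    then a temporary lockout. The constants are illustrative policy, not a standard."""
    FREE_ATTEMPTS = 3
    MAX_FAILURES = 10
    LOCKOUT_SECONDS = 900

    def __init__(self, clock):
        self.clock = clock
        self.state = {}  # username -> (consecutive failures, earliest next attempt)

    def check(self, username):
        """Return (allowed, seconds_to_wait) for the next attempt on this account."""
        _, not_before = self.state.get(username, (0, 0.0))
        remaining = not_before - self.clock()
        return (True, 0.0) if remaining <= 0 else (False, remaining)

    def record_failure(self, username):
        """Bump the failure count and return the delay imposed before the next attempt."""
        failures = self.state.get(username, (0, 0.0))[0] + 1
        if failures >= self.MAX_FAILURES:
            wait = self.LOCKOUT_SECONDS
        elif failures > self.FREE_ATTEMPTS:
            wait = 2 ** (failures - self.FREE_ATTEMPTS)  # 2, 4, 8, ... seconds
        else:
            wait = 0
        self.state[username] = (failures, self.clock() + wait)
        return wait

    def record_success(self, username):
        self.state.pop(username, None)


class AuthService:
    """Login endpoint: throttle first, only then spend CPU on the slow KDF."""
    def __init__(self, users, clock):
        self.guard = LoginGuard(clock)
        self.store = {}
        for name, password in users.items():
            salt = os.urandom(16)  # per-user salt: one guess no longer tests every account
            self.store[name] = (salt, self._kdf(password, salt))
        self.verifications = 0  # how many guesses actually reached the KDF

    @staticmethod
    def _kdf(password, salt):
        # scrypt parameters chosen for the example; tune for your hardware in production.
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def login(self, username, password):
        """Return (status, seconds_to_wait); status is 'ok', 'denied' or 'throttled'."""
        allowed, wait = self.guard.check(username)
        if not allowed:
            return "throttled", wait  # rejected before any password work is done
        self.verifications += 1
        salt, expected = self.store.get(username, (b"\x00" * 16, b""))
        # Run the KDF even for unknown users so timing does not reveal valid usernames.
        if hmac.compare_digest(self._kdf(password, salt), expected):
            self.guard.record_success(username)
            return "ok", 0
        return "denied", self.guard.record_failure(username)


def hammer(service, username, guesses):
    """Attacker ignoring the delays: fires guesses back to back; returns the statuses."""
    return [service.login(username, g)[0] for g in guesses]


def patient_attack(service, clock, username, guesses):
    """Attacker honouring each delay: waits exactly as told, then retries the guess.
    Returns (total seconds spent waiting, cracked password or None)."""
    elapsed = 0.0
    for guess in guesses:
        while True:
            status, wait = service.login(username, guess)
            if status == "ok":
                return elapsed, guess
            if status == "denied":
                break  # wrong guess; move on to the next one
            clock.advance(wait)  # throttled: sleep it out and retry this guess
            elapsed += wait
    return elapsed, None
```

The throttle check runs before the KDF on purpose: a rejected request must be cheap for the server, or the login endpoint becomes a denial-of-service target. Real deployments also key the throttle on source IP and device, and apply the same guard to password-reset and OTP endpoints.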

Why It Matters

Brute-force vulnerabilities are commonly found during security assessments. Missing rate limiting on login endpoints, password reset forms, or OTP verification pages allows attackers to automate credential guessing at scale. Even strong password policies are insufficient if the application does not limit the rate of authentication attempts, making brute-force protection a critical control to validate.
