What Is a Brute Force Attack?

A brute force attack is a type of account takeover attack. It uses trial and error to attempt to guess passwords or other secrets that would grant access to restricted content.

In a brute force attack, the attacker tries each possible value for a password or other secret in an attempt to identify the correct one. These attacks are guaranteed to succeed eventually but can be made infeasible by using strong passwords or implementing multi-factor authentication (MFA).


How Does a Brute Force Attack Work?

A brute force attack relies on the fact that — if a password exists — the attacker will be able to guess it eventually. For example, if a user has an eight-character password, an attacker who tries every possible eight-character password will eventually stumble upon the correct one. The main limitation of brute force attacks is that they can be very time-consuming to perform. While automated brute forcing tools can try many passwords per second, a long random password can take millions of years or more to crack.

However, many passwords lack this level of security, making brute force a feasible attack vector. If the attacker successfully identifies the correct password, they gain access to the user’s account, allowing them to steal data or money, infect systems with malware, or take other malicious actions.

Types of Brute Force Attacks

A brute force attack is defined by the act of guessing various passwords until the attacker identifies the correct one. There are a few different types of brute force attacks, including:

  • Simple Brute Force Attack: In a simple brute force attack, the attacker exhaustively checks every possible password candidate. For example, they may try aaaaaaaa, aaaaaaab, etc.
  • Dictionary Attack: A dictionary attack works from a list of common dictionary words and breached passwords. These passwords are often subjected to simple transformations as well, such as adding numbers at the end of a word or substituting special characters (@ for a, etc.).
  • Hybrid Brute Force Attack: A hybrid brute force attack combines a dictionary attack and a simple brute force attack. The attacker first tries to guess the user’s password using a dictionary before moving on to a simple brute force attack if that is unsuccessful.
  • Reverse Brute Force Attack: In a reverse brute force attack, the attacker starts with a known or common password. They then search for usernames that are using that password.
  • Credential Stuffing Attack: In a credential stuffing attack, the attacker tries credentials breached for one site on other sites. This attempts to identify password reuse across accounts.

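The keyspace reasoning in "How Does a Brute Force Attack Work?" and the dictionary and hybrid strategies listed above can be turned into a defender-side password check. The Python below is an added example, not code from Check Point or from this article: it rejects candidate passwords that a dictionary attack would reach (a constructed breached-word list, with the common substitutions and trailing digits undone) and, for the rest, estimates how long an exhaustive search would take. The word list, the assumed 10 billion guesses per second, and the 100-year acceptance threshold are illustrative assumptions, not figures from the page.

```python
import re

# Constructed sample of a dictionary / breached-password list (not a real breach corpus).
BREACHED_WORDS = {"password", "letmein", "qwerty", "welcome", "summer", "dragon", "monkey"}

# Undo the cheap substitutions a dictionary attack would try ("@" for "a", "3" for "e", ...).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10   # assumed attacker rate for an offline attack (illustrative)
MIN_YEARS = 100             # assumed policy threshold for accepting a password (illustrative)


def base_forms(password: str) -> set:
    """Base words a dictionary or hybrid attack would reach this password from."""
    forms = {password, password.lower(), password.lower().translate(UNLEET)}
    for form in list(forms):
        stripped = re.sub(r"[\d\W_]+$", "", form)   # "summer2023!" -> "summer"
        if stripped:
            forms.add(stripped)
    return forms


def is_dictionary_weak(password: str, wordlist=BREACHED_WORDS) -> bool:
    """True if the password is a breached word or a trivial mangling of one."""
    return any(form in wordlist for form in base_forms(password))


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover, inferred from the character classes used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 32   # printable ASCII punctuation
    return size


def keyspace(charset: int, length: int) -> int:
    """Number of candidates a simple brute force attack must try in the worst case."""
    return charset ** length


def years_to_exhaust(charset: int, length: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time for an exhaustive search at the given guess rate."""
    return keyspace(charset, length) / guesses_per_second / SECONDS_PER_YEAR


def assess(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> dict:
    """Combine the dictionary check with the keyspace estimate into one verdict."""
    charset = charset_size(password)
    years = years_to_exhaust(charset, len(password), guesses_per_second)
    weak = is_dictionary_weak(password)
    return {
        "dictionary_weak": weak,
        "charset": charset,
        "keyspace": keyspace(charset, len(password)),
        "years_to_exhaust": years,
        "verdict": "reject" if weak or years < MIN_YEARS else "accept",
    }


if __name__ == "__main__":
    for candidate in ["aaaaaaaa", "P@ssw0rd", "Summer2023!", "xk7#Lq9!vT2mW4pZ"]:
        print(candidate, assess(candidate))
```

Note that `years_to_exhaust` is the worst case; on average an attacker finds the password after searching half the keyspace, so a policy threshold should leave a wide margin, and the guess rate should be set from the hash function the site actually uses (a slow, salted hash lowers it by orders of magnitude).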
How to Prevent Brute Force Password Attacks

Brute force password guessing attacks pose the risk of successful account takeover. Some ways to protect against these threats include:

  • Strong Passwords: Brute force password attacks rely on the fact that a password can be guessed within a reasonable amount of time. Using a long, random password increases the complexity and time required for a brute force attack.
  • Salted Hashes: Salting involves combining each password with a unique random value before hashing and storing it. This ensures that identical passwords don’t produce identical password hashes, so precomputed lookup tables are useless and every stolen hash has to be cracked separately.
  • Rate Limiting: Online brute force attacks involve testing passwords against a live login page. Implementing rate limiting — i.e. only allowing a certain number of login requests per minute — makes these attacks slower and less effective.
  • Account Lockouts: Account lockouts prevent access to a user’s account — even with a correct password — after a certain number of failed login attempts. This helps to disincentivize brute force attacks and dramatically reduces their likelihood of success since an attacker only has a few guesses to find the correct password.
  • Two-Factor/Multi-Factor Authentication (2FA/MFA): 2FA/MFA requires two or more different authentication factors to gain access to a user’s account. For example, MFA may require an attacker to guess or steal both a password and a one-time password (OTP) generated by an authenticator app.
  • Behavioral Analytics: An organization can use behavioral analytics to identify suspicious behavior related to user accounts. For example, a large volume of failed login attempts indicates an attempted brute force password guessing attack.
  • IP Blocklisting: An organization can also explicitly block traffic from certain known-bad IP addresses. This can make it more difficult for a botnet to perform a brute force password guessing attack.

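Several of the controls above (salted hashes, rate limiting, account lockouts, and behavioral analytics on failed logins) fit naturally into one login handler. The Python below is an added example, not Check Point's code or anything the article ships: a minimal login service that stores salted PBKDF2 hashes, limits requests per source IP, locks an account after repeated failures, and keeps an audit log that a detection function scans for bursts of failures. The thresholds, the reduced PBKDF2 work factor, the injectable clock, and the sample usernames and IP addresses are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the demo runs quickly; follow
# current OWASP guidance (hundreds of thousands of iterations) in production.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5          # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900     # lockout duration
RATE_LIMIT = 10           # login requests allowed per source IP per window
RATE_WINDOW = 60          # seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt-and-hash a password; a fresh 16-byte random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    """Login endpoint with salted hashes, per-IP rate limiting, lockout and an audit log."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable so tests can control time
        self.users = {}                         # username -> (salt, digest)
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                  # username -> time the lockout ends
        self.requests = defaultdict(deque)      # ip -> timestamps of recent requests
        self.events = []                        # (time, ip, username, outcome)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _rate_limited(self, ip: str, now: float) -> bool:
        window = self.requests[ip]
        while window and now - window[0] > RATE_WINDOW:   # forget requests outside the window
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def login(self, username: str, password: str, ip: str) -> str:
        now = self.clock()
        if self._rate_limited(ip, now):
            return self._record(now, ip, username, "rate_limited")
        if self.locked_until.get(username, 0.0) > now:
            return self._record(now, ip, username, "locked")   # even a correct password is refused
        record = self.users.get(username)
        # Unknown users are hashed against a fixed dummy salt so response time
        # does not reveal which usernames exist.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures[username] = 0
            return self._record(now, ip, username, "success")
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return self._record(now, ip, username, "failure")

    def _record(self, now: float, ip: str, username: str, outcome: str) -> str:
        self.events.append((now, ip, username, outcome))
        return outcome


def detect_brute_force(events, threshold=MAX_FAILURES, window=RATE_WINDOW) -> dict:
    """Behavioral check: flag IPs and accounts with >= threshold failures inside any window."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "failure":
            by_ip[ip].append(ts)
            by_user[user].append(ts)

    def bursty(times):
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                return True
        return False

    return {"ips": {ip for ip, t in by_ip.items() if bursty(t)},
            "accounts": {u for u, t in by_user.items() if bursty(t)}}


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for guess in ["password", "letmein", "alice123", "qwerty", "welcome"]:
        print(svc.login("alice", guess, "203.0.113.7"))
    print(svc.login("alice", "correct horse battery staple", "203.0.113.7"))
    print(detect_brute_force(svc.events))
```

The lockout and rate limit address online guessing against the live login page; the salted PBKDF2 hash is what slows an offline attack if the user table is stolen. The detection function works from the same audit events the service records, so the same failed-login bursts that trigger lockouts also surface for an analyst.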
Defending Against the Modern Cyberattack

The cyber threat landscape has evolved rapidly in recent years. While brute force attacks are an old threat, modern technology makes them more effective than they were in the past. As a result, a brute force attacker has a higher chance of gaining access to a user’s account and stealing money or data.

However, account takeover is only one cyberattack that organizations face. For more information about the current cyber threat landscape, check out Check Point’s 2023 Mid-Year Cyber Security Report. Today, organizations face the Fifth Generation of cyberattacks, which are larger and more sophisticated and stealthy than ever before. Learn more about protecting against the Gen V cyber threat with Check Point.
