What Is a Brute Force Attack?

A brute force attack is a trial-and-error tactic used by hackers to crack login credentials, encryption keys, and hidden URLs.

As implied by their name, brute force attacks use brute force techniques in the form of endless login attempts to gain unauthorized access to private accounts, sensitive files, organizations’ networks, and other password-protected online resources. This is achieved by employing bots that continuously try different combinations of usernames and passwords to break into accounts.

Despite having been around for decades and being relatively simple, brute force attacks remain quite popular and are still commonly used by hackers due to their effectiveness. In fact, at least 80% of today’s breaches involve brute force attacks or the use of lost or stolen credentials.¹ This should come as no surprise given that there are over 15 billion compromised credentials currently in circulation on dark web forums that hackers can easily access.²

Once brute force attackers break into an account, they can:

• Collect and monitor user activity.

• Expose users to identity theft by stealing sensitive personal data, such as tax, bank account, and medical information.

• Infect a site with malware that will be installed on visitors’ devices (e.g., hijacking a device to be part of a botnet).

• Put spam ads on a website that pays the attacker per click or infect site visitors with spyware to collect personal data to be sold without consent.

• Cause reputational damage by vandalizing a site with unsavory content.

There are multiple different types of brute force attacks, all of which can be used to gain unauthorized access to online resources.

Simple Brute Force Attacks – Attackers attempt to guess a user’s password entirely on their own, without using any software programs to do so. These attacks work when implemented against users with weak passwords that are easy to guess, like “password”, “1234567890”, or “qwerty”.

Dictionary Attacks – These are the most basic form of brute force attacks. An attacker tests as many passwords against a targeted username as possible. This genre of brute force attacks is referred to as “dictionary attacks” since attackers run through dictionaries while testing passwords, often modifying words to include numbers and special characters.

Hybrid Brute Force Attacks – This attack strategy often uses a combination of simple brute force attacks and dictionary attacks. Attackers use logically guessed words and phrases paired with different combinations of letters and characters to crack an account. Examples of passwords used in this type of attack include popular combinations like “Houston123!” or “Bailey2022”.

Reverse Brute Force Attacks – With reverse brute force attacks, the attacker already knows about an existing password. They then work in reverse by testing out millions of usernames against that password to find a matching set of credentials. In many cases, the hackers use passwords that resulted from a breach and are easily accessible online.

Credential Stuffing – Also known as “credential recycling”, credential stuffing is another genre of brute force attacks in which the attacker tests username and password combinations that have been leaked or stolen from the dark web and other websites. This technique works for attacks against users who have reused their login credentials across multiple online accounts.

Passwords present inherent usability shortcomings. While short and simple passwords are easy to remember, they are also weak and easy for brute force attackers to crack. On the other hand, while creating long and complex passwords and frequently changing them can significantly increase security, they are difficult to remember and often increase the likelihood of users reverting back to reusing the same passwords across multiple websites, storing them in insecure ways, and failing to update them often.

With the average person using 191 services that require passwords or other credentials,³ most people have way more passwords to keep track of than ever before. Additionally, as many 70% of people use the same usernames and passwords across sites.⁴ This creates an easy target for criminals, and if credentials are compromised through phishing or brute force attacks on a site, hackers may also try those same username and password combinations on other sites.  

Additionally, the length of time that it takes for a brute force attack to crack a password is a factor of password complexity and the hacker’s computational horsepower, and it can range from just a few seconds to years. Common brute force attack computer programs can check up to a billion passwords per second.⁵ In other words, even though a brute force attack might take years to crack a complex password that you have created, you could still be at risk depending on how relentlessly persistent the attack is.

If history is any indicator, brute force attacks are here to stay and will likely continue to proliferate. Fortunately, multi-factor authentication (MFA) and passwordless authentication are two highly effective ways to mitigate their associated risks.

Below are three “good”, “better”, and “best” security practices that organizations and individuals can implement to lower the likelihood of falling victim to a brute force attack.

Good – Strengthening Password Security

Using strong passwords that are practically impossible to guess is the easiest (albeit weakest) way to defend against brute force attacks. Best practices when creating new passwords include:

• Using long passwords that are at least 15 characters in length.

• Creating complex passwords that include random strings of characters rather than common words.

• Including combinations of numbers, symbols, and both uppercase and lowercase letters in passwords.

• Never using the same passwords across multiple sites.

• Using password managers that automatically generate strong passwords that users don’t have to remember.

Organizations should protect passwords on the backend through the following security practices:

• Using the highest encryption rates possible, such as 256-bit encryption for passwords, before they are stored.

• Salting passwords before hashing. Salting is the practice of adding random additional characters to passwords before they are hashed.

• Limiting login attempts so that brute force attackers will be thwarted from repeatedly trying to log in after testing just a few unsuccessful username and password combinations.

• Using CAPTCHA can prevent brute force attack software programs that are unable to check a box or select which pictures out of a set contain a certain object from manually verifying their legitimacy.

Better – Multi-factor Authentication

Requiring multi-factor authentication (MFA) prevents breaches that result from brute force attacks and compromised credentials by adding an additional layer of security. As the name implies, MFA uses two or more factors (otherwise known as “credentials”) in the authentication of a user. These factors must come from at least two of three categories:

• Something you know – The passwords, PINS, or patterns that usually make up the first authentication factor are knowledge-based and can consist of challenge questions such as “What is your mother’s maiden name?”.

• Something you have – Authentication factors in this category verify that you are in possession of a specific thing. Examples include receiving a push notification or a text message on your cell phone or inserting your debit card into an ATM machine.

• Something you are or do – This MFA category usually refers to biometrics, with the most common verification methods being a fingerprint scan, facial recognition, or voice recognition.

When a user is authenticated using factors from at least two of these categories, a much higher level of confidence can be associated with that user. As a result, no matter how a hacker gains access to a user’s credentials – be it through a brute force attack or other means – MFA will render those credentials useless. This is because the hacker will be unable to complete the additional required verification(s) –  be it a push notification or a facial recognition scan – on the actual user’s specific (i.e., trusted) device to let them in.

Best – Passwordless Authentication

Passwordless authentication is another solution that can stop brute force attackers dead in their tracks. It is not a specific product or capability but rather a desired outcome that reduces friction and offsets security risks (such as brute force attacks) by either minimizing or outright eliminating the usability issues typically associated with passwords.

Whereas MFA verifies a user’s identity through extra authentication steps in addition to passwords, passwordless authentication grants access to resources through authentication factors other than passwords, such as email push notifications, email OTPs, QR codes, FIDO security keys, or biometric factors like fingerprint scans and facial recognition. In other words, passwordless authentication renders the efforts of brute force attackers obsolete by eliminating the pitfalls associated with the login credentials that they prey on.

Some of the most prominent benefits associated with MFA and passwordless authentication include:

• Stronger security – By requiring additional authentication factors or outright eliminating passwords, even brute force attackers who have successfully compromised a user’s credentials cannot gain unauthorized access to their account. 

• Better user experiences – These methods allow frictionless, streamlined transactions and reduced customer abandonment rates (particularly for customer identity & access management).

• Improved workforce productivity – Eliminating passwords also eliminates the need for users to reset their passwords if doing so periodically is company policy. This effectively increases productivity by reducing both frustration and downtime among workers.

• Cost savings – These methods reduce the burden on helpdesks and the associated costs whenever a user has forgotten their password. Additionally, since push notification and biometric authentication factors rely on a user’s smartphone, MFA and passwordless authentication also eliminate the costs associated with replacing hard tokens and/or smart cards.

Ping Identity protects organizations from brute force attacks through the PingOne Cloud Platform, a cloud solution that combines no-code identity orchestration with authentication, user management, and adaptive MFA services, as well as single sign-on and passwordless authentication to help organizations build, test, and optimize seamless and secure customer experiences.

To learn more about passwordless authentication, check out the Getting Started on Your Passwordless Journey White Paper.

1 Verizon 2020 Data Breach Investigations Report

2 From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover, Digital Shadows, 2020

3 From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover, Digital Shadows, 2020.

4 Griffith, Eric, “Stop Using the Same Password on Multiple Sites! No. Really” PCMag, Sept 21, 2021.

5 https://nordpass.com/blog/brute-force-attack/