UK tech experts · info@vividrepairs.co.uk
Vivid Repairs

Brute Force Attack

A cyberattack method in which an attacker automatically tries thousands or millions of password combinations until one grants access to an account or system.

Also known as: password cracking, exhaustive search attack, dictionary attack, credential attack, brute force

A brute force attack is a trial-and-error technique used to crack passwords, encryption keys, or authentication credentials by systematically testing every possible combination until one works. The attacker uses automated software to submit repeated login attempts, often starting with common passwords or dictionary words before progressing to random character combinations.

These attacks succeed because most systems lack sufficient throttling or lockout mechanisms. An attacker might try 10,000 password combinations per second against a vulnerable server, making it feasible to crack weak or moderately complex passwords within hours or days.

Why it matters: Brute force attacks remain one of the most prevalent security threats. Web servers, email accounts, FTP sites, and routers are frequent targets. The simplicity and low technical skill required make this attack accessible to novice hackers, whilst the high volume of attempts makes defending difficult without proper safeguards.

Common variations include:

  • Dictionary attacks: testing words from standard dictionaries or leaked password databases
  • Credential stuffing: using email and password pairs stolen from previous breaches against other platforms
  • Reverse brute force: targeting many accounts with a single common password rather than one account with many passwords

How to protect yourself: Use long, random passwords with mixed character types. Enable multi-factor authentication (MFA) on important accounts, which blocks access even if a password is cracked. Choose services that implement account lockouts after failed attempts, rate limiting, and CAPTCHA challenges. Use a password manager to maintain unique passwords across accounts.
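Account lockouts count failures per account, which catches a classic brute force but not the reverse brute force variation listed above, where each account sees only one failure. The following is an added example, not code from Vivid Repairs: a detector over constructed failed-login events that also counts distinct accounts per source. The event format, thresholds, labels and function names are assumptions.

```python
from collections import defaultdict

# Constructed failed-login events: (unix_time, source_ip, username).
# Addresses are from documentation ranges; none of this is real log data.
SAMPLE_FAILURES = (
    [(1000 + i, "198.51.100.7", "alice") for i in range(12)]              # one account, many guesses
    + [(2000 + i * 5, "203.0.113.9", f"user{i:02d}") for i in range(15)]  # many accounts, one guess each
    + [(3000, "192.0.2.44", "bob"), (3400, "192.0.2.44", "bob")]          # ordinary typos
)

def classify_failures(events, window=300, per_account_limit=10, distinct_account_limit=10):
    """Return {source_ip: set of labels} for sources that cross either
    threshold inside a sliding window of `window` seconds (assumed values)."""
    by_source = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_source[ip].append((ts, user))

    findings = defaultdict(set)
    for ip, attempts in by_source.items():
        start = 0
        counts = defaultdict(int)  # username -> failures inside the current window
        for ts, user in attempts:
            counts[user] += 1
            # Slide the window: drop attempts older than `window` seconds.
            while attempts[start][0] <= ts - window:
                old_user = attempts[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            if counts[user] >= per_account_limit:
                findings[ip].add("brute_force")
            # Many distinct accounts from one source: reverse brute force
            # (credential stuffing from a single source looks the same here).
            if len(counts) >= distinct_account_limit:
                findings[ip].add("reverse_brute_force")
    return dict(findings)

def locked_accounts(events, limit=10):
    """Naive per-account lockout: usernames that reach `limit` failures."""
    totals = defaultdict(int)
    for _, _, user in events:
        totals[user] += 1
    return {user for user, n in totals.items() if n >= limit}

if __name__ == "__main__":
    print(classify_failures(SAMPLE_FAILURES))
    print(locked_accounts(SAMPLE_FAILURES))
```

On the sample data the per-account lockout triggers only for `alice`, while the per-source view also flags the address that failed once against fifteen different accounts.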