What Is a Brute Force Attack?

A brute force attack is one of the simplest yet also one of the most effective cyberattacks in a cybercriminal’s playbook. It’s like not knowing the combination to a suitcase lock and trying every possible combination, one after another, until the lock opens.

In a brute force attack, cybercriminals submit username and password guesses until one is accepted, entering the system through trial and error. Brute force attackers usually use many computers: the more processing power they have, the more guesses they can try, and the more likely the attack is to succeed.

How do you defend against brute force attacks? Here are some security measures that can help:

  • Long passwords
  • Sophisticated passwords
  • Limited login attempts
  • Two-factor authentication
  • CAPTCHA

What are the types of brute force attacks?

In the most conventional type of brute force attack, a cybercriminal simply tries every possible combination until they get into the system. Let’s look at a few other types of brute force attacks:

  • Reverse Brute Force Attacks: During a reverse brute force attack, a hacker uses only a curated list of passwords against various accounts instead of trying every possible combination. With such an attack, the hacker hopes that at least one targeted account uses a common password like “123456” or “qwerty123”.
  • Credential Stuffing: This type of brute force attack has a greater chance of success because a hacker uses a set of stolen credentials instead of random passwords. Usually, threat actors buy stolen credentials from the dark web.
  • Rainbow Table: In a rainbow table attack, hackers use a rainbow hash table to break the passwords stored in a database. In cryptography, a rainbow table is a hash function that stores critical data.
  • Dictionary Attacks: A dictionary attack uses every word in the dictionary, commonly used passwords, pet names, and more to guess a password. A sophisticated dictionary attack may also swap certain letters for symbols in a word.
  • Hybrid Attacks: Hackers sometimes combine dictionary attacks with conventional brute force attacks in potentially more effective attacks called hybrid attacks.
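The conventional and reverse brute force attacks described above leave different traces in authentication logs: the first piles many failures onto one account, the second spreads a few failures across many accounts from the same source. The following added example (not code from the original article) parses constructed sshd-style log lines and flags each pattern by source address; the log format, the thresholds and the time window are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real captured logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 Failed password for alice from 203.0.113.7
2024-03-01T10:00:02 Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 Failed password for alice from 203.0.113.7
2024-03-01T10:00:04 Failed password for alice from 203.0.113.7
2024-03-01T10:00:05 Failed password for alice from 203.0.113.7
2024-03-01T10:00:06 Accepted password for alice from 203.0.113.7
2024-03-01T10:05:00 Failed password for bob from 198.51.100.9
2024-03-01T10:05:01 Failed password for carol from 198.51.100.9
2024-03-01T10:05:02 Failed password for dave from 198.51.100.9
2024-03-01T10:06:00 Failed password for frank from 192.0.2.20
2024-03-01T10:30:00 Failed password for frank from 192.0.2.20
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect(log_text, window=timedelta(minutes=5), per_account=5, distinct_accounts=3):
    """Map each suspicious source to 'brute_force' (many failures against one
    account) or 'reverse_brute_force' (one source failing against many accounts),
    judged over a sliding time window. Thresholds are assumed values to tune."""
    by_src_user = defaultdict(list)   # (src, user) -> failure timestamps in window
    verdicts = {}
    for ts, _, user, src in sorted(e for e in parse(log_text) if e[1] == "Failed"):
        hits = by_src_user[(src, user)]
        hits.append(ts)
        while ts - hits[0] > window:   # drop failures that aged out of the window
            hits.pop(0)
        if len(hits) >= per_account:
            verdicts.setdefault(src, "brute_force")
        active = {u for (s, u), t in by_src_user.items()
                  if s == src and ts - t[-1] <= window}
        if len(active) >= distinct_accounts:
            verdicts.setdefault(src, "reverse_brute_force")
    return verdicts
```

The source 192.0.2.20 is deliberately not flagged: its two failures are 24 minutes apart, so the sliding window discards the first before the second arrives.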

What tools do brute force attackers use?

Hackers use various specialized tools to launch brute force attacks, including automated software, scripts, and bots. While automated software makes the task less labor-intensive, botnets let them brute force millions of targets worldwide.

What are brute force botnets?

A malicious bot is an autonomous program that infects computers, while a botnet is a network of bots. Many infected computers and devices are parts of malicious botnets without their owners knowing it. A brute force botnet is a botnet that carries out brute force attacks.

Are brute force attacks illegal?

Brute force is a technique that someone can use for good or evil. For example, it’s not illegal for someone to use a brute force attack to test a network’s security with the owner’s consent. However, it’s illegal for anyone to use a brute force attack for unauthorized activity such as breaking into accounts, which can result in jail time.

Brute force attacks are prevalent because they’re low-cost, low-risk, and present a fair chance of success for the attacker. However, cybersecurity specialists are developing modern countermeasures to reduce their effectiveness.