What is Brute Force Attack?

A Brute Force Attack is an attempt to break the code (password, passphrase, encryption key, etc.) by consecutively trying all possible character combinations until the right one is found.


June 22, 2023

We all face situations when we cannot remember the password and chaotically try any password that could ever be used. The happiness when you finally find it is hard to describe. And only a small group of people know that what they did was manual "brute force".

A brute force attack attempts to break the code (password, passphrase, encryption key, etc.) by consecutively trying all possible character combinations until the right one is found. Such an attack can be characterized as systematic guessing. In cryptography, the “brute force” term reflects virtually unlimited time or computing power the hacker needs to perform the attack effectively, not the nature of the code breaker’s interaction with the targeted system.

Brute Force Scheme

An exhaustive search method, brute force plays a symbolic role in cryptography. Although it is the slowest code-breaking method, it is also the purest in its artless efficiency. Thus, the capacity of a cryptographic protection method (or a particular password or key) against the brute force attack can serve as a criterion of its effectiveness.

Strengths and Weaknesses of Brute Force

As noted above, brute force attacks are virtually impossible to repel. Breaking the password may take the offenders years, but they will eventually succeed. Therefore, all protective measures against such attacks (except for highly impractical implementations of unconditional security) can be reduced to making brute force useless. And that is relatively easy to do.

Imagine a four-digit code. It will take a human a lot of time to test ten thousand variants to see which one is correct. However, a computer will find the needed combination in less than a second. Regardless of such evident computational dominance of a machine over a human, a strong password will make this advantage irrelevant. An 18-character password featuring lower and upper case letters, digits, and special symbols will keep even the most powerful computer busy for millions of years.

This table shows the difference in the time it takes to hack passwords differing in strength.

Brute Force Effectiveness

Encryption keys used for secure communications can be targeted for hacking attacks as well as passwords, but they are, in the same way, unreachable for brute force attacks nowadays. Bit strings for scrambling transmitted data and unscrambling it upon reception, encryption keys can be pretty long, and breaking them is also a difficult task. For example, AES (advanced encryption standard) featuring 256-bit encryption keys makes reaching the encoded traffic in a reasonable time impossible.

That is the state of affairs for modern broad-market machines. Progress won't cease, though. Quantum computers will jeopardize today's best classical encryption methods. IBM's already existing 100+ qubit quantum computer and its successors are impending rivals for 256-bit encryption schemes, most likely to render them obsolete. A cipher that would take a "classic" machine ages to decrypt will be a piece of cake for a powerful quantum computer. Fortunately, such computers will likely be too expensive to be available for everyone.

Modern Technical Issues

Besides strong passwords and long encryption keys, various technical solutions oppose brute force attacks. The programs that receive and check passwords, online or offline, have security measures against brute force. These are CAPTCHA (a well-known quick anti-robot test), a programmed delay between allowed attempts to enter a password, IP/account blocking if password-guessing becomes evident, etc.

Typical error the brute force actor sees during the attack

Another brute force countermeasure is data obfuscation which applies to encrypted data. It is an additional technique wherein data is altered by certain algorithms that obscure information for the human eye. Obfuscation has nothing to do with the encryption itself. However, it might save data from being recognized as correctly decrypted or prevent the decrypted information from timely usage by hackers.

What Is Brute Force Good For Then?

"What's the point of such an attack if there are so many things that make it useless?" you might ask. That's a reasonable question. The answer is that, although surrounded by outstanding technical protection measures, the human user provides the most critical vulnerability. Few people follow password-related safety rules unless the technology makes them obey prescribed security regulations, of course. Large tech companies, like Apple or Microsoft, take care of that, but not all companies do so. Passwords like "123" or ones featuring pet names are still very widespread. Why this is dangerous and frees the hands of brute force attackers is explained further below.

Tools for Brute Force

Brute force attackers use various tools to access your systems. You can use these same brute force tools yourself for penetration testing.

A penetration test is the practice of checking your computers using the same methods hackers do. These tools can help you identify security holes.

| Name | Description | Language | Price |
|---|---|---|---|
| Hydra | Brute force tool for login cracking, used on Linux or Windows/Cygwin, and in addition on Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10), and macOS. Hydra supports many protocols such as AFP, HTTP-FORM-GET, HTTP-GET, HTTP-FORM-POST, HTTP-HEAD, HTTP-PROXY, and more. | C | 🆓 |
| Gobuster | Gobuster is used to brute-force: URIs in web sites; DNS subdomains; Virtual Host names on target web servers; Open Amazon S3 buckets. | Go | 🆓 |
| BruteX | Brute forces all services running on a target: Open ports; Usernames; Virtual Host names on target web servers; Passwords. | Bash | 🆓 |
| Dirsearch | An advanced command-line tool designed to brute force directories and files in web servers (web path scanner). | Python | 🆓 |
| Patator | Patator is a multi-threaded tool written in Python that strives to be more reliable and flexible than its predecessors. | Python | 🆓 |
| Pydictor | Pydictor is a dictionary builder for a brute force attack. | Python | 🆓 |

Types of Brute Force Attacks

Hackers have developed tools that use the computational power of the brute force method but avoid its disadvantages. A simple brute force attack uses no outside logic. Since it is not expected to succeed against strong passwords, hackers had to narrow the application area of the brute force method, and they did. The plain brute force mechanism spends time and resources on myriads of variants irrelevant to the targets it can actually succeed against. However, the variations of the method listed below can be successful against weak or lexeme-based passwords.

Hybrid Brute Force Attack

This type of attack uses a previously gathered set of words and digit combinations, candidates for password bases. It works as a usual brute force attack but concentrates efforts only on variations of the words in the list. The addition to the simple brute force hacking program, in this case, is software that produces the mentioned variations. Hybrid attacks are effective against weak passwords (“111,” “123456”) or name-based passwords combined with numbers (“Richard2000”).

Dictionary Attack

A dictionary attack is an older version of the hybrid brute force attack, or, better to say, what a brute force attack must be combined with to become a hybrid attack. In a dictionary attack, a machine rapidly tries different words, either by going through a dictionary or by using pre-gathered word lists.

Rainbow Table Attack

It is a special variant of lookup tables for reversing cryptographic hash functions. It uses the mechanism of a reasonable compromise between the time of the search (by the table) and the memory it takes to do it. Rainbow tables are used to crack passwords that underwent hashing and attack open-text-based symmetric ciphers. The method is based on the fact that different passwords can produce the same hash. If the malefactors know the hash value, they can use the tables to find the password relatively quickly.

Reverse Brute Force Attack

If criminals lay their hands on leaked passwords but don't know which logins these passwords belong to, they start picking logins. It is executed the same way as a usual brute force attack on passwords, but it targets the login field. That's where the name of the method comes from. Hackers may also try to check whether any of the clients of a certain service or network use widespread passwords like "qwertyuiop". However, that is not so effective when there is a possibility to find the login with the use of OSINT, just by searching for the email address or username related to the place you're trying to get into via brute force. Another way to get this kind of information is social engineering, and that is exactly what people do.

Credential Stuffing

Since people often use the same passwords and even login-password pairs on different websites, as soon as any of these pairs falls into the hands of malefactors, the latter can use credential stuffing to test whether these hacked credentials work for any other websites. This process is automated, and hackers can surely add word variation production.
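The attack types above leave different traces in authentication logs, which is how a defender tells them apart. The following is an added example, not part of the original article: it assumes a simple "time source_ip username result" log format, treats the lines as one detection window, and uses illustrative thresholds and constructed sample events.

```python
from collections import defaultdict

# Constructed sample events, "time source_ip username result"; not real log data.
SAMPLE_LOG = (
    [f"10:00:{i:02d} 198.51.100.7 alice FAIL" for i in range(6)]
    + [f"10:01:{i:02d} 203.0.113.9 {u} FAIL"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    + ["10:01:05 203.0.113.9 grace OK",
       "10:02:00 192.0.2.44 heidi FAIL",
       "10:02:30 192.0.2.44 heidi OK"]
)

def classify_sources(lines, max_fails_per_user=5, min_users=5):
    """Return {source_ip: (verdict, accounts that logged in from it)} for flagged IPs."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> username -> failed attempts
    logins = defaultdict(set)                       # ip -> usernames with a success
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                # ignore malformed lines
        _, ip, user, result = parts
        if result == "FAIL":
            fails[ip][user] += 1
        elif result == "OK":
            logins[ip].add(user)
    flagged = {}
    for ip, per_user in fails.items():
        if max(per_user.values()) > max_fails_per_user:
            # Simple, dictionary or hybrid brute force: many tries on one login.
            verdict = "password guessing against one account"
        elif len(per_user) >= min_users:
            # Reverse brute force or credential stuffing: many logins, few tries each.
            verdict = "many accounts, few tries each"
        else:
            continue                                # looks like an ordinary typo
        # Any success from a flagged source is an account to review and reset.
        flagged[ip] = (verdict, sorted(logins[ip]))
    return flagged
```

A success recorded from a flagged source (here the constructed account "grace") is the event to act on first, since it suggests a guessed or reused credential actually worked.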

Motivation for Brute Force Attacks

As you have probably noticed, sometimes malefactors attack specific users and their particular accounts, but sometimes they attempt to hack something at random. Although codebreakers might seem uncertain about their goals, the cybercriminal world is diverse. Thus, crooks will use any hacked account, mailbox, or device. If it is a spear attack, and offenders get exactly what they hunted for, that's a big win. The victim should be ready to suffer reputational, financial, or political losses. However, if hackers manage to hack at least something, they will know what to do. Gathering information, identity theft, or malware installation (coin miners, ransomware, botnet software, etc.) is very likely to happen. Hackers can monetize any of the named activities on respective black markets.

How to Prevent Brute Force Attacks?

The following security measures will effectively make brute force attacks pointless:
  • Use strong passwords. A lot of services offer you recommendations on strong passwords - do not neglect them;
  • Change passwords regularly. A password can be leaked regardless of its strength. To avoid account hijacking, it is better to change passwords at least twice a year. That's especially needed when you use the same or similar password for multiple services;
  • Use 2-factor authentication. This option will require confirmation of your identity via another device of yours after you (or an attacker) enter a correct password;
  • Progressive delays in case of wrong password input, CAPTCHA procedures, and account lockouts (when the wrong password is tried over a certain number of times) are also good security features. You can activate them if you administer a workgroup.
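
The progressive delay and lockout measures named in this list and in the "Modern Technical Issues" section can be sketched as follows. This is an added example, not code from the article: the class and function names, the doubling delay, the five-failure limit and the 900-second lockout are illustrative assumptions, and `verify` is a hypothetical credential check supplied by the caller.

```python
import time

class LoginThrottle:
    """Progressive delay, then lockout, tracked per key (account name or source IP)."""

    def __init__(self, base_delay=1.0, max_failures=5, lockout=900.0, clock=time.monotonic):
        # All thresholds are illustrative assumptions, not values from the article.
        self.base_delay, self.max_failures, self.lockout = base_delay, max_failures, lockout
        self.clock = clock
        self._state = {}  # key -> (consecutive failures, earliest time of next attempt)

    def wait_time(self, key):
        """Seconds until this key may try again; 0.0 means an attempt is allowed now."""
        _, not_before = self._state.get(key, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, key):
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            wait = self.lockout                            # lockout after too many misses
        else:
            wait = self.base_delay * 2 ** (failures - 1)   # 1s, 2s, 4s, 8s ...
        self._state[key] = (failures, self.clock() + wait)
        return wait

    def reset(self, key):
        self._state.pop(key, None)


def attempt_login(throttle, user, ip, password, verify):
    """verify(user, password) -> bool is a hypothetical credential check."""
    keys = (f"user:{user}", f"ip:{ip}")
    wait = max(throttle.wait_time(k) for k in keys)
    if wait > 0:
        return "throttled", wait          # the password is not evaluated at all
    if verify(user, password):
        throttle.reset(f"user:{user}")    # IP counter is kept; production code would age it out
        return "ok", 0.0
    return "denied", max(throttle.record_failure(k) for k in keys)
```

Tracking the source IP alongside the account means guesses spread across many logins are slowed as well, not only repeated guesses at one login.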

Frequently Asked Questions

Do hackers only use Brute Force?
No, you'll probably not believe this, but you're using that method, too. This happens when you forget your password and scroll through different combinations to find your exact password. So it is wrong to say that this method is only malicious and is used only by intruders.
Is Brute Force Attack Legal?
The answer to this question is obvious. Any intrusion into private property without the permission of the owner is already considered illegal. The fact that a fraudster manages to log into a user’s account using the same password does not give him privileges or exempt him from responsibility for what he has done. But also do not forget that illegality appears not only when intruders enter a hacked account, but also when they just look for passwords. Let’s also not forget that the attacker targets sensitive data, steals it, and does whatever he wants with it. He can sell it to third parties, compromise the user with the data received, and even take out credit in the user's name. All these actions are unauthorized and illegal. So if you ever think about hacking someone’s account, you know you’re breaking privacy laws.
How are brute force attacks used?
Brute-force attacks are used to retrieve any user information: password phrases, personal identification numbers, passwords, user names. To pull off an attack and succeed in it, attackers use hacking apps and different scenarios in which they look for different combinations of what they need. This attack also has positive uses; for example, IT experts use it to check network security.
How long does it take to crack a password?
It is believed that brute force involves a long period of password cracking. This is because the methods for its implementation require a lot of effort and time to find the right combination. According to recent research, even a complicated 8-digit password with different characters and letters can be hacked. It can be done by a hacker in about eight hours using a high-end PC. But it should be noted that this also depends on the method used by the intruder. If the combination is made by the computer, then the situation with the hack can be solved instantly.
Have password managers ever been hacked?
Password manager is a common name for software that aims to help the user choose and keep passwords or PINs. The database of such programs often contains all the encrypted password data. By itself, a password manager is just software, the same as any other, and thus can contain vulnerabilities. If hackers are skilled enough and have done diligent research, they actually can hack password management software.