What Is a Brute Force Attack?
A brute force attack is a trial-and-error method used to gain unauthorized access to systems, accounts, or encrypted data by systematically trying every possible combination of credentials until the correct one is found. It is one of the oldest and most straightforward attack methods in information security, and it remains effective because of weak passwords, poor authentication controls, and the ever-increasing computational power available to attackers.
The term "brute force" reflects the approach: there is no clever exploitation of a vulnerability or sophisticated social engineering. The attacker simply tries one password after another — thousands, millions, or billions of attempts — until one succeeds. The success of the attack depends entirely on the password's complexity, the attacker's computational resources, and the defenses in place to limit or block repeated attempts.
Types of Brute Force Attacks
Simple Brute Force (Exhaustive Search)
A simple brute force attack tries every possible combination of characters up to a given length. For a 6-character password using lowercase letters only, there are 26^6 = 308,915,776 possible combinations. A modern GPU can test billions of hashes per second against an offline password database, meaning a 6-character lowercase password is cracked in under a second.
The time required grows exponentially with password length and character set size:
| Password Characteristics | Possible Combinations | Approximate Time (10B guesses/sec) |
|---|---|---|
| 6 chars, lowercase | 308 million | Less than 1 second |
| 8 chars, lowercase + digits | 2.8 trillion | ~5 minutes |
| 8 chars, mixed case + digits + symbols | 6.6 quadrillion | ~7.5 days |
| 12 chars, mixed case + digits + symbols | 4.7 sextillion | ~15,000 years |
| 16 chars, mixed case + digits + symbols | 3.4 x 10^31 | ~100 trillion years |
These figures assume offline cracking (where the attacker has a copy of the hashed password database). Online attacks against live systems are orders of magnitude slower due to network latency and server-side rate limits.
Dictionary Attacks
A dictionary attack narrows the search space by using a pre-compiled list of likely passwords rather than trying every possible combination. These wordlists are built from:
- Common passwords: Lists like "rockyou.txt" (from the 2009 RockYou breach) contain millions of real passwords that people have actually used. The top 1,000 most common passwords account for a disproportionate percentage of all accounts.
- Language dictionaries: Every word in the English dictionary (or other languages), combined with common substitutions (e.g., "p@ssw0rd" for "password").
- Pattern-based lists: Passwords following common patterns like "Summer2024!", "Company123", or keyboard patterns like "qwerty123".
- Previously breached passwords: Passwords collected from prior data breaches, aggregated into massive wordlists containing billions of entries.
Dictionary attacks are far faster than exhaustive brute force because they prioritize the passwords people actually choose, which are far fewer than the total possible combinations.
Credential Stuffing
Credential stuffing is the automated injection of stolen username-password pairs — obtained from previous data breaches — into login forms on other sites. The attack exploits the fact that most people reuse passwords across multiple services. If a user's email and password were exposed in a breach of Service A, the attacker tries those same credentials on Service B, Service C, and hundreds of other services.
Credential stuffing is one of the most prevalent attack techniques today because:
- Billions of stolen credentials are freely available on the dark web.
- Password reuse rates remain extremely high — studies consistently show that over 60% of people reuse passwords across sites.
- Automated tools like Sentry MBA, OpenBullet, and custom scripts make it trivial to test millions of credential pairs across thousands of sites.
- Each login attempt uses a valid username-password format, making it difficult to distinguish from legitimate traffic.
Reverse Brute Force
In a reverse brute force attack, the attacker starts with a known common password (e.g., "Password123") and tries it against a large number of usernames or accounts. This approach avoids triggering per-account lockout mechanisms because each account only sees a single failed login attempt. It is particularly effective against organizations with large user bases and weak password policies.
Hybrid Attacks
Hybrid attacks combine dictionary words with brute force permutations. The attacker takes a dictionary word and appends or prepends numbers, symbols, or character substitutions: "password" becomes "Password1!", "p@ssword2024", "password!!!", and so on. This approach is effective against users who meet minimum complexity requirements by making predictable modifications to common words.
What Attackers Target
Brute force attacks are used against a wide range of targets:
- Web application login forms: The most common target. Attackers focus on admin panels, CMS login pages (WordPress wp-login.php is a frequent target), and user account login forms.
- SSH and RDP: Internet-exposed SSH and Remote Desktop Protocol services are constantly scanned and attacked. Any server with SSH on port 22 will see thousands of brute force attempts per day.
- API endpoints: Authentication APIs that accept username/password credentials are targeted with automated credential stuffing tools.
- Email accounts: SMTP, IMAP, and webmail login interfaces are targeted to gain access to email, which can then be used for password resets on other services.
- Encrypted files and volumes: Offline brute force attacks against encrypted archives, disk volumes, or password-protected documents.
- Wi-Fi networks: WPA2 handshake captures can be brute-forced offline to recover Wi-Fi passwords.
Defense Strategies
Rate Limiting
Rate limiting restricts the number of login attempts allowed from a single IP address or for a single account within a given time window. This is the most fundamental defense against online brute force attacks. A web application firewall can enforce rate limits before requests reach the application server, blocking automated attacks at the edge. NOC.org's WAF includes configurable rate limiting rules specifically designed to counter brute force attempts.
Account Lockout Policies
Locking an account after a specified number of failed login attempts (typically 5-10) prevents exhaustive attacks against individual accounts. However, lockout policies must be implemented carefully:
- Use temporary lockouts (15-30 minutes) rather than permanent locks to avoid denial of service against legitimate users.
- Implement progressive delays — increase the lockout duration with each successive lockout event.
- Be aware that attackers can weaponize lockout policies to intentionally lock out legitimate users (a form of denial of service). Combining lockout with CAPTCHA rather than hard lockout mitigates this risk.
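The following is an added example (not NOC.org's WAF code or any library's API) of how the rate limiting, progressive temporary lockout and CAPTCHA-after-threshold ideas above fit together in one login throttle. All thresholds (a 10-minute window, 20 failures per IP, CAPTCHA after 3 and lockout after 5 failures per account, a 15-minute base lockout that doubles on each repeat) are assumptions chosen to match the ranges given in the text; the in-memory store and the FakeClock are for illustration only, a real deployment would keep counters in a shared store so that every application node sees the same state.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for this example (not from the page beyond the stated ranges).
WINDOW_SECONDS = 600           # sliding window used to count failures
IP_LIMIT = 20                  # failures per source IP per window before blocking
ACCOUNT_CAPTCHA_AFTER = 3      # failures per account before a CAPTCHA is required
ACCOUNT_LOCK_AFTER = 5         # failures per account before a temporary lockout
BASE_LOCKOUT_SECONDS = 900     # 15 minutes; doubled on each successive lockout
MAX_LOCKOUT_SECONDS = 86400    # cap the progressive delay at one day


class LoginThrottle:
    """Decides, before the password is even checked, whether an attempt may proceed."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self.account_failures = defaultdict(deque)  # username -> timestamps of failures
        self.locked_until = {}                      # username -> unix time the lock expires
        self.lockout_count = defaultdict(int)       # username -> how many lockouts so far

    def _prune(self, timestamps, now):
        # Drop failures that fell out of the sliding window.
        while timestamps and timestamps[0] <= now - WINDOW_SECONDS:
            timestamps.popleft()

    def check(self, ip, username):
        """Return 'allow', 'captcha' (human check required) or 'blocked'."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "blocked"                        # temporary account lockout in force
        self._prune(self.ip_failures[ip], now)
        if len(self.ip_failures[ip]) >= IP_LIMIT:
            return "blocked"                        # per-IP rate limit, catches reverse brute force
        self._prune(self.account_failures[username], now)
        if len(self.account_failures[username]) >= ACCOUNT_CAPTCHA_AFTER:
            return "captcha"                        # soft response before any hard lockout
        return "allow"

    def record_failure(self, ip, username):
        """Count a failed password check; returns the lockout length applied (0 if none)."""
        now = self.clock()
        self.ip_failures[ip].append(now)
        self.account_failures[username].append(now)
        self._prune(self.account_failures[username], now)
        if len(self.account_failures[username]) >= ACCOUNT_LOCK_AFTER:
            repeats = self.lockout_count[username]
            duration = min(BASE_LOCKOUT_SECONDS * (2 ** repeats), MAX_LOCKOUT_SECONDS)
            self.locked_until[username] = now + duration
            self.lockout_count[username] += 1       # next lockout will be longer
            self.account_failures[username].clear()
            return duration
        return 0

    def record_success(self, ip, username):
        # A good login clears the account's failure budget but keeps the escalation
        # history, so an account that is repeatedly locked keeps escalating.
        self.account_failures[username].clear()


class FakeClock:
    """Deterministic clock so the simulation (and its test) does not depend on wall time."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(events):
    """Replay (seconds_since_previous, ip, username, password_correct) tuples.
    Returns one decision string per attempt, e.g. 'allow:fail' or 'captcha:locked900'."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    decisions = []
    for delta, ip, user, correct in events:
        clock.advance(delta)
        decision = throttle.check(ip, user)
        if decision == "blocked":
            decisions.append("blocked")
            continue
        # 'captcha' means the request continues only after a solved challenge;
        # the simulation assumes the challenge was solved and verifies the password.
        if correct:
            throttle.record_success(ip, user)
            decisions.append(decision + ":ok")
        else:
            lock = throttle.record_failure(ip, user)
            decisions.append(decision + (":locked%d" % lock if lock else ":fail"))
    return decisions


if __name__ == "__main__":
    # Six wrong passwords for one account one second apart, then a retry after the lock.
    print(simulate([(1, "203.0.113.5", "alice", False)] * 6 + [(901, "203.0.113.5", "alice", False)]))
    # A reverse brute force: one IP, one failure each against 25 different accounts.
    print(simulate([(1, "198.51.100.7", "user%d" % i, False) for i in range(25)]))
```

The per-account counters alone would never trip on the second scenario, because each account sees a single failure; the per-IP budget is what stops it, which is why both counters are needed. Because the account lockout is temporary and preceded by a CAPTCHA step, an attacker who deliberately fails logins against a victim's account can only cause short interruptions rather than a permanent lockout.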
CAPTCHA
CAPTCHA challenges verify that a login attempt is being made by a human rather than an automated script. CAPTCHAs are most effective when presented after a threshold of failed attempts rather than on every login, to avoid burdening legitimate users. Modern CAPTCHA systems use risk-based analysis and behavioral signals rather than traditional image-recognition puzzles.
Two-Factor Authentication (2FA)
Two-factor authentication is the single most effective defense against brute force and credential stuffing attacks. Even if the attacker guesses or obtains the correct password, they cannot complete authentication without the second factor — typically a time-based one-time password (TOTP), hardware security key (FIDO2/WebAuthn), or push notification. Organizations should mandate 2FA for all administrative accounts and strongly encourage it for all users.
Strong Password Policies
- Require a minimum length of 12 characters (NIST SP 800-63B recommends supporting up to 64 characters).
- Check passwords against known breached password databases (e.g., Have I Been Pwned's API).
- Encourage passphrases over complex single-word passwords — "correct-horse-battery-staple" is both stronger and more memorable than "P@ssw0rd!".
- Do not enforce mandatory periodic password rotation, as it leads to predictable increment patterns (Summer2024 becomes Fall2024).
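As an added example of the policy checks above (not code from the page, NOC.org or Have I Been Pwned), the block below enforces the 12-character minimum and the 64-character ceiling, applies no composition rules so that passphrases pass, and checks the password against breach data using the k-anonymity range query Have I Been Pwned documents for its Pwned Passwords API (only the first five hex characters of the SHA-1 hash are sent; the response is a list of `SUFFIX:COUNT` lines). The breached-password set and its counts are constructed for the example, and the offline `local_range_lookup` stands in for the live endpoint so the code runs without network access; `hibp_range_lookup` shows the live call but is never invoked here.

```python
import hashlib
import urllib.request
from collections import defaultdict

MIN_LENGTH = 12   # minimum length from the policy above
MAX_LENGTH = 64   # NIST SP 800-63B: passwords up to at least 64 characters must be accepted

# Constructed stand-in for breach data; the counts are made up for this example.
CONSTRUCTED_BREACHED = {"P@ssw0rd!": 1234, "Summer2024!": 57, "password": 999999}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Group breached hashes by their 5-character prefix, mirroring the API's buckets."""
    index = defaultdict(dict)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


def local_range_lookup(prefix, index=build_range_index(CONSTRUCTED_BREACHED)):
    """Offline replacement for the range endpoint: returns 'SUFFIX:COUNT' lines."""
    return "\r\n".join("%s:%d" % (s, c) for s, c in sorted(index.get(prefix, {}).items()))


def hibp_range_lookup(prefix):
    """Live k-anonymity query (not exercised in this example): only the 5-char prefix
    leaves the host, so the service never learns the password or its full hash."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "example-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_lookup=local_range_lookup):
    """Number of times the password appears in breach data (0 if never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        found_suffix, count = line.strip().split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password, range_lookup=local_range_lookup):
    """Return the list of policy violations; an empty list means the password is acceptable.
    Deliberately no upper/lower/digit/symbol rules: length and breach exposure matter more."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    count = breach_count(password, range_lookup)
    if count:
        problems.append("appears %d times in breach data" % count)
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2024!", "correct-horse-battery-staple"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

To use the live service, pass `range_lookup=hibp_range_lookup` to `evaluate_password`; the rest of the logic is unchanged, since the offline lookup returns the same line format.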
Monitoring and Alerting
- Log all authentication attempts (successful and failed) with timestamps, source IPs, and user agents.
- Alert on unusual patterns: spikes in failed logins, logins from new geographic locations, or logins from known malicious IP ranges.
- Monitor for credential stuffing signatures: high volumes of login attempts with low success rates from distributed IP addresses.
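The detection logic described in these three points, as an added example that is not part of the original article: the log format, the sample lines and the thresholds (5-minute windows, 10 failures per IP, at least 5 IPs and 20 distinct accounts with a success rate of 10% or less for the credential stuffing signature) are all constructed assumptions. The sample log contains ordinary logins, a single IP hammering one account, and a stuffing burst spread over six IPs; the detector reports the per-IP spike and the stuffing pattern separately.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example: one line per authentication attempt.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)


def build_sample_log():
    """Constructed sample log: normal traffic, one single-IP brute force, one stuffing burst."""
    lines = [
        '2024-05-01T09:55:00Z auth ip=192.0.2.10 user=alice result=ok ua="Mozilla/5.0"',
        '2024-05-01T09:56:30Z auth ip=192.0.2.11 user=bob result=fail ua="Mozilla/5.0"',
        '2024-05-01T09:56:45Z auth ip=192.0.2.11 user=bob result=ok ua="Mozilla/5.0"',
    ]
    # One IP hammering the admin account: 12 failures in under a minute.
    for i in range(12):
        lines.append('2024-05-01T10:10:%02dZ auth ip=203.0.113.5 user=admin result=fail '
                     'ua="python-requests/2.31"' % (i * 5))
    # Credential stuffing: six IPs rotate through 30 distinct accounts, one of them succeeds.
    for i in range(30):
        lines.append('2024-05-01T10:20:%02dZ auth ip=198.51.100.%d user=user%02d result=%s '
                     'ua="okhttp/4.9"' % (i, 20 + i % 6, i, "ok" if i == 17 else "fail"))
    return lines


def parse(lines):
    """Turn log lines into event dicts with a datetime 'ts'; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window_minutes=5, ip_fail_threshold=10,
           min_ips=5, min_users=20, max_success_rate=0.1):
    """Return alert dicts for per-IP failure spikes and credential stuffing signatures."""
    alerts = []
    window = timedelta(minutes=window_minutes)

    # 1. Spike in failed logins from one IP (sliding window over that IP's failures).
    #    A reverse brute force (one failure per account, same source) trips this too,
    #    which is why the alert also reports how many distinct accounts were touched.
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails_by_ip[e["ip"]].append(e["ts"])
    for ip, times in sorted(fails_by_ip.items()):
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= ip_fail_threshold:
            users = {e["user"] for e in events if e["ip"] == ip and e["result"] == "fail"}
            alerts.append({"type": "ip_failure_spike", "ip": ip,
                           "failures": best, "distinct_users": len(users)})

    # 2. Credential stuffing signature: within a fixed bucket, many distinct accounts,
    #    many source IPs, and a very low success rate.
    buckets = defaultdict(list)
    for e in events:
        minute = e["ts"].minute - e["ts"].minute % window_minutes
        buckets[e["ts"].replace(minute=minute, second=0)].append(e)
    for start, evs in sorted(buckets.items()):
        ips = {e["ip"] for e in evs}
        users = {e["user"] for e in evs}
        rate = sum(1 for e in evs if e["result"] == "ok") / len(evs)
        if len(ips) >= min_ips and len(users) >= min_users and rate <= max_success_rate:
            alerts.append({"type": "credential_stuffing", "window_start": start.isoformat(),
                           "ips": len(ips), "users": len(users), "success_rate": round(rate, 3)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(build_sample_log())):
        print(alert)
```

The single success inside the stuffing burst is the one that matters operationally: the account `user17` should be flagged for a forced password reset and its session reviewed, because the low-volume-per-IP pattern is exactly what per-IP rate limiting alone would miss.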
Protect Your Applications from Brute Force
Brute force attacks exploit the weakest link in authentication: predictable human behavior around passwords. A multi-layered defense combining a WAF for rate limiting and bot detection, strong password policies, and mandatory two-factor authentication reduces the risk of unauthorized access to near zero. Explore NOC.org's pricing plans to add application-layer protection to your authentication infrastructure.