What Is a Brute-Force Attack?

A guide to trial-and-error hacking attempts

When it comes to cybersecurity, there are many scary terms that can make you fear for the safety of your data. For example, the term "brute-force attack" sounds incredibly intimidating. In reality, it should be called something like a "very persistent attack."

Here's a look at what a brute-force attack is, how these attacks work, and how to protect yourself and your data from this threat.

Brute-force attacks are sometimes referred to as dictionary attacks, brute-force cracking, custom hardware attacks, or an exhaustive search.

[Image: illustration of a hacker conducting a brute-force attack (Pixabay)]

Brute-Force Attacks Explained

A brute-force attack is an effort to break into a computer system using repeated attempts to force entry. Usually, this means trying to "guess" a password by trying different words or combinations of words systematically. This is why brute-force attacks are also commonly called "dictionary attacks."

With a brute-force attack, the cybercriminal is betting the target computer or system is secured with a common password or a simple set of words. If the password is simple to guess, it won't take long for the attacker's computer to enter the right password.

Brute-force attacks try to crack passwords, passphrases, usernames, or personal identification numbers (PINs).

How a Brute-Force Attack Works

A brute-force attack usually starts with a gigantic word list. These lists come from many sources, but the most popular ones are lists of common passwords recovered from other hacks. These lists can have tens or even hundreds of thousands of words in them.

The attacker will then use a script or program to go through the list, trying each word or a combination of words as the password. They'll do the same with usernames, as well.

[Image: Hydra brute-force tool on Kali Linux]

When a password attempt succeeds, the software will report its success back to the hacker. From there, the hacker can sign in normally using the newly discovered username and password.

Depending on how they want to proceed, an attacker can control the number of password-cracking attempts and their timing. While it's entirely possible to bombard a server with rapid-fire attempts, that's usually an obvious sign of an attack, and it might even crash the system. Instead, an attacker might space out the login attempts to give a more natural appearance, in the hopes of going undetected.

After passwords and login credentials have been stolen, the hacker might directly access the computer or system, sell the credentials to a third party, pose as the user to send phishing links, deface the website, or redirect a site to a malicious site.

Protecting Yourself From Brute-Force Attacks

Brute-force attacks are among the simplest possible hacks. Most of the time, they're nothing more than an attacker automating password guessing with a program that enters words from a list systematically. As a result, the best way to protect yourself is to choose a secure passphrase.

The word lists attackers employ usually come from commonly used passwords and simple words straight out of the dictionary. Choosing combinations of words in a passphrase, and including one or more less common words, is a great idea. Throw in numbers and a few special characters to make it stronger still.

A passphrase made of three or more words, three or more numbers, and at least two special characters would be fairly difficult for most brute-force attacks to guess.

[Image: QtPass password manager with a random password]

You can also use password managers to store randomly generated passwords. The more characters in your password, the longer it will take a brute-force attack to guess. Plus, random characters can't be cracked with a dictionary.

Passwords with random characters can still be broken by a different kind of brute-force attack, one that tries every possible combination of characters rather than words from a list. However, these attacks are less common, because they require far more computing power, and every extra character multiplies the work.

Some programs can forgo passwords altogether in favor of cryptographic keys. These keys are uniquely generated and shared between your computer and the system or server you're logging into, so you can log in automatically with the key, while anyone without it is immediately denied.

Finally, you can impose limits on login attempts. There are plenty of ways to do this, depending on the program or system you're trying to secure, but many have options to lock an account after a certain number of failed attempts. Some may even have the option to automatically block an IP address after a number of failed logins from it.
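As an added example (not from the article or any particular product), here is how those last two protections, a per-account lockout and a per-address block after a set number of failures inside a sliding time window, can be implemented in Python; the thresholds, addresses and log lines are all constructed.

```python
# Added example: lock an account after repeated failures and block a source
# address that keeps failing, counting only failures inside a sliding window.
# Thresholds, addresses and the sample log are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCOUNT_LOCK_AFTER = 5           # failures per username inside WINDOW
IP_BLOCK_AFTER = 20              # failures per source address inside WINDOW
WINDOW = timedelta(minutes=10)   # sliding window; older failures are forgotten

class LoginGuard:
    def __init__(self):
        self._fails = defaultdict(deque)   # (kind, key) -> failure timestamps

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        return len(q)

    def decide(self, now, ip, user):
        """Called before the password is checked: 'allow', 'locked' or 'blocked'."""
        if self._recent(("ip", ip), now) >= IP_BLOCK_AFTER:
            return "blocked"
        if self._recent(("user", user), now) >= ACCOUNT_LOCK_AFTER:
            return "locked"
        return "allow"

    def record(self, now, ip, user, success):
        if success:
            self._fails[("user", user)].clear()   # a real login resets the count
        else:
            self._fails[("ip", ip)].append(now)
            self._fails[("user", user)].append(now)

def replay(lines):
    """Feed 'ISO-time ip user OK|FAIL' log lines through the guard; return verdicts."""
    guard, out = LoginGuard(), []
    for line in lines:
        ts, ip, user, result = line.split()
        now = datetime.fromisoformat(ts)
        verdict = guard.decide(now, ip, user)
        if verdict == "allow":                 # only allowed attempts reach the password check
            guard.record(now, ip, user, result == "OK")
        out.append(verdict)
    return out

def sample_log():
    """Constructed log: one address hammers 'alice', then sprays other names."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 alice FAIL" for i in range(6)]
    lines.append(f"{(t0 + timedelta(seconds=6)).isoformat()} 198.51.100.2 alice OK")
    lines += [f"{(t0 + timedelta(seconds=10 + i)).isoformat()} 203.0.113.7 user{i} FAIL" for i in range(16)]
    return lines
```

Note that the genuine login for alice from a second address is refused too, which is the trade-off of account lockout and why lockouts are usually temporary; the window also shows why attempts spaced out over a long period, as the article describes, slip past a simple counter unless the window is long enough.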