What Is a Brute-Force Attack?

A guide to trial-and-error hacking attempts

When it comes to cybersecurity, there are many scary terms that can make you fear for the safety of your data. For example, the term brute-force attack sounds intimidating. In reality, it should be called something like a very persistent attack.

Here's a look at what a brute-force attack is, how it works, and how to protect yourself and your data from this threat.

Brute-force attacks are sometimes referred to as dictionary attacks, brute-force cracking, custom hardware attacks, or exhaustive searches.

A hacker in a dark robe conducting a brute-force attack (image: Pixabay)

Brute-Force Attacks Explained

A brute-force attack is an effort to break into a computer system using repeated attempts to force entry. Usually, this means guessing a password by trying different words or combinations of words systematically. This is why brute-force attacks are also commonly called dictionary attacks.

With a brute-force attack, the cybercriminal is betting the target computer or system is secured with a common password or a simple set of words. If the password is simple to guess, it won't take long for the attacker's computer to enter the right password.

Brute-force attacks try to crack passwords, passphrases, usernames, or personal identification numbers (PINs).

How a Brute-Force Attack Works

A brute-force attack usually starts with a gigantic word list. These lists come from many sources, but the most popular ones are lists of common passwords recovered from other hacks. These lists can contain tens or even hundreds of thousands of words.

The attacker then uses a script or program to go through the list, trying each word or combination of words as the password. They do the same with usernames.

Hydra brute force tool on Kali Linux

When a password attempt succeeds, the software reports its success to the hacker. From there, the hacker can sign in normally using the newly discovered username and password.

Depending on how they want to proceed, an attacker can control the number of password-cracking attempts and the timing of these attempts. While it's possible to bombard a server with rapid-fire attempts, that's usually an obvious sign of an attack, and it might crash the system. Instead, an attacker might space out the login attempts to give a more natural appearance in the hopes of going undetected.

After passwords and login credentials have been stolen, the hacker might access the computer or system, sell the credentials to a third party, pose as the user to send phishing links, deface the website, or redirect a site to a malicious site.

Protect Yourself From Brute-Force Attacks

Brute-force attacks are among the simplest possible hacks. Most of the time, they amount to nothing more than an attacker using a program to guess your password automatically, entering words from a list one after another. As a result, the best way to protect yourself is to choose a secure passphrase.

The word lists attackers employ usually come from commonly used passwords and simple words in the dictionary. Choosing combinations of words in a passphrase, and including one or more less-common words, is a great idea. Throw in numbers and a few special characters to create a strong password.

A passphrase made of three or more words, three numbers, and at least two special characters would be fairly difficult for most brute-force attacks to guess.

QtPass password manager with random password

You can also use password managers to store randomly generated passwords. The more characters in a password, the longer it takes a brute-force attack to guess. Plus, random characters can't be cracked with a dictionary.

Passwords with random characters can be broken with a different kind of brute-force attack that tests different combinations of characters. However, these are less common because these attacks require more computing power.

Some programs can forgo passwords in favor of cryptographic keys. These keys are uniquely generated and shared between your computer and the system or server you're logging in to. You can log in automatically with the key, but anyone else is immediately denied.

Finally, you can impose limits on login attempts. There are plenty of ways to do this, depending on the program or system you're trying to secure. Many have options to block login attempts after a certain number of failed ones. Some may automatically block certain IP addresses after a number of failed logins.
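A sketch of the login-attempt limit described above, as an added example that is not from this article: it locks an account after a set number of failed attempts and blocks a source IP after a larger number, counting over a sliding window so that the spaced-out attempts mentioned earlier still accumulate. The class and function names, the thresholds, and the sample events (with documentation-range IP addresses) are all constructed for the illustration.

```python
# Failed-login limiter: lock an account after ACCOUNT_LIMIT failures and block a source
# IP after IP_LIMIT failures, counted over a sliding window so slow guessing still adds up.
from collections import defaultdict, deque

ACCOUNT_LIMIT = 5         # failures per account within the window before lockout
IP_LIMIT = 8              # failures per source IP within the window before blocking
WINDOW_SECONDS = 15 * 60  # attempts older than this no longer count

class LoginLimiter:
    def __init__(self, account_limit=ACCOUNT_LIMIT, ip_limit=IP_LIMIT, window=WINDOW_SECONDS):
        self.account_limit, self.ip_limit, self.window = account_limit, ip_limit, window
        self._account_failures = defaultdict(deque)  # username -> failure timestamps
        self._ip_failures = defaultdict(deque)       # source IP -> failure timestamps

    def _recent(self, history, now):
        while history and now - history[0] > self.window:  # drop expired entries
            history.popleft()
        return len(history)

    def is_blocked(self, username, ip, now):
        return (self._recent(self._account_failures[username], now) >= self.account_limit
                or self._recent(self._ip_failures[ip], now) >= self.ip_limit)

    def record_failure(self, username, ip, now):
        self._account_failures[username].append(now)
        self._ip_failures[ip].append(now)

def replay(events, limiter=None):
    """Feed (timestamp_seconds, source_ip, username, password_correct) events through the
    limiter and return each decision. Blocked attempts are refused before the password
    is checked, so a lucky guess during a lockout reveals nothing."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for ts, ip, user, correct in events:
        if limiter.is_blocked(user, ip, ts):
            decisions.append("blocked")
        elif correct:
            decisions.append("allowed")
        else:
            limiter.record_failure(user, ip, ts)
            decisions.append("failed")
    return decisions

# Constructed sample: one IP guesses alice's password once a minute (spaced out to
# look natural), then the real user signs in from elsewhere while the lockout holds.
SAMPLE_EVENTS = [(60 * i, "203.0.113.5", "alice", False) for i in range(6)] + [
    (400, "203.0.113.5", "alice", True),   # attacker's correct guess: still blocked
    (410, "198.51.100.7", "alice", True),  # legitimate user: locked out too (the trade-off)
    (420, "198.51.100.7", "bob", True),    # another account from that IP: allowed
]
```

The sample shows the cost of a pure account lockout: the legitimate user is refused along with the attacker, which is why real systems pair a short window with per-IP limits rather than relying on account lockout alone.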