What Is a Brute Force Attack?

A guide to trial-and-error hacking attempts

Lock graphic over a background of code.


When it comes to cybersecurity, a lot of terms get kicked around, and most of them don’t make much sense until you know what they are. If you’ve heard the term “Brute force attack,” it might sound much more intimidating than it actually is.

Brute Force Attacks Explained

A brute force attack is any attempt to break into a computer system using repeated attempts to force entry. Usually, this means trying to “guess” a password by repeatedly trying different words or combinations of words. That’s why brute force attacks are also commonly called “Dictionary attacks.”


With a brute force attack, the attacker is betting the target computer or system is secured with a common password or a simple set of words. If the password is simple to guess, it won’t take long for the attacker’s computer to enter the right password.

How a Brute Force Attack Works

A brute force attack usually starts with a gigantic word list. These lists come from a bunch of sources, but the most common ones are lists of common passwords recovered from other hacks. These lists can have tens or even hundreds of thousands of words in them.

The attacker will then use a program to go through the list, trying each word or a combination of them as the password. They’ll do the same with usernames, too.

Hydra brute force tool on Kali Linux

When one succeeds, the software will report back to the hacker that it worked. From there, they can sign in normally using the discovered username and password.

Depending on how they want to go about it, an attacker can control the number of attempts and timing. While it’s entirely possible to bombard a server with rapid-fire attempts, that’s usually an obvious sign of an attack, and it might even crash the system. Instead, an attacker might space out the login attempts to give a more natural appearance, in the hopes of going undetected.

Protecting Yourself From Brute Force Attacks

Brute force attacks are among the simplest possible hacks. Most of the time, they’re nothing more than an attacker automating the process of guessing your password using a program to automatically enter guesses. As a result, the best way to protect yourself is to choose a secure passphrase.

Remember the word lists attackers use usually come from commonly used passwords and simple words straight out of the dictionary. Choosing combinations of words in a phrase and including one or more less common words is a great idea. Throw in numbers and a few special characters to really bring it to a strong standard.

A passphrase made of three or more words, three more numbers, and at least two special characters would be fairly difficult for most brute force attacks to guess.

QtPass password manager with random password

You can also use password managers to store randomly generated passwords. The more characters in your password, the longer it would take a brute force attack to guess. Plus, random characters can’t be cracked with a dictionary.

Passwords with random characters can be broken with a different kind of brute force attack that actually tests different combinations of characters. However, these are less common, because they require much more computing power to run.

Some programs can forego passwords altogether in favor of cryptographic keys. These keys are uniquely generated and shared between your computer and the system or server you’re logging into. You can log in automatically with the key, but anyone else is immediately denied.

Finally, you can impose limits on login attempts. There are plenty of ways to do this, depending on the program or system you’re trying to secure, but many have options to block login attempts after a certain number of failed ones. Some may even have the option to automatically block certain IP addresses after a number of failed logins.