What is a Brute Force Attack?

A brute force attack is a type of cyber attack that uses software to “guess” credentials. Through trial and error, brute force attackers input dictionary words, phrases, commonly used passwords or specific letter and number combinations until they find a match. Brute force attacks are surprisingly effective given that 56% of people reuse passwords. Reusing passwords is a dangerous and common practice, as all it takes is the compromise of one reused password to expose an entire system or group of credentials.

Types of Brute Force Attacks

Simple brute force attacks

Simple brute force attacks

Simple brute force attacks use trial and error to try different combinations to guess login credentials. The attacker will use a high-powered computer to try every letter, number and symbol combination they can. While this may seem inefficient, some computers can process trillions of combinations at once.

Dictionary attacks

Dictionary attacks

Dictionary attacks leverage simple dictionary words or phrases to crack user credentials. It’s advisable to use no words or phrases you can find in a dictionary, because a dictionary brute force attack may pick up on them and crack the password.

Hybrid brute force attacks

Hybrid brute force attacks

Using external logic, an attacker uses software to guess which passwords will have the most success and then uses brute force to apply every combination.

Reverse brute force attacks

Reverse brute force attacks

This method depends on well-known passwords. Lists of common passwords are easy to find online. Here's a list of 10,000. A reverse brute force attack uses a list like this to input these common passwords into multiple accounts, hoping for a match.

Credential Stuffing

Credential Stuffing

Credential stuffing is one of the most effective brute force methods. Lists with previously breached passwords can be bought on the dark web, and cybercriminals use them to “stuff” credentials into dozens of websites to see if there’s a match.

Often, users don’t change passwords on all of their accounts, even if they’ve been previously breached.

How To Prevent Brute Force Attacks

Ensure your passwords are strong and unique

By ensuring that you use strong, unique passwords for all your accounts, you’re making it more difficult for a cybercriminal to guess your passwords. Make sure you’re always using complex passwords that include letters, numbers and symbols and are at least 16 characters long. The more long and complex a password is, the better.

You can use a password generator tool to help you generate strong, unique passwords for all of your accounts.

Remove inactive accounts

When an employee exits a company, it’s important to remove their account entirely to avoid unauthorized logins. Even if an employee’s account is deactivated, it still acts as a potential point of entry for cybercriminals. Inactive accounts should be terminated as soon as possible and their credentials wiped from the system.

Limit login attempts

Brute force attacks depend on multiple login attempts. Brute force hacking is much less effective when it can only make a limited number of attempts. Three login attempts is a good starting point. It’s enough to leave room for someone who’s genuinely mistaken their login information and low enough to lock out potential threat actors before they guess the password. After three failed attempts, lock the account entirely and require a system administrator to restore access after verifying the user’s identity.

Enable MFA on accounts

Multi-Factor Authentication (MFA) can be the saving grace in a brute force attack. When a password is used from a strange or unrecognized device, it triggers an extra authentication step. This can involve a text or email verification link, a biometric challenge or some other method. This adds an extra layer of protection to your accounts.

Throttle logins

You can also slow down login attempts, requiring a countdown between failed logins. Combined with a login limit, this method can stop a brute force attack after three tries and limits how quickly the cybercriminal can input information. This helps signal the administrator of suspicious activity as well.

Use automated tools

You can prevent brute force attacks with sophisticated automated tools. Businesses are already taking on brute force attacks and other malware threats using these tools. As threat detection becomes more sophisticated, it is increasingly using AI technology to detect, prevent and remove threats before they can cause damage.

Bot protection can help monitor web traffic for suspicious activity and lock out users when an attack is suspected. Bots can also predict suspicious activity such as multiple login attempts and alert the victim before an attack is completed.

Brute force attacks are simple, but often effective, especially if the individual or business doesn't have the right protections in place.

Stay Clear of Brute Force Attacks With a Password Manager

Password managers like Keeper® can help prevent brute force attacks by aiding users in generating strong passwords and securely storing them. Users will no longer have to rely on themselves to create their passwords, which means no more weak or repeated passwords being used for online accounts.

Password managers aid both individuals and businesses in securing their online accounts – see for yourself by starting a free trial.

English (UK) Call Us