What is a Brute Force Attack?
A brute force attack is a hacking method where an attacker systematically tries every possible combination of a password or encryption key until the correct one is found.
It’s called “brute force” because it relies on sheer computing power, not clever techniques. Given enough time and resources, any password can theoretically be cracked this way — which is why password length and complexity matter so much.
How Brute Force Attacks Work
Here’s how a typical brute force attack works:
Step 1
The attacker targets a system or account.
Step 2
The tool generates and tries a combination.
Step 3
The system checks if the combination is correct.
Step 4
If correct, access is granted. If not, the tool goes back to Step 2 with the next candidate and repeats until the space is exhausted.
Without any rate limiting or lockout mechanism, an attacker can run this fully automated and walk away while the computer does the work. When the target is a live login form, those server-side controls (rate limits, lockouts, CAPTCHAs) are what slow the attack down. When the attacker has already stolen a database of password hashes, the check in Step 3 runs on their own hardware instead (an offline attack), so no lockout applies and the only brake is how expensive the hash function is to compute.
Types of Brute Force Attacks
Attackers use different brute force methods depending on the target.
Simple Brute Force
Tries every possible combination one by one. Slowest but most thorough.
Dictionary Attack
Uses a list of common passwords and words. Fast but misses random passwords.
Hybrid Attack
Combines dictionary words with numbers/symbols (e.g. sunshine1, password!2).
Reverse Brute Force
Uses a known common password and tries it against many usernames (also called password spraying). Because each account sees only one or two attempts, it slips under per-account lockout thresholds that would stop a simple brute force.
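The four attack types as candidate generators feeding one shared check loop, written in Python as an added example (not code from the original page). The leaked hash, the wordlist and the user table are constructed here; the stored format is assumed to be an unsalted SHA-256 digest, standing in for a leaked database.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


def sha256_hex(pw: str) -> str:
    """Assumed storage format: unsalted SHA-256, i.e. a fast hash with no per-user salt."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample: what the attacker holds after a database leak (the digest only).
LEAKED_HASH = sha256_hex("sunshine1")

# Constructed stand-in for a 'top 10,000' wordlist.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein"]


def simple_brute_force(alphabet: str, length: int) -> Iterator[str]:
    """Exhaustive: every string of exactly `length` over `alphabet`, in order (aaaa, aaab, ...)."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def dictionary(words: Iterable[str]) -> Iterator[str]:
    """Each wordlist entry exactly as listed."""
    yield from words


def hybrid(words: Iterable[str],
           suffixes: Iterable[str] = ("1", "!", "123", "!2", "2024")) -> Iterator[str]:
    """Dictionary words with common mangling: the word, its capitalised form, and each with a suffix."""
    suffixes = tuple(suffixes)
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for suffix in suffixes:
                yield base + suffix


def crack(target_hash: str, candidates: Iterable[str],
          limit: int = 10_000_000) -> Tuple[Optional[str], int]:
    """Steps 2-4 of the page: hash each candidate, compare, stop at the first match.
    Returns (password, attempts), or (None, attempts) when the candidates run out or `limit` is hit."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
        if attempts >= limit:
            break
    return None, attempts


def reverse_brute_force(password: str, accounts: Dict[str, str]) -> List[str]:
    """One password against many usernames (password spraying). `accounts` maps
    username -> stored hash; returns the usernames whose password matches.
    With an unsalted hash the password is hashed once and compared to every row."""
    digest = sha256_hex(password)
    return [user for user, stored in accounts.items() if stored == digest]


if __name__ == "__main__":
    print("dictionary:", crack(LEAKED_HASH, dictionary(WORDLIST)))   # (None, 5): not in the list as-is
    print("hybrid:    ", crack(LEAKED_HASH, hybrid(WORDLIST)))       # ('sunshine1', 38)
    print("simple:    ", crack(LEAKED_HASH,
                               simple_brute_force(string.ascii_lowercase + string.digits, 4),
                               limit=100_000))                      # (None, 100000): a 9-char password is out of reach here
    # Constructed user table: two of three accounts share a common password.
    accounts = {"alice": sha256_hex("Tr0ub4dor&3"),
                "bob": sha256_hex("123456"),
                "carol": sha256_hex("123456")}
    print("reverse:   ", reverse_brute_force("123456", accounts))    # ['bob', 'carol']
```

The dictionary pass fails because the wordlist holds `sunshine`, not `sunshine1`; the hybrid pass finds it on the 38th guess, while an exhaustive search of a 9-character password over 36 symbols would need up to 36⁹ guesses. The spraying function shows why one hash computation per password is enough when the store is unsalted.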
Brute Force Attack Example
Say a password is 4 characters long using only lowercase letters (a–z). That’s 26⁴ = 456,976 possible combinations.
| Attempt | Password Tried | Result |
|---|---|---|
| 1 | aaaa | Incorrect |
| 2 | aaab | Incorrect |
| … | … | … |
| 456,976 | zzzz | ✅ Success (worst case: the last candidate) |
In the worst case the correct password is the last one tried; on average it turns up about halfway through. Add uppercase + numbers + symbols and the space grows to 94⁴ = 78,074,896 combinations, but even that falls in under a second. Each extra character multiplies the count by the alphabet size, while a bigger alphabet only raises the base, which is why length matters far more than character variety alone.
How Long Does a Brute Force Attack Take?
| Password Strength | Example | Keyspace | Worst-Case Time to Search It |
|---|---|---|---|
| 4 chars, lowercase | abcd | 26⁴ ≈ 4.6 × 10⁵ | ⚠️ Less than 1 second |
| 8 chars, mixed (94-symbol set) | Abc@1234 | 94⁸ ≈ 6.1 × 10¹⁵ | ⚠️ ~17 hours |
| 12 chars, mixed | Abc@12345678 | 94¹² ≈ 4.8 × 10²³ | ✅ ~150,000 years |
| 16 chars, mixed | Abc@1234567890Ab | 94¹⁶ ≈ 3.7 × 10³¹ | ✅ ~10¹³ years |
These figures assume the attacker searches the whole keyspace at 10¹¹ guesses per second, roughly what a single high-end GPU manages against a fast, unsalted hash such as MD5 or NTLM (an assumed rate: a multi-GPU rig is faster, and a slow salted hash like bcrypt or Argon2 cuts the rate by several orders of magnitude). On average the password is found about halfway through. Online login forms with rate limiting allow perhaps a few guesses per second, so the same keyspaces take far longer there. Note also that the example strings in the table are predictable patterns; a dictionary or hybrid attack would try them long before a blind search reached them.
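The arithmetic behind the keyspace and time figures, as an added Python example (not code from the original page): it computes the keyspace for each password class, the worst-case search time at an assumed 10¹¹ guesses per second, and, without running the search, the attempt at which an in-order brute force reaches a given password (its rank in lexicographic order, matching the attempt numbers in the 4-character table above). The rate constant and the 94-symbol set are assumptions.

```python
import string
from typing import List, Optional, Tuple

# Assumed attacker speed: 10**11 guesses/s, about one high-end GPU against a fast unsalted hash.
GUESSES_PER_SECOND = 10**11

# Assumed "mixed" character set: letters, digits and the 32 printable ASCII punctuation marks (94 symbols).
MIXED_94 = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def worst_case_seconds(combinations: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; the average case is roughly half of this."""
    return combinations / rate


def average_attempts(combinations: int) -> float:
    """Expected number of guesses when the password is uniformly placed in the space."""
    return (combinations + 1) / 2


def human_time(seconds: float) -> str:
    """Coarse wording for a table cell."""
    minute, hour, day, year = 60, 3600, 86400, 365.25 * 86400
    if seconds < 1:
        return "under a second"
    if seconds < hour:
        return f"{seconds / minute:.0f} minutes"
    if seconds < day:
        return f"{seconds / hour:.0f} hours"
    if seconds < year:
        return f"{seconds / day:.0f} days"
    return f"{seconds / year:,.0f} years"


def crack_time_table() -> List[Tuple[str, int, str]]:
    """Rows of (label, keyspace, worst-case time) for the four password classes discussed."""
    classes = [("4 chars, lowercase", 26, 4), ("8 chars, mixed", 94, 8),
               ("12 chars, mixed", 94, 12), ("16 chars, mixed", 94, 16)]
    return [(label, keyspace(a, n), human_time(worst_case_seconds(keyspace(a, n))))
            for label, a, n in classes]


def attempt_number(password: str, alphabet: str = string.ascii_lowercase) -> int:
    """1-based position of `password` in an in-order enumeration of all strings of its
    length over `alphabet` (aaaa -> 1, aaab -> 2, zzzz -> 26**4): the number of guesses a
    simple brute force of that exact length needs. Raises ValueError for characters
    outside the alphabet, since such a password is never reached at all."""
    base = len(alphabet)
    rank = 0
    for ch in password:
        rank = rank * base + alphabet.index(ch)
    return rank + 1


if __name__ == "__main__":
    for label, size, when in crack_time_table():
        print(f"{label:<20} {size:,} candidates  worst case {when}")
    print(attempt_number("abcd"))            # 732
    print(attempt_number("zzzz"))            # 456976
    print(attempt_number("Abc@1234", MIXED_94))
```

Changing `GUESSES_PER_SECOND` to a rate-limited online figure (say 10 per second) or to a slow-hash figure is the quickest way to see that the keyspace, not the hardware, is what separates hours from geological time.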
How to Protect Yourself
- Use long passwords — 16+ characters is the modern baseline; length is the exponent of the search space, so each added character multiplies the attacker's work by the alphabet size
- Include all character types — enlarges the alphabet (the base of the search space), which helps, but far less than added length does
- Enable Two-Factor Authentication — even a correct password is useless without the second factor
- Use a password manager — generates and stores random passwords
- Never use passwords from common 'top 10,000' lists — tried first in dictionary attacks
- Never reuse passwords across services — credential stuffing exploits reuse
- Never assume length alone is enough if the password is predictable — a long string built from common words, dates or keyboard patterns is exactly what dictionary and hybrid attacks try first
- Never use publicly known personal info (birthday, name, phone)
Real-World Examples
- 2009
RockYou breach — 32M plaintext passwords leaked
Exposed how common passwords like '123456' and 'password' were globally.
- 2012
LinkedIn — 117M credentials stolen, stored as unsalted SHA-1 hashes (the full set only surfaced in 2016)
Because the hashes were unsalted and fast to compute, each guess could be checked against every account at once, and many passwords were simple enough to crack in seconds using offline brute force.
- ongoing
SSH servers — thousands of attempts daily
Internet-facing servers receive automated brute force login attempts continuously.
These are not edge cases — brute force is one of the most common attack methods because it requires no skill, just computation.
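Detection for the SSH case, as an added Python example (not code from the original page): it parses constructed sshd log lines in syslog format, using documentation-range IP addresses, and flags any source that fails five or more logins within sixty seconds. It also lists the distinct usernames each source tried, which separates a single account being hammered from one password being sprayed across many accounts. The threshold, the window and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: OpenSSH authentication failures as written to a syslog-style auth log.
# 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:04 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.5 port 51238 ssh2
Mar  3 10:00:06 host sshd[1206]: Failed password for invalid user pi from 203.0.113.5 port 51239 ssh2
Mar  3 10:00:30 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:41 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:05:00 host sshd[1220]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, source ip, username) for each failed password attempt.
    Syslog timestamps carry no year, so strptime fills in 1900; only differences matter here."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue   # successful logins and unrelated lines are ignored
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events: List[Tuple[datetime, str, str]],
                      threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Per source IP: total failures, distinct usernames tried, and whether any
    `threshold` failures fell inside a `window_s`-second sliding window."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        burst, start = False, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1   # slide the window forward until it spans at most window_s
            if end - start + 1 >= threshold:
                burst = True
                break
        findings[ip] = {"failures": len(attempts),
                        "users": sorted({u for _, u in attempts}),
                        "burst": burst}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        flag = "BRUTE FORCE" if info["burst"] else "ok"
        print(f"{ip:<15} {info['failures']:>3} failures  users={info['users']}  {flag}")
```

A source that cycles through `admin`, `oracle`, `root`, `test`, `ubuntu` and `pi` in six seconds is the reverse pattern from the types section (many usernames, few passwords each), so per-account lockout would never trip; counting per source IP is what catches it. The single failure from the second address followed by an accepted key login is ordinary user behaviour and is not flagged.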