Brute Force Attack
What is Brute Force Attack?
An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found.
Brute force attacks exhaust a candidate space by trial. Online variants hammer authentication endpoints with guesses, while offline variants run against stolen hashes using GPUs, FPGAs, or rented cloud compute. The feasibility depends on the size of the keyspace, the work factor of any password-hashing algorithm (Argon2, bcrypt, scrypt, PBKDF2), and operational controls like rate limiting and account lockout. Defences include strong, unique credentials, salted memory-hard hashing, MFA, exponential back-off, IP/device throttling, web-application firewalls, and monitoring for anomalous authentication patterns. Cryptographic keys should use sufficiently large sizes (e.g. 256-bit symmetric, 3072-bit RSA or equivalent ECC).
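The following is an added illustration, not code from the glossary page: a small login throttle that implements two of the controls named above (exponential back-off and temporary account lockout, keyed per account and client IP) together with a keyspace feasibility estimate that shows how the work factor of a slow password hash cuts an attacker's guess rate. The class and function names, parameters, and the sample attempt events are all constructed for this example.

```python
"""Added example (not from the glossary): brute-force defence primitives.

- LoginThrottle: per-(account, IP) failure counter with exponential back-off
  and a hard lockout once a failure threshold is reached.
- expected_seconds: expected time to hit the right guess given keyspace size,
  raw guess rate, and the per-guess cost imposed by a slow password hash.
All names, thresholds and sample events are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failed attempts for this key
    blocked_until: float = 0.0 # epoch seconds until which attempts are refused


class LoginThrottle:
    """Exponential back-off plus lockout for repeated authentication failures.

    base_delay:      delay (s) after the first failure; doubles on each further failure
    max_delay:       cap on the back-off delay
    lockout_after:   number of failures that triggers a hard lockout
    lockout_seconds: duration of that lockout
    """

    def __init__(self, base_delay=1.0, max_delay=300.0,
                 lockout_after=10, lockout_seconds=900.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.state = {}  # "account@ip" -> AttemptState

    @staticmethod
    def _key(account, ip):
        return f"{account}@{ip}"

    def check(self, account, ip, now):
        """Return (allowed, seconds_to_wait) before a login attempt is processed."""
        st = self.state.get(self._key(account, ip))
        if st is None or now >= st.blocked_until:
            return True, 0.0
        return False, st.blocked_until - now

    def record(self, account, ip, success, now):
        """Update counters after an attempt that was allowed through check()."""
        key = self._key(account, ip)
        if success:
            self.state.pop(key, None)  # a successful login clears the history
            return
        st = self.state.setdefault(key, AttemptState())
        st.failures += 1
        if st.failures >= self.lockout_after:
            st.blocked_until = now + self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
            st.blocked_until = now + delay


def simulate(events, throttle):
    """Run constructed (time, account, ip, credential_ok) events through the throttle.

    Returns one decision per event: "throttled", "fail" or "success".
    A throttled attempt never reaches credential verification.
    """
    decisions = []
    for now, account, ip, credential_ok in events:
        allowed, _wait = throttle.check(account, ip, now)
        if not allowed:
            decisions.append("throttled")
            continue
        throttle.record(account, ip, credential_ok, now)
        decisions.append("success" if credential_ok else "fail")
    return decisions


def expected_seconds(alphabet_size, length, guesses_per_second, hash_cost_seconds=0.0):
    """Expected time to find the correct value: half the keyspace on average.

    hash_cost_seconds models a memory-hard password hash; each guess costs at
    least that long per core, so the effective rate is capped by 1 / hash_cost.
    """
    keyspace = alphabet_size ** length
    effective_rate = guesses_per_second
    if hash_cost_seconds > 0:
        effective_rate = min(guesses_per_second, 1.0 / hash_cost_seconds)
    return keyspace / 2 / effective_rate


# Constructed sample: one client retrying against "alice", then a second account.
SAMPLE_EVENTS = [
    (0.0, "alice", "203.0.113.7", False),  # first failure -> 1 s back-off
    (0.5, "alice", "203.0.113.7", False),  # inside back-off -> throttled
    (1.5, "alice", "203.0.113.7", False),  # second failure -> 2 s back-off
    (4.0, "alice", "203.0.113.7", False),  # third failure -> 4 s back-off
    (9.0, "alice", "203.0.113.7", True),   # correct credential -> state cleared
    (9.5, "alice", "203.0.113.7", False),  # counter restarts at 1 s
    (9.6, "bob", "203.0.113.7", False),    # different key, not affected
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS, LoginThrottle()))
    print(expected_seconds(95, 8, 1e9), expected_seconds(95, 8, 1e9, hash_cost_seconds=0.25))
```

The second `expected_seconds` call makes the work-factor point from the definition concrete: with a hash costing 0.25 s per guess, a single core is capped at four guesses per second regardless of how fast the raw hardware is, which is why memory-hard hashing matters for the offline case in the same way throttling does for the online one.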
● Examples
1. Hashcat cracking leaked NTLM hashes at billions of guesses per second.
2. An attacker hammering an exposed RDP server with common admin passwords.
● Frequently asked questions
What is Brute Force Attack?
An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found. It belongs to the Attacks & Threats category of cybersecurity.
What does Brute Force Attack mean?
An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found.
How do you defend against Brute Force Attack?
Defences for Brute Force Attack combine technical controls and operational practices: strong, unique credentials; salted, memory-hard password hashing (Argon2, bcrypt, scrypt, PBKDF2); MFA; rate limiting, exponential back-off, account lockout and IP/device throttling; web-application firewalls; sufficiently large cryptographic key sizes; and monitoring for anomalous authentication patterns.
What are other names for Brute Force Attack?
Common alternative names include: Exhaustive search.