Brute Force Attack

A brute force attack is not high-level cyberespionage. A hacker guesses the password to an account until s/he finds the right one. This trial-and-error approach is surprisingly effective. As with all cybersecurity vulnerabilities, understanding how brute force attacks work can help you avoid falling victim to one.

Here are the main forms of brute force attack. 

    1. Simple brute force attacks: Trying random combinations of numbers, letters and symbols may seem like a daunting task, but a computer can easily try tens of thousands of combinations per second. Password cracking tools are programmed to run until they hit a match–and they are available for free online.

      This approach can be defended against. Depending on the length and complexity of the password, a password cracking tool could take anywhere from seconds to years to gain access. Hackers target an organization’s password rules to narrow down the possibilities: for instance, if a password must be exactly six characters and include at least one number, that narrows the search.

      This is the reason many websites and apps require a mixture of capital and lowercase letters, special characters, and numbers: it takes significantly longer for simple brute force attacks to find the correct password when there are more possible combinations.
    2. Dictionary attacks: A more sophisticated version of a brute force attack, in which the password cracking program uses known words, phrases and common passwords to access an account rather than trying every possible symbol combination.

      It is effective because so many users practice poor password hygiene: “password”, “asd123”, “qwerty”, etc.
      The lesson: Don’t use passwords that make this possible.

    3. Hybrid brute force attacks: Although the most commonly used and breached passwords are pretty straightforward (123456 has been the most popular for several years), slightly more security-minded people will often add a few numbers or characters at the end or beginning of a password.

      While “password497?” would take a little longer for a simple brute force attack to find than “password”, and the “497?” at the end would be enough to block some dictionary attacks, hackers and password cracking programs often combine these approaches to conduct a hybrid brute force attack. This method combines dictionary terms with random characters, e.g. “password1”, “password2”, “password3”, until it finds a match.

How to Protect Against Brute Force Attacks

There’s no silver bullet for cybersecurity. The best defense is to make yourself a more difficult target for hackers. 

The following best practices may help protect your accounts:

      • Use unique and hard-to-guess passwords: The brute force method relies on sloppy password security. A recent article from NordVPN on the most common passwords of 2020 illustrates this: “123456” (used in more than 23 million breaches) takes less than a second to crack. “qqww1122” (122,000 breaches) takes 52 minutes. Go for something long, easy to remember and completely unrelated to the names of your pets, kids, parents, street addresses, favorite sports teams, etc. 
      • Enable 2-factor authentication: 2-factor authentication, or 2FA, adds an extra layer of security. Typically, your login and password will trigger a text message or email that provides a numerical code needed to complete the login process. This isn’t foolproof, but it does mean that a leaked or compromised password can’t be used as a skeleton key to accounts with 2FA enabled.
      • Vet your technology providers: Network and systems administrators can effectively block brute force attacks with simple settings that are not always in place. Before you start trusting an online app or service with your personal information, find out how they support users who have been breached. It’s also important to learn if they have been breached recently, and if they offer 2-factor authentication. 
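As an added worked example (not part of the original article), the following Python estimates how many candidates a simple brute force attack must cover under a given password rule, using an inclusion-exclusion count for “at least one character from each required class”, and compares the worst-case time at an assumed offline cracking rate against an assumed throttled login endpoint, which is the kind of administrator setting the section above alludes to. The character-class sizes and both guess rates are constructed assumptions, and the count applies only to random passwords; a dictionary attack skips the keyspace entirely, which is why “123456” falls in under a second regardless of policy.

```python
from itertools import combinations

# Character-class sizes for a printable-ASCII password alphabet
# (constructed for this example; 32 symbols = printable ASCII punctuation).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())  # 94

def keyspace(length, required=()):
    """Count passwords of exactly `length` characters drawn from the whole
    alphabet that contain at least one character from every class named in
    `required`.  Inclusion-exclusion: subtract strings missing one required
    class, add back those missing two, and so on."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total

def keyspace_up_to(max_length, required=()):
    """Keyspace over every length from 1 to `max_length`, i.e. what an
    attacker must cover when the policy states only a maximum length."""
    return sum(keyspace(n, required) for n in range(1, max_length + 1))

def worst_case_seconds(space, guesses_per_second):
    """Time to try every candidate at a given guess rate."""
    return space / guesses_per_second

def describe(seconds):
    """Human-readable duration for the demonstration output."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"

if __name__ == "__main__":
    OFFLINE = 10_000_000_000   # assumed: offline hash cracking at 1e10 guesses/s
    ONLINE = 10 / 60           # assumed: login endpoint throttled to 10 tries/minute
    policies = [
        ("any 1-6 chars", keyspace_up_to(6)),
        ("exactly 6 chars, >=1 digit", keyspace(6, ("digit",))),
        ("exactly 6, >=1 digit/upper/symbol", keyspace(6, ("digit", "upper", "symbol"))),
        ("any 1-12 chars", keyspace_up_to(12)),
    ]
    for name, space in policies:
        print(f"{name:36} {space:>26,}  offline {describe(worst_case_seconds(space, OFFLINE)):>16}"
              f"  online {describe(worst_case_seconds(space, ONLINE))}")
```

The “exactly 6 chars, >=1 digit” row comes out smaller than “any 1-6 chars”, which is the narrowing effect the article describes; the online column shows why throttling failed logins matters far more than a few extra symbol classes.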

Takeaways:

      1. Brute force attacks are common and rely on bad password management. 
      2. You may be able to avoid getting hacked by a brute force attack by enabling two-factor authentication, and by choosing unique, hard-to-guess passwords.