Brute Force Attack

What Is a Brute Force Attack

A brute force attack is an attack method that tries every possible combination of passwords or encryption keys one by one to find the correct one. True to its name ("brute force"), it's a primitive but reliable method that relies on computational power rather than intelligent guessing.

In theory, any password can be cracked given enough time and computing resources, but the time required increases exponentially with password length and complexity. With modern GPUs, an 8-character alphanumeric password can be cracked in hours, but random passwords of 12 or more characters are impractical to crack within a realistic timeframe.

Password Length and Estimated Cracking Times

Here are estimated cracking times based on password character set and length (estimates using modern GPU clusters).

  • 6 characters (lowercase only): Within seconds
  • 8 characters (upper + lowercase + digits): About 1 hour
  • 8 characters (upper + lowercase + digits + symbols): About 8 hours
  • 10 characters (upper + lowercase + digits + symbols): About 5 years
  • 12 characters (upper + lowercase + digits + symbols): About 34,000 years
  • 16 characters (upper + lowercase + digits + symbols): Virtually impossible to crack

These figures are for pure brute force. When combined with dictionary attacks or rule-based attacks, words found in dictionaries and common patterns (appending numbers, capitalizing the first letter, etc.) are cracked orders of magnitude faster. Using random strings generated by a password manager is the best defense.

Brute Force Variants

Beyond pure brute force, there are more efficient variant techniques.

  • Dictionary Attack: Prioritizes trying dictionary words and commonly used passwords. Frequently used passwords like "password," "123456," and "qwerty" are cracked instantly
  • Rule-Based Attack: Applies transformation rules to dictionary words (capitalize first letter, append numbers, replace l with 1, etc.). Effective against patterns like "Password1" or "p@ssw0rd"
  • Rainbow Table Attack: Uses pre-computed hash tables to reverse-lookup passwords from hash values. Ineffective against hashes that use salt (random additional data)
  • Reverse Brute Force: Tries a single password (e.g., "123456") against a large number of accounts. Similar to credential stuffing but uses guessed passwords rather than leaked data

Effective Defenses

Defense against brute force attacks requires measures on both the user and system sides.

User Side

  • Random Passwords of 12+ Characters: Use random strings including upper and lowercase letters, digits, and symbols generated by a password manager
  • Enable Two-Factor Authentication: Even if a password is cracked, the second authentication factor can block unauthorized login
  • Use Passphrases: A passphrase combining 4-5 random words (e.g., "correct horse battery staple") is easy to remember while ensuring sufficient length

System Side

  • Account Lockout: Temporarily lock accounts after a certain number of failed login attempts. However, since an attacker can deliberately trigger lockouts to deny legitimate users access (a DoS), a design that progressively extends the lockout duration, rather than locking permanently, is preferable
  • Rate Limiting: Limit login attempts per IP address or session
  • CAPTCHA: Display CAPTCHA after multiple failures to suppress automated tool attempts
  • Proper Hash Algorithms: Use hash functions with intentionally high computational cost like bcrypt, scrypt, or Argon2 to slow down offline cracking
  • WAF Implementation: Detect and block abnormal login patterns with a Web Application Firewall

To learn more about this topic, see Password Security: How to Create Strong Passwords and Manage Them.
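One way to implement the progressive lockout described above, as an added example that is not from the original page: each consecutive lockout doubles in length up to a cap, so guessing is slowed without an attacker being able to lock an account out permanently. All names are hypothetical, and the `verify` callable stands in for the real password-hash check.

```python
"""Progressive account lockout (example code, hypothetical names).
Each consecutive lockout is twice as long as the previous one, capped at
max_seconds so a deliberately triggered lockout has bounded impact."""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last lockout or success
    lockouts: int = 0          # consecutive lockouts so far (drives the backoff)
    locked_until: float = 0.0  # unix timestamp; 0 means not locked


@dataclass
class LockoutPolicy:
    threshold: int = 5          # failures tolerated before the first lockout
    base_seconds: float = 30.0  # length of the first lockout
    max_seconds: float = 3600.0 # cap on any single lockout
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def lock_seconds(self, lockouts: int) -> float:
        """Length of the n-th consecutive lockout: base * 2**(n-1), capped."""
        return min(self.base_seconds * 2 ** (lockouts - 1), self.max_seconds)

    def attempt(self, user: str, verify: Callable[[], bool], now: float) -> str:
        """Returns 'locked', 'failed' or 'ok'. `verify` performs the real
        credential check and is only called while the account is not locked."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"            # reject without evaluating the password
        if verify():
            self.accounts[user] = AccountState()  # success resets counters and backoff
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.lockouts += 1
            st.locked_until = now + self.lock_seconds(st.lockouts)
            st.failures = 0            # the next lockout needs `threshold` fresh failures
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed scenario: an automated guessing run, one wrong password per second.
    for i in range(12):
        print(i, policy.attempt("alice", lambda: False, float(i)))
```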

Common Misconceptions

A complex password is safe even if it's short
Even an 8-character password with symbols can be cracked in hours with modern GPU clusters. Password strength depends most on length, with 12+ characters recommended. A long random password is safer than a short complex one.

Brute force attacks are outdated and not a realistic threat
GPU performance improvements make brute force execution faster every year. Additionally, offline brute force against leaked password hashes is unaffected by rate limiting or account lockout, making it still a serious threat.