# Brute force attack

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/brute-force-attack

## Quick definition

A brute force attack is when someone tries every possible combination of characters to guess a password or encryption key. It is like trying every key on a key ring to open a lock. This method is simple but can take a very long time if the password is long and complex. Attackers often use automated software to speed up the process.

## Simple meaning

Imagine you have a lock on your front door. A brute force attack is like a thief standing at your door with a giant key ring that holds every possible key ever made. The thief tries each key, one by one, until one finally opens the lock. In the computer world, that lock is your password, and the key ring is a special program that generates every possible combination of letters, numbers, and symbols. 

 The program starts with simple guesses like 'a', 'b', 'c', and then moves on to 'aa', 'ab', 'ac', and so on. It keeps going until it finds the exact password you set. If your password is short and simple, like 'cat', the program might find it in seconds. But if your password is long and complex, like 'Tr0ub4dor&3', the program would need to try billions of combinations, which could take years. 

 This is why websites and companies push you to use long, complicated passwords with a mix of different characters. They also add extra protections, like locking you out after a few wrong guesses, to make brute force attacks much harder to pull off. In essence, the longer and more random your password is, the more time and computer power an attacker needs, and the less likely they are to succeed.

## Technical definition

A brute force attack is a cryptographic attack that systematically enumerates all possible candidates for a key or password and checks each one until the correct one is found. It is a direct, exhaustive search method that relies on computational power rather than exploiting any weakness in the algorithm itself. In the context of IT security, this typically targets authentication systems, encrypted files, or hashed password databases. 

 For password authentication, the attacker first obtains a list of usernames, often through a separate data breach or by using common usernames. They then use a tool like Hydra, John the Ripper, or a custom script to submit login attempts repeatedly. Each attempt sends a request to the authentication server, which checks the submitted password against its stored hash. The attacker's tool compares the server's response, often a success or failure message, to know if the password is correct. 

 Modern brute force attacks can be optimized. Distributed brute forcing uses multiple machines to divide the key space, drastically reducing the time needed. Online brute force attacks target live services, attempting logins directly. Offline brute force attacks work on stolen hashed password files; the attacker computes the hash of each guess and compares it to the stored hash. Offline attacks are much faster because there is no network latency or account lockout mechanism. 

 Salting is a critical defense. A salt is a random value added to a password before hashing. This ensures that even if two users have the same password, their hashes are different. Without salt, a precomputed table (rainbow table) of common password hashes can be used to reverse the hashes instantly. Proper salting forces the attacker to brute force each password individually. 

 In wireless security, a brute force attack can be used against WPA/WPA2 handshakes. The attacker captures the four-way handshake, then uses a wordlist or exhaustive search to guess the pre-shared key. The attack's success depends on the complexity of the passphrase and the computational resources available.

## Real-life example

Think of your phone's screen lock. You have a 4-digit PIN. A brute force attack would be like a friend who is determined to unlock your phone while you are in the bathroom. They start by typing 0000. The screen says 'wrong'. They then type 0001. Still wrong. They keep going, 0002, 0003, 0004, and so on. 

 If your PIN is 1234, they would find it after 1234 attempts. That might take ten minutes if they are fast. But if you have set a 6-digit PIN, they would have to try 1,000,000 possible combinations. That would take hours. Most phones now have a feature that disables the phone for a minute after 10 wrong guesses, making a brute force attack completely impractical. 

 This is exactly what happens online. An attacker tries thousands of password guesses per second. The only difference is that the attacker uses a computer program, not their fingers. The program sends login requests automatically and checks if the server says 'success' or 'failure'. Just like your phone's lockout feature, many websites will block an IP address after too many failed attempts. That is why attackers often use a botnet, a network of many computers, to spread out the attempts and avoid detection.

## Why it matters

Brute force attacks matter because they target the most basic form of security: your password. Many security systems rely on the assumption that passwords are secret and hard to guess. A brute force attack directly challenges that assumption. If a password is weak, no amount of encryption or firewall protection can stop a determined attacker. 

 For IT professionals, understanding brute force attacks is essential for implementing proper password policies. Enforcing a minimum length of 12 characters, requiring a mix of character types, and mandating regular password changes help raise the cost of a brute force attack. Account lockout policies, locking an account after 5 failed attempts for 30 minutes, can stop an online brute force attack entirely. 

 Multi-factor authentication (MFA) is the strongest defense. Even if a password is guessed, the attacker still needs a second factor, like a code from your phone. In penetration testing, brute force attacks are used to evaluate the strength of an organization's password policy. Tools like Hydra or Medusa are used to test if common passwords can break into accounts. 

 The rise of cloud computing has made brute force attacks more accessible. Attackers can rent time on powerful GPU clusters to crack hashes offline. For example, a modern GPU can try billions of MD5 hashes per second. This means that even an 8-character password can be cracked in hours if it does not include special characters. For IT teams, this means hashing algorithms must be slow, like bcrypt or Argon2, that take milliseconds per hash, making brute force exponentially slower.

## Why it matters in exams

Brute force attacks are a core topic in the CompTIA Security+ (SY0-601 and SY0-701) exam. They fall under Domain 1.0 (Attacks, Threats, and Vulnerabilities) and specifically under Objective 1.2, which covers different types of attacks. You are expected to know not just what a brute force attack is, but how to differentiate it from other password attacks like dictionary attacks or rainbow table attacks. 

 In the exam, you might be given a scenario where an attacker tries many combinations against a login page. You need to identify that as a brute force attack. Another common question: 'An attacker obtains a list of hashed passwords from a server. They then compute the hash of every word in a dictionary and compare them. What type of attack is this?' That is a dictionary attack, not brute force. The distinction is that brute force tries all combinations, while dictionary attacks only try words from a list. 

 Security+ questions often ask about mitigation strategies. You should know that account lockout, progressive delays, and MFA are effective against online brute force attacks. For offline attacks, salting and slow hashing algorithms (bcrypt, PBKDF2, Argon2) are key. 

 The exam may also present a scenario where an attacker uses a botnet to perform a distributed brute force attack. You need to understand that this evades IP-based lockout because each attempt comes from a different IP. In such cases, geolocation blocking or CAPTCHA can help. 

 For the CEH (Certified Ethical Hacker) exam, brute force attacks are covered under the 'System Hacking' phase. You are expected to know how to use tools like John the Ripper, Hydra, and Cain & Abel. Questions may ask about the time required to crack a password based on its length and character set. For CISSP, brute force attacks relate to the 'Security Architecture and Engineering' domain, focusing on the strength of cryptographic algorithms and key length. 

 In every exam, the key takeaway is that brute force is always possible, but it is a race between the attacker's computing power and the password's entropy. The exam will test whether you know how to make that race as hard as possible for the attacker.

## How it appears in exam questions

Multiple-choice questions often present a short scenario and ask you to identify the attack type. For example: 'An attacker attempts to log in to a user account by trying every possible combination of uppercase and lowercase letters, numbers, and symbols until the correct password is found. Which type of attack is this?' The correct answer is brute force attack. The distractor answers might include 'dictionary attack,' 'rainbow table attack,' or 'birthday attack.' 

 Another common pattern is a scenario where an attacker has captured a list of hashed passwords. The question asks which technique would be most efficient to crack them. If the hashes are unsalted, a rainbow table attack might be the answer. If the hashes are salted, brute force or dictionary attack is needed. You need to read carefully whether the attacker is using a wordlist (dictionary) or generating all combinations (brute force). 

 Performance-based questions (PBQs) are also possible. For example, you might be given a network diagram and logs showing multiple failed login attempts from different source IPs to the same account. You might be asked to select the most effective mitigation. Options could include: enable account lockout, implement IP whitelisting, deploy a WAF rule to block repeated attempts, or increase password complexity. The best answer would be enabling account lockout, but you must also consider that distributed attacks bypass IP-based blocking. 

 Troubleshooting-style questions may ask: 'After implementing a password policy requiring 12-character passwords, users report that logins take unusually long. What is the most likely cause?' The answer might be that the server is using a slow hashing algorithm like bcrypt with a high work factor, and the increased length is making each login attempt computationally heavy. This is not a bug but a feature. 

 Scenario-based questions might describe a small business that uses a standard router with default credentials. An attacker performs a brute force attack on the router's admin page because the credentials are weak. You need to identify the vulnerability (default credentials) and the attack (brute force). 

 Always remember: if the question mentions 'all possible combinations,' it is brute force. If it mentions 'common words,' it is dictionary. If it mentions 'precomputed hashes,' it is rainbow table.

## Example scenario

You are a security analyst for a mid-sized company. One morning, the helpdesk receives multiple reports from employees saying they cannot access their email because their accounts are locked. You check the authentication logs and see hundreds of failed login attempts for several user accounts over the past hour. The attempts all come from a single IP address, and the passwords tried include random combinations like 'a1b2c3', 'd4e5f6', and 'g7h8i9'. 

 You quickly realize this is an online brute force attack. The attacker is using a script to try every possible 6-character combination against the company's Outlook Web Access (OWA) portal. You notice that the account lockout policy is set to 5 failed attempts before locking for 30 minutes. This has actually helped, it slowed the attacker down and alerted you because many accounts became locked. 

 Your next step is to block the attacker's IP address at the firewall. You also enable CAPTCHA on the OWA login page to prevent automated scripts. Finally, you advise the helpdesk to unlock the locked accounts after verifying the users' identities. You also send a company-wide reminder to use strong, unique passwords and enable multi-factor authentication. 

 This scenario shows how a brute force attack looks in the real world. The attacker did not use any fancy exploit; they just tried many passwords. The defense was a combination of lockout policies, monitoring, and blocking. If the company had MFA enabled, the attacker would have failed even if they guessed the password, because they would still need the second factor.

## Common mistakes

- **Mistake:** Thinking a brute force attack only works on passwords
  - Why it is wrong: Brute force can be used against encryption keys, PINs, API tokens, and even SSH keys.
  - Fix: Understand that brute force is a general method for finding any secret value by trying all possibilities.
- **Mistake:** Confusing brute force with a dictionary attack
  - Why it is wrong: A dictionary attack uses a list of common words, while brute force generates all combinations of characters.
  - Fix: If the attack uses a wordlist, it is a dictionary attack. If it generates random strings systematically, it is brute force.
- **Mistake:** Believing that a strong password alone is enough to stop brute force
  - Why it is wrong: Online brute force can be stopped by account lockout and MFA regardless of password strength.
  - Fix: Always combine strong passwords with other defenses like lockout and MFA.
- **Mistake:** Assuming that offline brute force is impossible if the password is hashed
  - Why it is wrong: Hashes can be cracked if the hash algorithm is fast and the password is weak.
  - Fix: Use slow hashing algorithms like bcrypt with a high work factor and ensure salts are used.
- **Mistake:** Thinking that a longer password is always better regardless of complexity
  - Why it is wrong: A very long password with only lowercase letters still has lower entropy than a shorter password with special characters.
  - Fix: Password length is important but must be combined with a broad character set for maximum entropy.

## Exam trap

{"trap":"The question describes an attacker who 'tries every possible password from a list of common passwords.' Some learners will call this a brute force attack.","why_learners_choose_it":"Because they think any trial-and-error password guessing is brute force. They overlook the word 'list' which indicates a predefined set.","how_to_avoid_it":"If the question says 'list of common passwords' or 'dictionary', it is a dictionary attack. Brute force is only when the attacker generates all combinations, not just common ones."}

## Commonly confused with

- **Brute force attack vs Dictionary attack:** A dictionary attack uses a precompiled list of likely passwords (words, common phrases), while a brute force attack generates every possible combination of characters. Dictionary attacks are faster but less thorough. (Example: Trying 'password', '123456', and 'qwerty' is a dictionary attack. Trying 'aaaaaa', 'aaaaab', 'aaaaac' is brute force.)
- **Brute force attack vs Rainbow table attack:** A rainbow table attack uses precomputed hash chains to reverse a hash quickly, without guessing the password. Brute force computes the hash for each guess in real time. Rainbow tables require storage but are much faster against unsalted hashes. (Example: If you have a hash and a rainbow table, you can look up the password instantly. Without the table, you would have to guess and hash until you find a match.)
- **Brute force attack vs Keylogger attack:** A keylogger captures keystrokes directly as the user types, so the attacker gets the password without any guessing. Brute force does not require any prior knowledge or user interaction. (Example: A keylogger records you typing 'P@ssword!' and sends it to the attacker. Brute force would try 'P@ssword!' after millions of other attempts.)

## Step-by-step breakdown

1. **Identify the target** — The attacker selects a system to attack, such as a web login page, an SSH server, or a hashed password file. They also decide what to target: a specific user, a list of users, or a service account.
2. **Choose the attack type** — The attacker decides between online (live service) or offline (stolen hash). This affects the tools and speed. Online attacks are slower due to network latency and lockouts, offline can run at full CPU/GPU speed.
3. **Select the character set and length** — The attacker defines the alphabet (lowercase, uppercase, digits, symbols) and the minimum and maximum password length. Larger alphabets and longer lengths increase the search space exponentially.
4. **Begin the enumeration** — The tool starts generating the first combination and submits it as the password. For online attacks, it sends an HTTP request or SSH login packet. For offline, it computes the hash of the guess and compares it to the target hash.
5. **Check the response** — The tool examines the response. For online, it looks for a success message, a different HTTP status code, or a redirect. For offline, it checks if the computed hash matches the stored hash. If match, the password is found.
6. **Iterate and accelerate** — If the guess is wrong, the tool moves to the next combination. It may use multithreading, distributed nodes, or GPU acceleration to try billions of combinations per second. The process continues until the password is found or the search space is exhausted.
7. **Extract the password** — Once the correct combination is found, the attacker records it. They can then use this password to log in as the victim, escalate privileges, or access sensitive data.

## Practical mini-lesson

A brute force attack is one of the oldest and most straightforward methods in an attacker's toolkit. It relies on the fact that every secret, whether it is a password, a key, or a PIN, can be represented as a finite string of characters. Given enough time and computational power, an attacker can try every possible string until the correct one is found. 

 In practice, a security professional needs to understand the difference between online and offline brute force. Online brute force is what you see against web applications. You can defend against it by using account lockout policies, progressive delays, CAPTCHA, and rate limiting. For example, an ASP.NET application can be configured to lock an account after 5 failed attempts for 15 minutes. Many organizations also log failed attempts and use a SIEM to alert on brute force patterns. 

 Offline brute force is more dangerous because it is not limited by network speed. When an attacker gains access to a database of password hashes, they can crack them at their own pace. This is why proper password storage is critical. The industry standard is to use a slow, salted hashing algorithm. Bcrypt is one of the most common; it includes a work factor that increases the time required to compute a single hash. For example, a work factor of 12 means that a single bcrypt hash takes about 250 milliseconds on modern hardware. That is slow enough to make brute forcing a strong password infeasible, but fast enough for a legitimate login. 

 What can go wrong? Misconfiguration is common. Some organizations disable account lockout to avoid user inconvenience, leaving the door open for brute force. Others use unsalted MD5 or SHA-1 for password storage, which makes offline cracking trivial. Another mistake is using the same password for multiple services; if one service is cracked, all others are exposed. 

 For penetration testers, brute force is often used as a last resort. Before resorting to brute force, testers will try default credentials, passwords from previous breaches, and social engineering. If those fail, they may launch a targeted brute force with a custom wordlist built from the target's social media profiles. 

 In a professional context, you should always test your own systems for brute force vulnerability. Simple tools like Hydra can be used to run a controlled test against your own login page. If Hydra can guess a password in under a minute, your password policy is too weak. You can also use tools like Hashcat to test the strength of your hashed passwords by attempting to crack them with a wordlist. 

 The key lesson: brute force attacks are always possible, but they are a time-versus- entropy game. As a security professional, your job is to make that time so long that the attacker gives up before they find the password.

## Memory tip

Brute force = Just force. Think of a brute forcing a door open with sheer physical power, no finesse, just raw effort.

## FAQ

**Can a brute force attack be detected?**

Yes, by monitoring logs for multiple failed login attempts from the same IP or many different IPs. A SIEM can alert on such patterns.

**Is a brute force attack illegal?**

Yes, unless you have explicit written permission from the system owner. Performing a brute force attack against a system you do not own is a criminal offense in most countries.

**What is the difference between online and offline brute force?**

Online brute force targets a live service and is limited by network speed and lockout policies. Offline brute force works on stolen password hashes and can run at full hardware speed.

**How long does it take to brute force a password?**

It depends on length and complexity. A 6-character lowercase password can be cracked in seconds. A 12-character password with symbols can take centuries with current hardware.

**Does multi-factor authentication stop brute force attacks?**

Yes, because even if the password is guessed, the attacker still needs the second factor, which they typically do not have.

**What tools do attackers use for brute force?**

Common tools include Hydra, Medusa, John the Ripper, Hashcat, and custom scripts. These are also used by security professionals for authorized testing.

## Summary

A brute force attack is a straightforward but powerful method where an attacker tries every possible combination of characters to guess a password or encryption key. It is a fundamental concept in cybersecurity because it targets the weakest link in many systems: the password. The success of a brute force attack depends entirely on the randomness and length of the secret. Short or predictable secrets can be cracked in seconds, while long, complex secrets can remain secure for centuries. 

 For IT professionals, defending against brute force attacks requires a layered approach. Online attacks are mitigated by account lockout, rate limiting, CAPTCHA, and multi-factor authentication. Offline attacks are mitigated by using slow, salted hashing algorithms like bcrypt, Argon2, or PBKDF2. It is also crucial to enforce strong password policies and regularly audit password strength. 

 In the context of certification exams like Security+, CEH, and CISSP, understanding brute force attacks is essential. You need to distinguish it from dictionary and rainbow table attacks, know the appropriate defenses, and recognize it in scenario-based questions. The exam will test your ability to choose the right mitigation based on the attack type. Remember: brute force is always possible, but with proper defenses, you can make it impractical. That is the exam takeaway.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/brute-force-attack
