TL;DR
A brute force attack tries to guess passwords by attempting many combinations. Attackers use automated tools to try common passwords, leaked credentials, and systematic combinations. Defend with rate limiting (slow down attempts), account lockout, CAPTCHA, MFA, and strong password requirements. Rate limiting is the most effective defense for online attacks.
The Simple Explanation
If you try enough passwords, eventually you will guess the right one. Brute force attacks automate this process, trying thousands or millions of passwords per second. They start with common passwords (password123, qwerty) and move to systematic combinations. Without defenses, weak passwords fall quickly.
Attack Types
| Type | Method | Speed |
|---|---|---|
| Pure brute force | Every combination | Slowest |
| Dictionary | Common passwords | Fast |
| Hybrid | Dictionary + variations | Medium |
| Credential stuffing | Leaked passwords | Very fast |
| Reverse brute force | One password, many users | Fast |
Online vs Offline Attacks
Online attacks:
- Against live login pages
- Limited by network speed
- Detectable and blockable
- Rate limiting is effective
Offline attacks:
- Against stolen password hashes
- Limited only by compute power
- No detection possible
- Proper hashing is the defense
Defense Strategies
- Rate limiting: Limit login attempts per IP/account
- Account lockout: Temporary lock after failures
- CAPTCHA: Block automated attempts
- MFA: Password alone is not enough
- Password requirements: Enforce length and complexity
- Monitoring: Alert on unusual patterns
Account lockout can backfire. Attackers can lock out legitimate users by intentionally failing login attempts. Use temporary lockouts, progressive delays, or CAPTCHA instead of permanent locks.
Password Strength
- 4 characters: Seconds to crack
- 8 characters: Hours to days
- 12+ characters: Years to centuries
- Passphrase: Practically uncrackable
What is the difference between brute force and dictionary attacks?
Pure brute force tries every possible combination (aaaa, aaab, aaac...). Dictionary attacks use wordlists of common passwords, leaked passwords, and variations. Dictionary attacks are faster because they try likely passwords first. Most real attacks combine both approaches.
How do I protect against brute force attacks?
Implement rate limiting to slow down attempts, account lockout after failed attempts (with care to prevent denial of service), CAPTCHA after suspicious activity, multi-factor authentication, and password complexity requirements. Monitor for unusual login patterns.
How long does a brute force attack take?
It depends on password length and complexity. A 4-character lowercase password can be cracked in seconds. An 8-character mixed-case with numbers takes much longer. A 12+ character passphrase with symbols could take years. Rate limiting makes online attacks impractical regardless of password strength.