What Are Brute Force Attacks and How Can You Protect Yourself?

Dann Albright 02-05-2016

If you read our security articles on a regular basis, like this one about testing your password strength, you’ve probably heard the phrase “brute force attack.” But what, exactly, does that mean? How does it work? And how can you protect yourself against it? Here’s what you need to know.


Brute Force Attacks: The Basics

When it comes down to it, a brute force attack is really simple: a computer program tries to guess a password or an encryption key by iterating through all possible combinations of a certain number of characters. For example, let’s say you wrote an app that tried to brute force a four-digit iPhone passcode. It might guess 1111, then 1112, then 1113, 1114, 1115, and so on until it got to 9999.


The same principle applies to more complicated passwords. A brute force algorithm might start with aaaaaa, aaaaab, aaaaac, then proceed to things like aabaa1, aabaa2, aabaa3, and so on, through all of the six-character combinations of numbers and letters, down to zzzzzz, zzzzz1, and beyond.

There’s also a technique known as the reverse brute force attack, in which a single password is tried against many different usernames. It is less common and harder to pull off successfully, but it gets around some common countermeasures.

As you can see, this is a rather inelegant way to guess a password. In theory, with enough computing power and enough energy, you could guess any password. But if you’re using anything other than a short, simple password, you don’t have much to worry about: the computing power it would take to guess a longer password would consume a huge amount of energy, and the search could take years to complete.


Advanced Brute Force Attacks

Because brute force attacks on anything but very simple passwords are woefully inefficient and time-consuming, hackers have come up with some tools that make them more effective.

A dictionary attack, for example, doesn’t just iterate through all of the possible combinations of characters; it uses words, numbers, or strings of characters from a pre-compiled list that the hacker deems at least somewhat more likely than average to show up in a password (this is the kind of attack you can run with fairly simple network penetration testing software).


For example, a dictionary attack might try a number of common passwords, like “password,” “mypassword,” “letmein,” and so on, before falling back to a standard brute force attack. Or it might append “2016” to every password it tries before moving on to the next one.


Various methods of using brute force attacks exist, but they all rely on trying a huge number of passwords as quickly as possible until the right one is found. Some require more computing power but save time; others are faster but need a large amount of storage during the attack.

Where Brute Force Attacks Are Dangerous

Brute force attacks can be used on anything that has a password or an encryption key, but many places where they could be used have deployed effective countermeasures against them (as you’ll see in the next section).

You’re in the most danger from a brute force attack if you lose your data and a hacker gets hold of it — once it’s on their computer, some of the safeguards that are in place on your machine or online can be circumvented.

How might a miscreant get your data onto their computer? You could lose a flash drive, maybe by leaving it in the pocket of your clothes that you sent to a dry cleaner, like the 4,500 flash drives found in 2009 in the UK. Or, like the other 12,500 devices found, you could leave a phone or a laptop in a cab. It’s an easy thing to do.



Or maybe someone was able to download something from a cloud service because you shared an insecure shortened link. Or maybe you got hit with ransomware that not only locked down your computer, but also stole some of your files.

The point of all this is that brute force attacks aren’t effective in some places, but there are a lot of ways in which they could be deployed against your data. The best way to prevent your data from getting onto a hacker’s computer is to keep close track of where your devices (especially flash drives!) are.

Protecting Against Brute Force Attacks

There are a number of defenses that websites or apps can use against brute force attacks. One of the simplest and most commonly used is the lockout: if you enter an incorrect password a certain number of times, the account gets locked and you need to get in touch with customer service or your IT department. This stops a brute force attack in its tracks.


A similar tactic can be used with a CAPTCHA challenge or other similar tasks. Neither of these methods will work against a reverse brute force attack, as it only fails a password test once for each account.

Another method that can be used to prevent these attacks (both standard and reverse) is two-factor authentication (2FA): even if a hacker does guess the right password, the requirement for another code or input will stop the attack. Fortunately, more and more services are incorporating 2FA into their systems. It can be a hassle, but it will protect you against a lot of attacks.

It’s worth noting that while these tactics are great for avoiding brute force attacks, they can also be used to attack a site in other ways. For example, if a brute force attack is launched against a site that locks accounts after five incorrect attempts, its customer service team could get flooded with calls, slowing down the site. The lockout could also be employed as part of a distributed denial of service attack.
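As an added illustration, not code from the article or any product it mentions, here is a small Python login guard that counts failures both per account and per source address. The constructed attempt streams show a classic brute force tripping the per-account lockout, while a reverse brute force (one password, many accounts) never locks anything and is caught only by the per-source counter; the thresholds, the window and the sample data are assumptions.

```python
from collections import defaultdict

# Assumed thresholds and window (constructed for this example, not from the article)
ACCOUNT_LOCK_AFTER = 5      # failures on one account before it is locked
SOURCE_THROTTLE_AFTER = 20  # failures from one source before that source is throttled
WINDOW_SECONDS = 600        # counters expire, so a lockout is temporary rather than a support call

class LoginGuard:
    """Per-account lockout stops a classic brute force (many passwords, one account).
    A reverse brute force fails each account only once and never trips it, so
    failures are also counted per source address."""

    def __init__(self):
        self.account_failures = defaultdict(list)  # account -> failure timestamps
        self.source_failures = defaultdict(list)   # source  -> failure timestamps

    @staticmethod
    def _prune(timestamps, now):
        # Drop failures that fell out of the sliding window
        cutoff = now - WINDOW_SECONDS
        timestamps[:] = [t for t in timestamps if t > cutoff]

    def check(self, account, source, now):
        """Decide before the password is verified, so a blocked guess is never tested."""
        self._prune(self.account_failures[account], now)
        self._prune(self.source_failures[source], now)
        if len(self.source_failures[source]) >= SOURCE_THROTTLE_AFTER:
            return "throttled-source"
        if len(self.account_failures[account]) >= ACCOUNT_LOCK_AFTER:
            return "locked-account"
        return "allow"

    def record_failure(self, account, source, now):
        self.account_failures[account].append(now)
        self.source_failures[source].append(now)

def simulate(attempts):
    """Run (time, account, source, password_ok) tuples through one guard; return decisions."""
    guard = LoginGuard()
    decisions = []
    for now, account, source, ok in attempts:
        decision = guard.check(account, source, now)
        decisions.append(decision)
        if decision == "allow" and not ok:
            guard.record_failure(account, source, now)
    return decisions

# Constructed attempt streams (sample data, not real logs)
CLASSIC = [(i, "alice", "10.0.0.5", False) for i in range(8)]    # many guesses, one account
SPRAY = [(i, f"user{i}", "10.0.0.9", False) for i in range(25)]  # one guess per account
```

With these streams, `simulate(CLASSIC)` allows five attempts and then returns "locked-account", while `simulate(SPRAY)` never locks an account and is stopped only by the per-source threshold after twenty failures.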


By far the easiest way to protect yourself against a brute force attack is to use a long password. As the length of a password increases, the computational power required to guess all of the possible character combinations grows very rapidly. In a paper on the security risks of URL shorteners, the researchers showed how five-, six-, and seven-character tokens were easy to guess, but 11- and 12-character tokens were nearly impossible.
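The growth described above, worked through as an added Python example (not from the article or the paper it cites): the search space is the character-set size raised to the length, so each extra character multiplies the worst-case effort. The 62-character alphabet, the guess rates and the wordlist sizes are assumptions chosen for illustration.

```python
# Added example: how the brute force search space grows with length, with assumed rates.
ALNUM = 62  # a-z, A-Z, 0-9 (assumed character set for the shortener tokens)
YEAR = 365 * 24 * 3600

def search_space(alphabet_size, length):
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second

def min_length_beyond_budget(alphabet_size, guesses_per_second, budget_seconds):
    """Smallest length whose exhaustive search outlasts the attacker's time budget."""
    length = 1
    while seconds_to_exhaust(alphabet_size, length, guesses_per_second) <= budget_seconds:
        length += 1
    return length

def dictionary_candidates(wordlist_size, suffixes):
    """A dictionary attack tries each word as-is plus once per appended suffix (e.g. "2016")."""
    return wordlist_size * (1 + len(suffixes))

def token_report(guesses_per_second=1_000_000_000):
    """Years to exhaust the token lengths the article cites, at an assumed 1e9 guesses/s."""
    return {length: seconds_to_exhaust(ALNUM, length, guesses_per_second) / YEAR
            for length in (5, 6, 7, 11, 12)}

if __name__ == "__main__":
    for length, years in token_report().items():
        print(f"{length:2d}-char token: {years:.2e} years")
    # A four-digit PIN is exhausted within a minute at only 100 guesses per second
    print("digits needed to outlast 1 minute at 100 guesses/s:", min_length_beyond_budget(10, 100, 60))
```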

You can apply the same logic to your passwords. Use strong passwords, and you’ll be all but immune to brute force attacks.

A Surprisingly Effective Attack

For how simple and inelegant it is — it’s called “brute force” for a reason, after all — this kind of attack can be surprisingly effective in gaining access to password-protected and encrypted areas. But now that you know how the attack works and how you can protect yourself against it, you shouldn’t have much to worry about!

Do you use two-factor authentication? Are you aware of other good defenses against brute force attacks? Share your thoughts and tips below!

Image credits: TungCheung via Shutterstock, cunaplus via Shutterstock.





  1. David Darr
    May 2, 2016 at 9:11 pm

    I've been researching both YubiKey NEO and Nitrokey. Both look promising.

    • Dann Albright
      May 3, 2016 at 1:43 pm

      Yep, a physical form of 2FA is a really good way to protect your data. As far as I'm aware, both are great options!

  2. Anonymous
    May 2, 2016 at 2:16 pm

    A passphrase is better than a strong password.