What is a brute force attack

A brute force attack is a method of guessing passwords and other login credentials by trying many combinations until one works. This guide is for anyone who uses online accounts, as well as IT administrators responsible for securing websites and networks. By the end, you’ll understand how brute force attacks work, how to recognize them, and which defenses are most effective.

Quick answer: What are brute force attacks?

A brute force attack systematically guesses login credentials (usernames, passwords, PINs) using automated scripts until it finds a working combination. Unlike attacks that exploit a flaw in the software, brute force attacks rely solely on computational power and repetition: the attacker's tooling submits thousands or even millions of guesses.

How to protect yourself:

  • Use a long, unique password for every account
  • Store passwords in a password manager
  • Enable multi-factor authentication (MFA)
  • Watch for login alerts from unfamiliar devices or locations

How to protect systems:

  • Limit failed login attempts
  • Introduce rate limiting and time delays
  • Use CAPTCHA where appropriate
  • Monitor for unusual authentication patterns
  • Enforce strong password policies

How brute force attacks work

In a brute force attack, software repeatedly submits guesses until authentication succeeds.

The attacker may target:

The effectiveness of the attack depends on:

  • Password length
  • Password randomness
  • Number of allowed login attempts
  • Computing power available to the attacker
  • Whether MFA is enabled

A short, common password may be cracked in seconds. A long, randomly generated password cannot be exhausted with any realistic amount of computing power, which makes brute forcing it impractical.
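The factors above combine into a simple model. The following is an added worked example (not code from the original article) that computes the keyspace and entropy for a few password shapes, the expected time to guess one at an assumed online and an assumed offline rate, and the guess budget an attacker is left with when an account locks after a few failures. The guess rates and the 5-failure / 15-minute lockout policy are assumptions for illustration.

```python
import math

# Assumed guess rates for illustration only (not figures from the article):
# a rate-limited online login form versus offline cracking of a stolen,
# fast unsalted hash on commodity GPU hardware.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10_000_000_000

CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def expected_seconds(space: int, guesses_per_sec: float) -> float:
    """Expected time to find a uniformly random password: on average the
    attacker covers half the keyspace before hitting the right guess."""
    return space / 2 / guesses_per_sec


def guesses_per_day_under_lockout(max_failures: int, lockout_minutes: int) -> int:
    """Upper bound on guesses against ONE account per day when the account
    locks for `lockout_minutes` after `max_failures` consecutive failures."""
    windows_per_day = (24 * 60) // lockout_minutes
    return max_failures * windows_per_day


def days_to_exhaust_online(space: int, max_failures: int, lockout_minutes: int) -> float:
    """Days needed to try the whole keyspace through a login form with lockouts."""
    return space / guesses_per_day_under_lockout(max_failures, lockout_minutes)


def describe(seconds: float) -> str:
    """Human-readable duration."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / (365 * 86400):.2g} years"


if __name__ == "__main__":
    print(f"{'shape':<24}{'bits':>6}{'online':>14}{'offline':>14}")
    for name, size in CHARSETS.items():
        for length in (6, 8, 12, 16):
            shape = f"{name} x{length}"
            space = keyspace(size, length)
            print(f"{shape:<24}{entropy_bits(size, length):>6.1f}"
                  f"{describe(expected_seconds(space, ONLINE_GUESSES_PER_SEC)):>14}"
                  f"{describe(expected_seconds(space, OFFLINE_GUESSES_PER_SEC)):>14}")
    # With a 5-failure / 15-minute lockout one account receives at most 480
    # guesses per day, so even a 4-digit PIN takes about three weeks online.
    print(guesses_per_day_under_lockout(5, 15), "guesses/day under lockout")
    print(f"{days_to_exhaust_online(keyspace(10, 4), 5, 15):.1f} days for a 4-digit PIN")
```

The table makes the two regimes visible: online, the lockout policy dominates and even a short PIN becomes slow; offline, against a stolen fast hash, only length and randomness protect the password.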

Types of brute force attacks

Simple brute force

The attacker tries every possible combination until one succeeds.

Dictionary attack

The attacker tests words from a predefined list of common passwords and phrases, which is far faster than trying every combination because most people choose from a small, predictable set. Password dictionaries containing millions of entries are available online. Against a stolen database of password hashes, attackers may also use precomputed rainbow tables, which trade storage for time by storing the hashes of candidate passwords in advance so that a leaked hash can be matched to its plaintext with a lookup instead of a fresh guess. Rainbow tables only work offline, and only when the hashes are unsalted: a unique per-user salt, combined with a slow hash such as bcrypt, scrypt or Argon2, forces the attacker to hash every candidate again for every account.

Hybrid brute force

Dictionary words are combined with capitalization changes, character substitutions and appended numbers or symbols. For example, using “Pa$$w0rd” instead of “Password”. Attackers favor these rules because such variants are exactly what people produce when a complexity policy or a forced password change demands something “different”.

Credential stuffing

Previously leaked username and password combinations are tested against other websites. Because each pair is known to have worked somewhere, credential stuffing needs only one or two attempts per account and succeeds whenever users reuse passwords. It is one of the most common and effective attack types in use today.

Reverse brute force

A single common password (or a short list of them) is tested against many usernames. Also known as password spraying, this keeps the number of attempts per account below lockout thresholds, so it is often missed by defenses that only count failures per user.
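Two of the points above, the hybrid rules and the difference between unsalted and salted hashes, are easiest to see in code. The following is an added example, not code from the article: it generates hybrid candidates from a constructed four-word list (so “Pa$$w0rd” and “welcome1” fall out of plain dictionary words), builds a precomputed hash-to-plaintext table and applies it to a constructed “stolen” database, then repeats the attack against salted hashes to show that nothing can be precomputed. SHA-256 is used only to keep the example self-contained; a real password store should use a slow, salted hash.

```python
import hashlib
import itertools
import os

# Constructed four-word list standing in for a multi-million-entry dictionary.
WORDLIST = ["password", "welcome", "summer", "dragon"]

# Character substitutions typical of hybrid rules.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3"}


def hybrid_candidates(word: str, max_suffix: int = 99):
    """Yield hybrid-attack candidates for one dictionary word: case variants,
    every combination of leet substitutions, and appended digits or '!'."""
    bases = {word, word.capitalize(), word.upper()}
    rules = [(src, dst) for src, dst in LEET.items() if src in word]
    for n in range(1, len(rules) + 1):
        for subset in itertools.combinations(rules, n):
            mangled = word
            for src, dst in subset:
                mangled = mangled.replace(src, dst)
            bases.add(mangled)
            bases.add(mangled.capitalize())
    for base in sorted(bases):
        yield base
        yield base + "!"
        for i in range(max_suffix + 1):
            yield f"{base}{i}"


def all_candidates() -> list:
    """Ordered, de-duplicated candidate list across the whole wordlist."""
    return list(dict.fromkeys(c for w in WORDLIST for c in hybrid_candidates(w)))


# SHA-256 keeps the example fast; password stores must use bcrypt/scrypt/Argon2.
def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """hash -> plaintext, computed once. This is the flat form of a rainbow
    table: it matches every user's hash as long as the hashes are unsalted."""
    return {unsalted_hash(c): c for c in candidates}


def crack_unsalted(stolen: dict, table: dict) -> dict:
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return {user: table[h] for user, h in stolen.items() if h in table}


def crack_salted(stolen: dict, candidates) -> tuple:
    """With a per-user salt nothing can be precomputed: every candidate must be
    re-hashed for every user, so the work grows with the number of accounts."""
    found, hashes_computed = {}, 0
    for user, (salt, h) in stolen.items():
        for c in candidates:
            hashes_computed += 1
            if salted_hash(c, salt) == h:
                found[user] = c
                break
    return found, hashes_computed


def demo():
    """Constructed 'stolen database' of three users with weak passwords."""
    plaintexts = {"alice": "Pa$$w0rd", "bob": "welcome1", "carol": "Dragon!"}
    candidates = all_candidates()

    unsalted_db = {u: unsalted_hash(p) for u, p in plaintexts.items()}
    table = build_lookup_table(candidates)          # built once, reused forever
    found_unsalted = crack_unsalted(unsalted_db, table)

    salts = {u: os.urandom(16) for u in plaintexts}
    salted_db = {u: (salts[u], salted_hash(p, salts[u])) for u, p in plaintexts.items()}
    found_salted, work = crack_salted(salted_db, candidates)
    return found_unsalted, found_salted, len(table), work


if __name__ == "__main__":
    fu, fs, table_size, work = demo()
    print("unsalted: lookups only, table of", table_size, "entries ->", fu)
    print("salted:  ", work, "hashes computed at attack time ->", fs)
```

Both runs recover the same weak passwords, which is the point: salting does not rescue a password that is in the candidate list, it only removes the attacker's ability to amortize the work across users and across breaches.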

What attackers do after gaining access

A successful login gives the attacker the same access the legitimate user has. Depending on the target, they may:

  • Steal personal or financial data
  • Send phishing messages from the compromised account
  • Install malware
  • Access internal systems
  • Change account settings to lock out the owner
  • Sell the credentials on criminal marketplaces

Real-world examples

Brute force attacks remain common because they are simple to automate. Here are some examples from recent years:

  • 23andMe (2023): A credential stuffing attack using reused passwords exposed data associated with approximately 6.9 million customer profiles.
  • Canada Revenue Agency (2020): A credential stuffing campaign breached over 11,000 government accounts.
  • Cisco VPNs (2023): Attackers spent five months brute-forcing Cisco ASA SSL VPNs, ultimately compromising networks across more than 11 organizations.
  • Arkansas county (2023): Experienced more than 64,000 login attempts before the attack stopped.

These incidents show that brute force attacks affect individuals, businesses, and governments alike.

How to tell if you are being targeted

For individual users

You may notice:

  • Login alerts from unknown devices or countries
  • Password reset emails you did not request
  • Account settings changed without your permission
  • Locked accounts caused by repeated failed attempts

For administrators

Watch for:

  • Large numbers of failed logins
  • Multiple usernames targeted from one IP address
  • One username targeted from many IP addresses
  • Sequential username or password patterns
  • Sudden spikes in authentication traffic

One failed login is normal. Hundreds or thousands in a short period usually indicate automation.
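The administrator indicators above can be turned into detection logic. The following is an added example, not code from the article: it parses constructed sshd-style “Failed password” lines, counts failures per source IP and per username, and flags the three patterns listed (many failures from one IP against one user, one IP touching many users with only a guess or two each, and one user hit from many IPs), plus the peak number of failures in any 60-second window as a spike indicator. The log lines, host name, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the sshd "Failed password" line shape; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(lines):
    """Return (timestamp, user, ip) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]))
    return events


def detect(lines, min_failures_per_ip=10, min_ips_per_user=5):
    """Classify the attack patterns an admin should watch for."""
    events = parse_failures(lines)
    fails_by_ip, users_by_ip, ips_by_user = Counter(), defaultdict(set), defaultdict(set)
    for _, user, ip in events:
        fails_by_ip[ip] += 1
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)

    alerts = []
    for ip, n in fails_by_ip.items():
        if n < min_failures_per_ip:
            continue  # a handful of typos from one address is normal
        users = users_by_ip[ip]
        if len(users) == 1:
            kind = "single-user brute force"
        elif n / len(users) <= 2:
            kind = "password spraying"          # many users, a guess or two each
        else:
            kind = "multi-user brute force"
        alerts.append((kind, ip, n))
    for user, ips in ips_by_user.items():
        if len(ips) >= min_ips_per_user:        # botnet or credential stuffing
            alerts.append(("distributed attack on one username", user, len(ips)))
    return alerts


def peak_failures(lines, window_seconds=60):
    """Largest number of failures inside any sliding window (spike detection)."""
    times = sorted(ts for ts, _, _ in parse_failures(lines))
    best = start = 0
    for end, ts in enumerate(times):
        while (ts - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def _line(ts, user, ip, invalid=False):
    who = f"invalid user {user}" if invalid else user
    return f"{ts} bastion sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"


def build_sample_log():
    """Constructed log: one brute forcer, one sprayer, one distributed attack, one typo."""
    lines = [_line(f"Jan 10 12:00:{5 * i:02d}", "alice", "203.0.113.5") for i in range(12)]
    sprayed = ["root", "admin", "backup", "test", "guest", "oracle", "postgres", "deploy", "ubuntu", "pi"]
    lines += [_line(f"Jan 10 12:{10 + i}:00", u, "198.51.100.7", invalid=True) for i, u in enumerate(sprayed)]
    lines += [_line(f"Jan 10 12:30:{10 * i:02d}", "carol", f"192.0.2.{i + 1}") for i in range(6)]
    lines.append(_line("Jan 10 12:45:00", "dave", "192.0.2.50"))
    lines.append("Jan 10 12:46:00 bastion sshd[4243]: Accepted publickey for dave from 192.0.2.50 port 51001 ssh2")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for alert in detect(log):
        print(alert)
    print("peak failures in 60 s:", peak_failures(log))
```

Note that the sprayer never trips a per-account lockout (one guess per user) and each of the six IPs hitting carol stays under the per-IP threshold; only correlating by username and by IP together catches both.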

How to prevent brute force attacks

1. Use strong, unique passwords

Long passwords matter more than complexity alone. A good password should:

  • Be at least 14–16 characters long
  • Be unique to each account
  • Be randomly generated when possible

A password manager (I’d personally recommend KeePass) removes the burden of remembering unique passwords for every site and makes strong passwords practical.

Comparitech’s password strength test

2. Enable Multi-Factor Authentication (MFA)

MFA requires a second factor, such as:

Even if the password is guessed, the attacker still cannot log in without the second factor, so MFA turns a correct guess into just another failed login.

Google MFA options

3. Limit login attempts

Temporary account lockouts after repeated failed attempts stop automated guessing against a single account. Keep lockouts temporary rather than permanent, and throttle by source IP as well as by account; otherwise an attacker can lock legitimate users out of their own accounts simply by entering wrong passwords. A common approach is:

  • 5–10 failed attempts
  • 15–60 minute lockout
  • Verified password reset option

4. Add rate limiting and delays

Small delays between attempts, growing with each failure and applied per account and per source IP, make high-volume guessing impractical without noticeably inconveniencing a legitimate user who mistypes once.
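Steps 3 and 4 are usually implemented together. The following is an added example, not code from the article, of a login throttle that applies a doubling delay after each failure and a 15-minute lockout after five consecutive failures, keyed on both the account and the source IP so that a sprayer spreading guesses across accounts is still slowed down. The user store, the credential, the IP address and the scripted attack are all constructed; the clock is passed in as a number of seconds so the behaviour can be traced without waiting. SHA-256 is used only to keep the example self-contained; a real password store must use a slow, salted hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
from collections import defaultdict


class LoginThrottle:
    """Per-key (account or source IP) failure tracking: a doubling delay after
    each failure, then a temporary lockout once `max_failures` is reached."""

    def __init__(self, max_failures=5, lockout_seconds=15 * 60,
                 base_delay=1.0, max_delay=30.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)        # consecutive failures per key
        self.next_allowed = defaultdict(float)  # earliest time of next attempt
        self.locked_until = {}

    def check(self, key, now):
        """Return (allowed, seconds_to_wait) without recording anything."""
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return False, until - now
            del self.locked_until[key]          # lockout expired: start fresh
            self.failures[key] = 0
        wait = self.next_allowed[key] - now
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record_failure(self, key, now):
        self.failures[key] += 1
        n = self.failures[key]
        if n >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            return
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)  # 1, 2, 4, 8 s ...
        self.next_allowed[key] = now + delay

    def record_success(self, key):
        for store in (self.failures, self.next_allowed, self.locked_until):
            store.pop(key, None)


# Constructed user store (SHA-256 for brevity; use bcrypt/scrypt/Argon2 in production).
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}
DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def attempt_login(throttle, user, password, ip, now):
    """Apply the throttle to both the account and the source IP, then verify."""
    keys = (f"user:{user}", f"ip:{ip}")
    for key in keys:
        allowed, wait = throttle.check(key, now)
        if not allowed:
            return "throttled", round(wait, 1)
    # Hash and compare even for unknown users so response timing does not
    # reveal which usernames exist.
    presented = hashlib.sha256(password.encode()).hexdigest()
    matches = hmac.compare_digest(USERS.get(user, DUMMY_HASH), presented)
    if matches and user in USERS:
        for key in keys:
            throttle.record_success(key)
        return "ok", 0.0
    for key in keys:
        throttle.record_failure(key, now)
    return "denied", 0.0


def simulate():
    """Scripted attack on 'alice' from one IP; the clock is in seconds."""
    throttle = LoginThrottle()
    script = [(0, "x1"), (0.5, "x2"), (1, "x3"), (3, "x4"), (7, "x5"), (15, "x6"),
              (16, "correct horse battery staple"), (916, "correct horse battery staple")]
    return [attempt_login(throttle, "alice", pw, "203.0.113.9", now) for now, pw in script]


if __name__ == "__main__":
    for now_pw, result in zip([0, 0.5, 1, 3, 7, 15, 16, 916], simulate()):
        print(f"t={now_pw:>5}: {result}")
```

In the scripted run the second guess arrives inside the one-second delay and is refused before the password is even checked, the fifth failure locks the account, the correct password is rejected while the lockout is active, and it is accepted once the lockout expires; a successful login clears the counters so a legitimate user is not penalized for an earlier typo.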

5. Use CAPTCHAs

CAPTCHA helps distinguish humans from automated tools, especially after repeated failures. It raises the cost of each guess rather than blocking it, so treat it as a supplement to rate limiting, not a replacement.

6. Monitor authentication logs

Centralize authentication logs, track failed login attempts per source IP and per username, and alert on the patterns described in the section above.

7. Block known malicious IP addresses

Web application firewalls and threat intelligence feeds can automatically block abusive traffic.

8. Disable unnecessary remote access

If services such as RDP or SSH are exposed to the internet, put them behind a VPN, require MFA, and restrict access to known source addresses where possible.

Which defenses matter most?

If you only implement three protections, prioritize:

  • Long, unique passwords
  • Multi-factor authentication
  • Login rate limiting

Together, these measures stop the majority of real-world brute force attacks.

Common misconceptions

“My password is complex, so I’m safe.”

Not necessarily. Short passwords with predictable substitutions such as P@ssw0rd! remain vulnerable.

“Brute force attacks only target large companies.”

Anyone with an online account can be targeted.

“Antivirus will stop brute force attacks.”

Antivirus software may detect malware, but it does not prevent attackers from attempting to log in to online services.

What to do if your account is compromised

  • Change the password immediately
  • Enable MFA if not already enabled
  • Sign out of all active sessions
  • Review recovery email and phone settings
  • Check for unauthorized purchases or messages
  • Change passwords on any other accounts using the same password

Are brute force attacks illegal?

Unauthorized access to computer systems is illegal in most countries. Examples include the United States (under the Computer Fraud and Abuse Act), the United Kingdom (under the Computer Misuse Act 1990), and the European Union (under Directive 2013/40/EU on Attacks Against Information Systems).

Summary

Brute force attacks are one of the oldest and simplest forms of cyberattack, but they remain effective when users rely on weak or reused passwords. For users, a password manager and MFA are the most impactful steps. For administrators, layering rate limiting, lockouts, CAPTCHA, and MFA creates a defense that makes brute force attacks time-consuming enough to be abandoned in favor of easier targets.