Brute Force Attack: How Hackers Crack Passwords
A brute force attack (so named because it relies on sheer force rather than any cleverness) is an attack method in which an attacker systematically tries every possible password combination until the correct one is found. It is a purely mathematical approach with no intelligence behind it – only enormous computing power.
Modern brute force tools can test up to 10 billion passwords per second depending on the hardware. That sounds alarming – but it is completely countered by sufficiently long and complex passwords.
How Does a Brute Force Attack Work?
Simple Brute Force Attack
The program tries all possible character combinations in sequence:
- First all 1-character passwords (a, b, c, ... z, A, B, ...)
- Then all 2-character combinations (aa, ab, ac, ...)
- And so on up to the desired length
The attacker's problem: The time required increases exponentially with longer passwords.
| Password Length | Character Set | Time at 10B/sec |
|---|---|---|
| 8 characters | Upper+Lower+Numbers (62 chars) | 0.7 seconds |
| 10 characters | Upper+Lower+Numbers (62 chars) | ~27 minutes |
| 12 characters | 94 chars (incl. special) | ~1,200 years |
| 16 characters | 94 chars | ~160 quadrillion years |
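The table above follows directly from one formula: a password of length L drawn from an alphabet of N characters has N^L possibilities, and exhaustive search at a fixed guess rate takes N^L divided by the rate seconds in the worst case (half that on average). The following calculator is an added example, not code from the original article; it takes the article's assumed rate of 10 billion guesses per second as given, the character-set names are constructed labels, and the "how long must a password be to survive X years" helper is a defender-side addition that the article does not discuss. The figures it prints are the raw keyspace/rate values, so compare them with the rounded table entries above.

```python
# Added example (not from the original article): keyspace size and exhaustive
# search time as a function of alphabet size and password length.
# GUESSES_PER_SECOND is the article's assumed attacker rate; the character-set
# labels below are constructed for illustration.

GUESSES_PER_SECOND = 10_000_000_000

CHARSET_SIZES = {
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "printable incl. special": 94,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every password in the keyspace at `rate` guesses/second."""
    return keyspace(charset_size, length) / rate


def average_seconds(charset_size: int, length: int,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time: on average the right guess turns up halfway through."""
    return worst_case_seconds(charset_size, length, rate) / 2


def growth_factor(charset_size: int, extra_chars: int) -> int:
    """How many times longer the search becomes per added character."""
    return charset_size ** extra_chars


def min_length_for(charset_size: int, target_years: float,
                   rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose worst-case search takes longer than `target_years`."""
    length = 1
    while worst_case_seconds(charset_size, length, rate) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print(f"{'length':>6}  {'charset':<24}  {'keyspace':>10}  worst case at 10 G/s")
    for length in (8, 10, 12, 16):
        for name, size in CHARSET_SIZES.items():
            secs = worst_case_seconds(size, length)
            print(f"{length:>6}  {name:<24}  {keyspace(size, length):>10.3e}  {human_duration(secs)}")
    print("Length needed to survive 100 years of search over 94 chars:",
          min_length_for(94, 100))
```

The `growth_factor` helper makes the exponential point concrete: over a 62-character alphabet, every two extra characters multiply the search time by 3,844, which is why adding length beats adding special characters.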
Dictionary Attack
Instead of all combinations, common passwords and dictionary words are tested first. This method cracks weak passwords in seconds:
- Known passwords like "123456", "password", "hello"
- Words from the dictionary
- Common password variations: "Password1!", "P@ssw0rd"
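The defender-side counterpart to a dictionary attack is a registration check that refuses exactly the passwords such an attack tries first: known breached passwords, dictionary words, and their "Password1!" / "P@ssw0rd" style variations. The checker below is an added example and not code from the original article. Its blocklist is a tiny constructed stand-in for a real breached-password corpus, the substitution map is an assumed reversal of the most common leet replacements, and the 16-character minimum follows the article's own recommendation.

```python
import re
from typing import Optional

# Added example (not from the original article). The blocklist is a constructed
# stand-in for a real breached-password list plus a few dictionary words.
BLOCKLIST = {
    "123456", "password", "hello", "qwerty", "letmein", "welcome",  # known passwords
    "summer", "dragon", "monkey", "sunshine",                      # dictionary words
}

MIN_LENGTH = 16  # the article's recommended length

# Assumed reversal of common substitutions, so "P@ssw0rd" collapses to "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
    "3": "e", "1": "i", "!": "i", "7": "t",
})


def normalize(password: str) -> str:
    """Strip leading/trailing digits and symbols, undo substitutions, lowercase."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(LEET_MAP).lower()


def weakness(password: str) -> Optional[str]:
    """Return why the password would fall to a dictionary attack, or None if it passes."""
    if password.lower() in BLOCKLIST:
        return "on the blocklist"
    core = normalize(password)
    if core in BLOCKLIST:
        return f"variation of blocklisted entry '{core}'"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def check_many(passwords) -> dict:
    """Map each candidate to its weakness (None means it passed every check)."""
    return {p: weakness(p) for p in passwords}


if __name__ == "__main__":
    # Constructed sample candidates, including the variations the article names.
    for pw, why in check_many(["123456", "Password1!", "P@ssw0rd", "Dr4g0n2024!",
                               "Xy9$kLm2", "correct-horse-battery-staple"]).items():
        print(f"{pw:<32} {'ok' if why is None else why}")
```

The order of checks matters: the raw lowercase lookup runs first so that an all-digit entry like "123456" is caught before normalization strips it to an empty string. A production check would replace the toy blocklist with a full breach corpus and the substitution map with the rule set a real cracking tool applies, since a single fixed map (for example "1" mapping only to "i", not "l") leaves gaps.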
Credential Stuffing
Login credentials from known data breaches (email + password combinations) are automatically tested at other services. Anyone using the same password across multiple services is particularly at risk.
How to Protect Yourself Against Brute Force Attacks
- Long, random passwords: The most effective protection. A 16-character password using all character types is a good baseline.
- A unique password for every service: Credential stuffing becomes ineffective when every account has a unique password; a password manager makes this practical.
- Two-factor authentication: Even if your password is cracked, 2FA prevents access. The second factor cannot be attacked by brute force.
- Account lockout after failed attempts: Reputable services lock accounts after multiple failed login attempts – making online brute force attacks practically impossible.
- Data breach monitoring: Monitor whether your credentials have appeared in known breaches – free at haveibeenpwned.com.
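The account-lockout control described above can be implemented as a small per-account failure tracker on the server side. The class below is an added example and not code from the original article or any particular service; the thresholds (5 failures within 15 minutes, 15-minute lockout), the injected clock, and the single test account with its password are all constructed for illustration.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

# Added example (not from the original article): lock an account after too
# many failed logins inside a sliding window. Time is passed in explicitly so
# the behaviour is deterministic; thresholds are assumed values.


class LoginThrottle:
    """Track failed logins per account and lock the account after too many."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 900,
                 lockout_seconds: float = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record one failed attempt; return True if it triggers a lockout."""
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def attempt(self, account: str, password: str, now: float,
                verify: Callable[[str, str], bool]) -> str:
        """Gate a login: 'locked' (credentials not even checked), 'ok', or 'denied'."""
        if self.is_locked(account, now):
            return "locked"
        if verify(account, password):
            self.record_success(account)
            return "ok"
        return "locked" if self.record_failure(account, now) else "denied"


def simulate() -> List[str]:
    """Constructed timeline: five wrong guesses, then the right password twice."""
    throttle = LoginThrottle(max_failures=5, window_seconds=900, lockout_seconds=900)
    creds = {"alice": "correct-horse-battery-staple"}  # constructed test account

    def verify(account: str, password: str) -> bool:
        return creds.get(account) == password

    results = [throttle.attempt("alice", f"guess{t}", now=t, verify=verify)
               for t in range(5)]
    # Right password while locked is still refused; after the lockout it works.
    results.append(throttle.attempt("alice", creds["alice"], now=10, verify=verify))
    results.append(throttle.attempt("alice", creds["alice"], now=10 + 900, verify=verify))
    return results


if __name__ == "__main__":
    print(simulate())
```

Two design points worth noting: the lock is checked before the password is verified, so a locked account does not leak whether a guess was right, and the client-facing message should be the same for "denied" and "locked" so that the endpoint does not reveal which accounts exist. Lockout also lets anyone who knows a username lock its owner out by failing on purpose, which is why services pair it with per-source rate limiting, progressive delays or a challenge rather than relying on it alone.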
Who Is at Risk from Brute Force Attacks?
Brute force attacks primarily target:
- Offline systems with stolen password hashes (after a database breach)
- Users with weak or reused passwords
- Accounts without 2FA
- Organizations with unsecured admin access (SSH, RDP)
Private users with strong, unique passwords and 2FA are practically immune to brute force attacks.