How Brute Force Attacks Work (And How to Prevent Them)

Click Crowd Media Editorial Team · 8 min read

A brute force attack is one of the oldest and most straightforward methods of compromising a password-protected account. It requires no social engineering, no inside knowledge, and no technical exploit in the target software — only computing power and time. Understanding how these attacks work, and what makes them succeed or fail, explains why password length and randomness are so critical to account security.

The Basic Mechanics

In a pure brute force attack, the attacker writes software that systematically generates and tests every possible combination of characters for a password. Starting from "a", then "b", through "z", then "aa", "ab", and so on, the program continues until it finds a combination that matches.

The number of possible combinations grows exponentially with password length. A password using only lowercase letters has 26 possible characters per position, so the total number of combinations for a given length n is 26ⁿ:

  • 6 characters: ~300 million combinations
  • 8 characters: ~200 billion combinations
  • 12 characters: ~95 quadrillion combinations
  • 16 characters: ~43 quintillion combinations

When the character set expands to include uppercase letters, digits, and symbols (roughly 94 characters total), the numbers grow even faster. Modern password cracking hardware can test billions of password hashes per second — but even at a billion guesses per second, a truly random 16-character password from a 94-character set would take far longer than the age of the universe to crack exhaustively.
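The arithmetic behind those figures, as an added example (not code from the article): the block computes the keyspace, the entropy in bits, and the worst-case time to exhaust it at a given guess rate, for both the 26-character and 94-character sets. The billion-guesses-per-second rate and the 13.8-billion-year age of the universe are the only assumed inputs; note that the exact value of 26¹⁶ is about 4.4 × 10²².

```python
import math

# Constructed constants for this example: the two character-set sizes the
# article uses and a rough age of the universe (13.8 billion years) in seconds.
LOWERCASE = 26
PRINTABLE_ASCII = 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_SECONDS = 13.8e9 * SECONDS_PER_YEAR


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of its keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate.
    On average an attacker hits the right one after half this time."""
    return keyspace(charset_size, length) / guesses_per_second


def exceeds_age_of_universe(charset_size: int, length: int, guesses_per_second: float) -> bool:
    """True when even an exhaustive search at this rate outlasts the universe."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) > AGE_OF_UNIVERSE_SECONDS


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    rate = 1e9  # one billion guesses per second, the rate the article quotes
    print(f"{'charset':>8} {'length':>6} {'keyspace':>10} {'bits':>6}  time to exhaust at 1e9/s")
    for charset_size in (LOWERCASE, PRINTABLE_ASCII):
        for length in (6, 8, 12, 16):
            print(f"{charset_size:>8} {length:>6} {float(keyspace(charset_size, length)):>10.3g} "
                  f"{entropy_bits(charset_size, length):>6.1f}  "
                  f"{human_duration(seconds_to_exhaust(charset_size, length, rate))}")
```

Run it and the 94-character, 16-length row comes out in the region of 10¹⁵ years, which is the "longer than the age of the universe" claim made concrete; the 26-character, 8-length row falls in minutes.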

Dictionary Attacks: Smarter Brute Force

Pure brute force is impractical against long passwords. Attackers use dictionary attacks instead, which test known words, common phrases, and previously leaked passwords before attempting random combinations. This is far more effective because most user-chosen passwords follow predictable patterns.

Wordlists used in dictionary attacks are not just dictionary words. They include:

  • Billions of real passwords leaked in historical breaches (the RockYou list alone contains 14 million passwords)
  • Common substitutions (e → 3, a → @, o → 0)
  • Name + number combinations
  • Keyboard patterns
  • Dates and years

The practical implication: a password that "looks" complex but follows a common pattern (like P@ssword2024!) may be cracked within seconds, while a randomly generated 14-character string takes effectively forever.
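To show why P@ssword2024! is weak despite its mixed character classes, here is an added example (not from the article) of the normalisation a password-strength checker can apply before consulting a wordlist: undo the common substitutions, strip the trailing year or digits, and look up the base word. The wordlist, substitution table and reason strings are constructed for the example; a real checker would load a breach-derived list such as RockYou.

```python
import re

# Constructed miniature wordlist standing in for a breach-derived list such as RockYou.
COMMON_BASE_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin",
    "monkey", "dragon", "football", "iloveyou", "sunshine",
}

# Common substitutions, reversed so a candidate can be normalised back to its base word.
UNSUBSTITUTE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

REASON_COMMON_WORD = "base word appears in a common-password list"
REASON_YEAR = "contains a four-digit year"
REASON_WORD_DIGITS = "word followed by digits (name + number pattern)"
REASON_KEYBOARD = "contains a keyboard-row run"


def base_word(candidate: str) -> str:
    """Strip leading/trailing digits and symbols, then undo common substitutions."""
    core = candidate.lower()
    core = re.sub(r"^[^a-z]+", "", core)   # leading symbols/digits
    core = re.sub(r"[^a-z]+$", "", core)   # trailing suffix such as "2024!"
    return core.translate(UNSUBSTITUTE)


def has_keyboard_run(lowered: str) -> bool:
    """True if four adjacent keys from one keyboard row (either direction) appear."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def weakness_reasons(candidate: str) -> list:
    """Return every predictable pattern found in `candidate` (empty list if none)."""
    reasons = []
    lowered = candidate.lower()
    if base_word(candidate) in COMMON_BASE_WORDS:
        reasons.append(REASON_COMMON_WORD)
    if re.search(r"(19|20)\d{2}", candidate):
        reasons.append(REASON_YEAR)
    if re.fullmatch(r"[a-z]+\d+[^a-z0-9]*", lowered):
        reasons.append(REASON_WORD_DIGITS)
    if has_keyboard_run(lowered):
        reasons.append(REASON_KEYBOARD)
    return reasons


def is_predictable(candidate: str) -> bool:
    """A password with any detected pattern belongs in the 'cracked in seconds' category."""
    return bool(weakness_reasons(candidate))


if __name__ == "__main__":
    for pw in ("P@ssword2024!", "qwerty123", "john1987", "x7Gq!m9Lz#Rt2wBn"):
        print(f"{pw:<18} {weakness_reasons(pw) or 'no pattern detected'}")
```

The last candidate is a constructed random 16-character string; it trips none of the checks, which is exactly the point the paragraph above makes about randomly generated passwords.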

Credential Stuffing: Using Leaked Data

Credential stuffing is a related attack that does not involve cracking passwords at all. Instead, attackers take username/password combinations leaked in one data breach and test them against other services. If a user has the same password on multiple sites, the attacker can access all of them once one is breached.

This is one of the most common and effective attack methods in use today, precisely because password reuse is extremely common. Using a unique password for every account is the primary defence against credential stuffing.
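From the service side, credential stuffing has a recognisable shape in authentication logs: one source address attempting logins against many different accounts in a short window, mostly failing. The following is an added detection example (not from the article) over a constructed log sample. The log format, the RFC 5737 documentation IP addresses and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed authentication log in a form a login service might emit.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=198.51.100.22 user=alice result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=dave result=OK
2024-05-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.22 user=alice result=OK
2024-05-01T10:01:00Z ip=192.0.2.5 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window_seconds=600, min_distinct_users=5):
    """Flag source IPs that try many *different* accounts inside one sliding window.

    A legitimate user mistyping a password hits one account; a stuffing run hits
    many. For each flagged IP we also collect the accounts that logged in
    successfully from it, since those are the reused credentials that worked and
    should be forced through a password reset."""
    events_by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        for ev in events:
            window.append(ev)
            while window[0]["ts"] < ev["ts"] - window_seconds:
                window.popleft()
            users = {e["user"] for e in window}
            if len(users) >= min_distinct_users:
                hit = flagged.setdefault(ip, {"distinct_users": 0, "failures": 0, "succeeded": set()})
                hit["distinct_users"] = max(hit["distinct_users"], len(users))
                hit["failures"] = sum(1 for e in window if not e["ok"])
                hit["succeeded"] |= {e["user"] for e in window if e["ok"]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, {info['failures']} failures, "
              f"successful logins for {sorted(info['succeeded'])}")
```

In the sample, 203.0.113.7 is flagged (six accounts in a few seconds) while 198.51.100.22, which fails twice on a single account before succeeding, is not. The "succeeded" set is the actionable output: dave's password worked for the attacker, so it is evidently reused and should be reset.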

Online vs Offline Attacks

There are two fundamentally different environments for brute force attacks:

Online Attacks

Online attacks target live login forms on websites and services. Attackers submit guesses to the actual login endpoint and wait for a response. These are naturally rate-limited by network latency and, on well-protected services, by account lockouts and CAPTCHA challenges. Online attacks are generally slow and noisy.

Offline Attacks

Offline attacks occur when an attacker has obtained a copy of a database containing hashed passwords (typically through a data breach). The attacker can run cracking software at full hardware speed on their own machines, without any rate limiting. This is where the billions-of-hashes-per-second speeds are relevant — and why the strength of the hashing algorithm used by the service matters enormously. Modern algorithms like Argon2 and bcrypt are designed to be slow, limiting offline cracking to thousands or tens of thousands of guesses per second instead of billions.
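The cost-per-guess difference is easy to measure. This added example (not from the article) times a plain SHA-256 against PBKDF2-HMAC-SHA256 from Python's standard library, which stands in here for bcrypt or Argon2 because those need third-party packages; the 100,000-iteration work factor, the sample password and the 14-million-entry wordlist size (the RockYou figure quoted earlier) are the example's assumptions. Single-core Python rates are far below a GPU rig's, but the ratio between the two schemes is what carries over.

```python
import hashlib
import hmac
import os
import time

# Constructed values for the demonstration.
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(16)
PBKDF2_ITERATIONS = 100_000      # assumed work factor; tune so one hash costs ~100 ms on your servers
WORDLIST_ENTRIES = 14_000_000    # size of the RockYou list quoted in the article


def hash_fast(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-256: the kind of fast hash a service should NOT store passwords with."""
    return hashlib.sha256(salt + password).digest()


def hash_slow(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_slow(password: bytes, salt: bytes, stored: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(hash_slow(password, salt, iterations), stored)


def guesses_per_second(hash_fn, trials: int = 5) -> float:
    """Measure how many candidate passwords one core can hash per second with `hash_fn`."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(PASSWORD + bytes([i % 256]), SALT)   # vary the input so nothing is cached
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def seconds_for_wordlist(rate: float, entries: int = WORDLIST_ENTRIES) -> float:
    """Time to test every entry of a wordlist against ONE stored hash at `rate` guesses/s."""
    return entries / rate


if __name__ == "__main__":
    fast_rate = guesses_per_second(hash_fast, trials=200_000)
    slow_rate = guesses_per_second(hash_slow, trials=5)
    for name, rate in (("SHA-256", fast_rate), ("PBKDF2 100k", slow_rate)):
        print(f"{name:<12} {rate:>12,.0f} guesses/s  "
              f"-> {seconds_for_wordlist(rate) / 3600:,.1f} hours per RockYou-sized list")
    stored = hash_slow(PASSWORD, SALT)
    print("verify correct password:", verify_slow(PASSWORD, SALT, stored))
    print("verify wrong password:  ", verify_slow(b"wrong", SALT, stored))
```

Because the slow function is tuned per hash, the defender controls the attacker's cost directly: raising the iteration count (or the Argon2 memory parameter) multiplies the time to test the whole wordlist, while a legitimate login still pays only one evaluation.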

How to Protect Against Brute Force Attacks

  • Use long, random passwords. A 16+ character random password is impractical to crack by brute force. Generate one with our free Password Generator.
  • Never reuse passwords. Unique passwords for each account prevent credential stuffing from cascading across services.
  • Enable two-factor authentication. Even if a password is cracked, 2FA prevents login without a second factor the attacker cannot easily obtain.
  • Use a password manager. It generates genuinely random passwords and removes the need to remember them.
  • Check breach databases. Services like Have I Been Pwned allow you to check whether your email or passwords have appeared in known breaches.

What Services Can Do

Well-designed services implement server-side defences that make online brute force attacks impractical:

  • Rate limiting of login attempts per account or IP
  • Account lockouts after repeated failures
  • CAPTCHA challenges on suspicious login patterns
  • Slow hashing algorithms (bcrypt, Argon2) that make offline attacks costly
  • Checks of new passwords against known-compromised databases
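The first three items and the last one can be sketched in a few dozen lines. This is an added example, not the article's or any product's code: a sliding-window login guard that escalates from allow to CAPTCHA to lockout per account and caps attempts per source IP, plus a compromised-password check modelled on the k-anonymity range query that the Pwned Passwords API uses (the client sends only the first five hex characters of the SHA-1 and compares suffixes locally). The thresholds, the window length and the tiny compromised-password set are assumptions for the example.

```python
import hashlib
from collections import defaultdict, deque

# Assumed policy thresholds for this example (not from the article); tune per service.
WINDOW_SECONDS = 900       # failures older than this no longer count
CAPTCHA_AFTER = 3          # per-account failures before a CAPTCHA is required
LOCK_AFTER = 10            # per-account failures before the account is locked
IP_ATTEMPT_LIMIT = 20      # total attempts per source IP inside the window


class LoginGuard:
    """Sliding-window throttling for a login endpoint: per-account CAPTCHA and
    lockout, plus a per-IP cap so one source cannot spray many accounts."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> timestamps of failed attempts
        self._attempts = defaultdict(deque)   # ip -> timestamps of all attempts

    @staticmethod
    def _prune(timestamps, now):
        while timestamps and timestamps[0] <= now - WINDOW_SECONDS:
            timestamps.popleft()

    def decide(self, account, ip, now):
        """Return 'allow', 'captcha', 'locked' or 'rate_limited' for an attempt at time `now`."""
        self._prune(self._attempts[ip], now)
        self._prune(self._failures[account], now)
        if len(self._attempts[ip]) >= IP_ATTEMPT_LIMIT:
            return "rate_limited"
        failures = len(self._failures[account])
        if failures >= LOCK_AFTER:
            return "locked"
        if failures >= CAPTCHA_AFTER:
            # CAPTCHA before lockout: slows bots without letting a few bad guesses lock out the real owner.
            return "captcha"
        return "allow"

    def record(self, account, ip, success, now):
        """Call after every attempt. A success clears the account's failure history."""
        self._attempts[ip].append(now)
        if success:
            self._failures[account].clear()
        else:
            self._failures[account].append(now)


# --- Compromised-password check at registration or password change ---------------
# Constructed stand-in for a breach corpus, stored as upper-case hex SHA-1 as the
# Pwned Passwords range API does.
_COMPROMISED = {"password", "123456", "P@ssword2024!", "qwerty123"}
_COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _COMPROMISED}


def range_query(prefix: str) -> list:
    """Server side: every known hash suffix whose hash starts with the 5-character `prefix`."""
    return sorted(h[5:] for h in _COMPROMISED_SHA1 if h.startswith(prefix))


def is_compromised(password: str) -> bool:
    """Client side: the full password and full hash never leave this function."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


if __name__ == "__main__":
    guard = LoginGuard()
    for t in range(12):
        print(f"t={t:>2} alice from 203.0.113.7 -> {guard.decide('alice', '203.0.113.7', now=t)}")
        guard.record("alice", "203.0.113.7", success=False, now=t)
    print("after the window expires ->", guard.decide("alice", "203.0.113.7", now=12 + WINDOW_SECONDS))
    for pw in ("123456", "x7Gq!m9Lz#Rt2wBn"):
        print(f"{pw!r} compromised: {is_compromised(pw)}")
```

The per-IP cap is what blunts the credential-stuffing pattern (many accounts, one source), while the per-account counters handle a focused attack on one login; a real deployment keeps these counters in shared storage so that every application server sees the same history.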

Frequently Asked Questions

What is a brute force attack?

A brute force attack systematically tries every possible combination of characters for a password until the correct one is found. It is the most basic form of password cracking.

How long does a brute force attack take?

Time depends on password length, character set, and hashing algorithm. A 16-character random password would take longer than the age of the universe to crack with current hardware.

What is the difference between a brute force attack and a dictionary attack?

Brute force tries every possible combination. Dictionary attacks use wordlists of common passwords and phrases, making them much faster against weak or predictable credentials.