Brute force attacks: What they are and how they work

Dawna Roberts

Oct 25, 20235 min read

Brute force attacks: What they are and how they work: Header image

Hackers use dozens of methods to break into servers, mobile devices, and accounts. One of these is called a brute force attack. It’s a simple but effective technique that results in data breaches, theft, and the destruction of digital assets. 

This guide will help you understand what a brute force attack is. It also includes examples of brute force attacks and information about how to protect yourself from these incidents. 

What is a brute force attack?

A brute force attack is a hit-or-miss technique for obtaining passwords or encryption keys. Hackers use software that rapidly tries millions of combinations of popular passwords to try to log into a digital account. 

What is “brute force” in cybersecurity? The term refers to the aggressive and rapid attempts by the software to force its way in. It’s one of the oldest forms of attack but is still used today by modern cybercriminals.

The threat actor continues to try millions of combinations until they find one that works. It’s not a sophisticated strategy, but it can be quite effective in many cases. 

A photo of a brute force: rainbow table attack.
Source: Unsplash

Examples of brute force password-cracking attacks

Bruteforcing has proved to be an effective attack strategy for some nefarious hacker groups. Below are some notable password-cracking attacks: 

  • In April 2013, WordPress, one of the most popular website platforms, was the victim of a brute force attack from 90,000 IP addresses stealing user credentials. 
  • GitHub, a popular software repository, was hit in 2013 when a cybercriminal group used 40,000 IP addresses to breach accounts with weak passwords. The company has since fortified its security requirements for all users. 
  • Coffee icon Dunkin’ Donuts faced serious fines ($650,000) after a 2015 brute force account attack in which hackers breached 19,715 user accounts and stole thousands of dollars in rewards cash.
  • Another example from 2015 is the e-commerce platform Alibaba, which suffered a devastating brute force attack in which hackers breached 99 million credentials (stolen from another data breach). Twenty-one million of these accounts used the same credentials for different accounts, which is why hackers were able to get in.

How brute force works

Attackers use a combination of manual and automated methods to perform brute force infiltration. The simplicity of this technique makes it a go-to strategy for new hackers earning their chops. 

Sometimes, these cybercriminals use lists of stolen credentials purchased or discovered on the dark web. Other times, they may use an algorithm to create combinations of letters, symbols, and numbers to find passwords that work.

Some of the most commonly used open-source software tools used by hackers are John the Ripper, Aircrack-ng, and Hashcat, while some criminals use password-cracking hardware to facilitate their break-ins. 

Types of brute force attacks

Brute force attacks refer to a broad spectrum of different types of attack methods. The following are some of the most popular. 

Credential stuffing

Credential stuffing is when a hacker has obtained a working username/password combination for one account and tries it on another, knowing that many people reuse information across websites. 

Dictionary attack

A dictionary attack is when a bad actor creates a list of potential passwords from common dictionary words, popular passwords, or slight variations. They target a single account, try them all, and then move on to the next victim. 

An image of a dictionary.
Source: Pixabay

Rainbow table attack

Many systems do not store passwords in plain text. Instead, they hash them with alternate characters. A rainbow table attack uses an elaborate table of password hashes and equivalent passwords. Hackers use these sophisticated rainbow tables to unlock the actual passwords from hashed lists. 

Hybrid brute force attack

A hybrid brute force attack is a combination of the dictionary method and a simple brute force attack. The threat actor has the proper username and then uses a dictionary attack to crack the password. They may start out with a long list of typical passwords and then add characters to find a winning combo. Many people use the same passwords or add a few extra numbers, characters, or symbols to the end, which is why this method works so well. 

Protection from brute force attacks

Individuals and companies must work hard to protect themselves against the myriad of attacks across the cybersecurity landscape. Some tips for protecting yourself against brute force attacks include the following. 

1. Lock out abusive IP addresses

You can configure your server to lock out IP addresses after a specific number of tries. You can also block IPs coming from particular countries. These tactics can help prevent intrusion. 

2. Use very strong passwords

Always use robust, complex passwords made up of a combination of letters, numbers, and symbols. Consider using a password vault to keep all your passwords safe in one place so you don’t have to remember them all. All you do is create a master password and lock the rest up. In addition, change your passwords regularly to keep them fresh, since many attacks use previously stolen passwords. 

3. Enable two-factor authentication

Enable two-factor or multi-factor authentication on all your online accounts and devices. That way, even if someone gains access to your username and password, they can only get in if they have extra personal information linked to your account. Plus, most services will alert you that there has been a login attempt, and you can quickly take action and lock your account or change the password. 

4. Safeguard personal information

Never give out personal information online or share your passwords. Instead of clicking a link in an email to visit a site, go to your browser and type it in manually so you ensure you are visiting a legitimate company site. 

5. Never reuse passwords

Never reuse the same passwords on multiple accounts. Otherwise, all your accounts could be compromised in a credential-stuffing attack. Create a unique username and password for each online account. 

Navigating digital resources can be tricky, especially with all the threats out there. Fortunately, following these and other cybersecurity best practices can keep your personal information safe and prevent financial losses and identity theft. 

Dawna Roberts Dawna Roberts
Dawna has spent her entire career in web dev, cybersecurity, and IT. Her work has been featured on Forbes, Adobe, Airtable, Backblaze, Cyberleaf, Lifewire, and other online publications for the past ten years.