Defining brute force attacks and how they work

Whether you’re a website owner or web user, it always pays to be vigilant online, particularly when it comes to authentication and logins. Hackers have many ways of compromising online accounts and systems, and if you don’t practice good password hygiene, you’ll likely be a victim sooner or later. One of these methods, which we’ll be talking about today, is brute force attacks. 

What is a brute force attack?

Brute force attacks are a simple yet often effective method of guessing log-in credentials to gain access to online accounts. Malicious actors essentially use trial and error to guess someone’s username and password combinations. Sometimes hackers will do it manually, but many use the far quicker option of computer applications or bots to do it for them. Brute force attacks can sometimes be used to guess encryption keys; however, if a server is using up-to-date cryptography methods (such as current, 256-bit SSL certificates), this is next to impossible. More often than not, brute force is used to crack website or system log-in details. 

Brute force attack methods

There are myriad methods of brute force attacks out there. Here are some of the most common:

  • Simple brute force attacks: With this method, hackers attempt to guess the passwords of known usernames without outside assistance like computer programs or data breach information. They’ll go through simple variations and (depressingly) commonly-used passwords, such as “qwerty” or “password”. 
  • Credential stuffing: This involves using known username and password combinations (for instance, those exposed in a data breach or from a previous brute force attack) for a particular website and trying to use it across multiple websites. This method exploits the fact that many people use the same credentials to log into various sites.
  • Dictionary attacks: In the same vein as a simple brute force attack, but far more complex. A dictionary machine is used to run through all manner of character strings and phrases to guess both usernames and passwords. This used to be limited to words from the dictionary, but more recent software contains millions of passwords from past data breaches and substitutes letters and numbers for common variations of words used. 
  • Reverse brute force attacks: Instead of starting with known usernames, this kind of attack starts a collection of known passwords and tests them against possible usernames until they find a match. 
  • Hybrid brute force attack: The hackers combine simple brute force attack techniques with outside assistance, such as dictionary attack software.

The consequences of brute force attacks

There are many reasons why hackers want to gain access to login credentials via brute force attacks. On the user side, possible consequences include identity theft, data loss, and fraud. For businesses and website owners, brute force can lead to all kinds of further security breaches, including system hijacking, DDoS attacks, distribution of malware, and data theft. No matter what your background, brute force attacks can result in significant financial losses and potential damage to your reputation.

How to protect yourself from brute force attacks

For users, the best way to protect yourself is to use the most robust password you can and never use the same password twice. Passwords should be long (at least 12 characters) and feature a combination of letters, numbers, and symbols. Never use words or numbers that can be easily found online, such as family member names or dates of birth. 

The easiest way to create strong passwords and keep them safe is to use a password generator and a password manager. 

For website administrators, there are several things you can do to bolster backend security to prevent brute force attacks:

  • Make strong passwords a requirement for users and staff alike
  • Remove any unused backend accounts that have high-level permissions for making changes to the site or system
  • Limit the number of login attempts users have. This makes it harder for hackers to gain access to an account through brute force. After a certain number of attempts, lock the account entirely and ensure that only the administrator can unlock it.
  • Enable a Captcha tool to stop brute force tools in their tracks. While humans can solve Captcha puzzles fairly easily, machines cannot.
  • Two-factor authentication is also a great way to prevent brute force attacks.


When it comes to security breach methods, brute force attacks are an oldy but a goodie. Such attacks are still pretty effective due to the fact that many users across the Internet still use simple or common passwords that they reuse across multiple sites. Likewise, many websites haven’t set up their backend to deal with these kinds of attacks. Fortunately, the solution is simple: always practice good password hygiene and implement a few small changes to your site or system to ensure that hackers are stopped in their tracks.

Share on Twitter, Facebook, Google+