Definition

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.

A brute force attack may also be referred to as brute force cracking.

Technical explanation

A brute force attack is an attack on passwords or cryptographic keys that does not exploit any weakness in the cipher or the system; it simply tries candidate passwords, words, or key values one after another until one works. For example, a simple brute force attack may use a dictionary of common words or commonly used passwords and cycle through it until it gains access to the account. A more thorough brute force attack (an exhaustive search) tries every possible combination of characters until the correct password is found. Because the number of possible combinations of letters, numbers, and symbols grows exponentially with the length of the password, such an attack can take a very long time to complete. The same applies to encryption keys: the longer the key (64-bit, 128-bit or 256-bit), the longer an exhaustive search takes, since each additional bit doubles the number of keys that must be tried.

Although a brute force attack may eventually gain access to an account, it can take hours, days, months, or even years to run. The time needed depends on the length and complexity of the password, the strength of the encryption (in particular the key length), how much the attacker already knows about the target, and the computing power available to the attacker.
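The two attack styles described above, as an added example that is not part of the original article: a dictionary attack that walks a short wordlist, and an exhaustive search that enumerates every string over a small alphabet, both run against a salted hash of the target password. The wordlist, salt, and hashing scheme are constructed for the example; the `keyspace` and `worst_case_seconds` helpers show how the number of candidates, and therefore the running time, grows with alphabet size and length.

```python
import hashlib
import itertools

# Constructed example: the target system stores passwords as salted SHA-256
# digests. A real system should use a slow password hash (bcrypt, scrypt,
# Argon2); SHA-256 is used here only so the example runs quickly.
SALT = b"constructed-salt"

# Constructed wordlist of "commonly used" passwords (not a real list).
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123"]


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Hash a password the way the hypothetical target system does."""
    return hashlib.sha256(salt + password.encode()).digest()


def dictionary_attack(target_hash: bytes, wordlist) -> tuple:
    """Try each candidate from a wordlist in order.

    Returns (password_or_None, number_of_attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hash_password(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


def exhaustive_attack(target_hash: bytes, alphabet: str, max_len: int) -> tuple:
    """Try every string over `alphabet` of length 1..max_len, shortest first.

    Returns (password_or_None, number_of_attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    # A weak password is found by the dictionary attack after a few guesses.
    print(dictionary_attack(hash_password("letmein"), WORDLIST))
    # A short password over a tiny alphabet falls to exhaustive search.
    print(exhaustive_attack(hash_password("ab"), "abc", 3))
    # Growth of the search space: 8 lowercase letters vs 12 mixed characters,
    # at a constructed rate of one billion guesses per second.
    print(worst_case_seconds(26, 8, 1e9))
    print(worst_case_seconds(95, 12, 1e9) / (3600 * 24 * 365), "years")
```

The point of the two attack functions is the attempt counter: the dictionary attack succeeds in a handful of guesses whenever the password is on the list, while the exhaustive search's cost is bounded only by the keyspace, which is what the `worst_case_seconds` figures illustrate.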

How to defend against brute force attacks

To help prevent dictionary and other brute force attacks:

  • Many systems allow a user only three or four failed attempts at entering their username or password.
  • If the user exceeds that limit, the system either locks the account or blocks further attempts for a set period of time.
  • In addition, require users to choose complex passwords (long, with a mix of character types) that are unlikely to appear in an attacker's dictionary.
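The defences listed above, as an added example that is not part of the original article: an in-memory login guard that counts consecutive failures per account, locks the account for a set period once the limit is reached, and rejects weak passwords at registration. The `LoginGuard` class, the three-failure limit, the lockout period, the PBKDF2 parameters, and the complexity rule are all choices made for this example, not the page's own; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3        # example policy: lock after the third failed attempt
LOCKOUT_SECONDS = 900   # example policy: 15-minute lockout


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256, example parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_complex(password: str) -> bool:
    """Example complexity policy: at least 12 characters and three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


class LoginGuard:
    """Tracks failed logins per account and enforces a temporary lockout.

    Hypothetical in-memory implementation; a real deployment would persist
    the counters and also rate-limit by source address."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}         # username -> (salt, hash)
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time when the lockout ends

    def register(self, username: str, password: str) -> None:
        if not is_complex(password):
            raise ValueError("password does not meet the complexity policy")
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns "ok", "failed" or "locked"."""
        now = self.clock()
        if now < self.locked_until.get(username, 0):
            return "locked"          # do not even evaluate the password
        stored = self.users.get(username)
        # Hash against dummy values for unknown users so the response time
        # does not reveal which usernames exist.
        salt, expected = stored if stored else (b"\0" * 16, b"\0" * 32)
        ok = hmac.compare_digest(_hash(password, salt), expected) and stored is not None
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "Correct-Horse-42")
    for attempt in ["wrong", "wrong", "wrong", "Correct-Horse-42"]:
        print(attempt, "->", guard.login("alice", attempt))
```

Note the trade-off: a per-account lockout lets an attacker who knows a username deliberately lock that user out, so production systems usually combine it with per-source rate limiting and a slow password hash rather than relying on the lockout alone.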