
The Essential Brute Force Attack Guide: Definition, Types, & Prevention

A brute force attack is when a hacker uses trial and error to crack a password. This attack method is also used in the illegal decryption of encrypted information. Read on to discover how brute force attacks work and how a strong cybersecurity tool like Avast One can help protect your passwords and keep you safer online.

Written by Domenic Molinaro
Updated on April 08, 2024

What is a brute force attack, exactly?

A brute force attack is a type of cyberattack where a hacker uses technology to submit many different passwords or passphrases to try to correctly guess a password or decryption code and gain unauthorized access to a system. Attackers accomplish this by systematically trying as many password combinations as possible until they arrive at the right combination of characters.


    How long does a brute force attack take?

    The time it takes to brute force a password depends on the strength of the password and the hacker’s technology. Hackers can crack weak passwords in seconds, while longer, more complex passwords would take years to uncover. There are a finite number of character combinations for every password length, and modern computers can make hundreds of billions of login attempts per second.

    Passwords containing more characters and variety (e.g., letters, numbers, and symbols) are harder to guess. For example, if your password contains seven letters, a hacker could brute-force this password in mere seconds. However, extending that password to 18 characters would take nearly 500,000 years with today’s technology.

    “Today’s technology” is a big caveat, though. As hackers gain access to more advanced technology, their methods improve. Every year, they can use brute force attacks to unearth more complex passwords at greater speeds. This is why it’s so important to update your passwords regularly and make them stronger.
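    The arithmetic behind the "seconds versus years" claim above is simple: the number of possible passwords is the character-set size raised to the password length, and dividing that by the attacker's guess rate gives the worst-case time to try them all. The following added example (not code from the article) carries that calculation through; the guess rate of 100 billion per second and the character-set sizes are assumptions chosen for illustration, and real rates depend heavily on the hash algorithm and hardware involved.

```python
import math

# Assumed guess rate for illustration only: 100 billion guesses per second.
# Real rates vary by orders of magnitude with the hash algorithm and hardware.
ASSUMED_GUESSES_PER_SECOND = 100_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character-set sizes; the symbols a site allows vary.
CHARSETS = {
    "lowercase": 26,      # a-z
    "letters": 52,        # a-z, A-Z
    "alphanumeric": 62,   # letters and digits
    "printable": 95,      # letters, digits and 33 printable ASCII symbols
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination; the expected time is half this."""
    return keyspace(charset_size, length) / rate


def years_to_exhaust(charset_size: int, length: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit for display."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.3g} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def report(length: int) -> dict:
    """Worst-case crack time for each character set at the assumed rate."""
    return {name: human_time(seconds_to_exhaust(size, length))
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for length in (7, 12, 18):
        print(f"{length} characters:")
        for name, when in report(length).items():
            print(f"  {name:13s} {entropy_bits(CHARSETS[name], length):6.1f} bits  {when}")
```

    Running it shows why length matters more than any single extra symbol: every added character multiplies the keyspace by the size of the character set, so the time grows exponentially in length but only linearly in charset size.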

    Is a brute force attack illegal?

    Brute force attacks are not illegal in and of themselves. They’re a highly valuable tool for determining the strength of your passwords, and companies often use them to improve their cybersecurity capabilities.

    But brute force attacks are illegal when used as a method of hacking to access data without permission. Accessing data without permission is illegal, even if you successfully crack the password to access it.

    It’s a bit like cracking a safe, which is not illegal in itself. You can buy yourself a safe and crack it all day, or you can crack someone else’s safe, with their permission, of course. But, as soon as you crack a safe and steal its contents, you’re doing something illegal.

    Types of brute force attacks

    There are five common types of brute force attacks: simple attacks, dictionary attacks, hybrid attacks, reverse attacks, and credential stuffing.

    Simple brute force attacks

    Simple brute force attacks systematically cycle through combinations of words, letters, and characters until they crack a password. These attacks require little computing power or ingenuity. They are so easy that they can be done manually, although this is obviously more time-consuming.

    This means that long and complex passwords are beyond the scope of simple attacks, which are typically limited to variations on the most common or likely passwords.

    A bot can easily brute force a predictable password, with some of the worst passwords being ones that have sequential numbers (123456), a person’s name or birthday, or the notorious (and still perplexingly popular) “password.”

    Simple brute force attacks cycle through combinations of words and numbers to guess weak passwords.

    Simple brute force attacks are still effective because many people don’t realize the danger of using simple passwords. Others may choose to risk their security with simple passwords rather than bother remembering longer, more complex ones. But you don’t even need to remember passwords if you use a good password manager.

    Dictionary attacks

    Dictionary attacks use a digital dictionary or a wordlist to target more obscure passwords. These attacks try to guess your password by cycling through every word, common combinations of that word with other words, variations in spelling, and words in various languages.

    Choosing a more obscure word for your password can protect you from simple brute force hacking attacks, but it won’t keep you safe from dictionary attacks. If you use a single word for your password, a brute force dictionary attack can succeed in seconds.

    Hybrid brute force attacks

    Hybrid brute force attacks combine simple brute force hacking attacks and dictionary attacks. Common passwords are mixed with dictionary words and random characters to create a larger database of password combinations to try. A password like “p@$$w0rd” might fool a dictionary attack, but it offers little defense against a hybrid attack.

    Hackers using hybrid attacks will customize their attack strategy rather than simply trying every word one by one. The infiltrator knows what word combinations are more likely based on wordlists (perhaps purchased on the dark web), the target’s demographic, and general knowledge of human behavior. They then prioritize their attacks to target these combinations first.
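    The difference between the three candidate sets (simple, dictionary, hybrid) is easiest to see in code. The following added example, which is not part of the article and not from any of the tools it names, is a self-audit: given the hash of one of your own passwords, it reports which attack type would find it. The wordlists are tiny constructed samples (real ones hold millions of entries), the substitution table and suffixes are assumptions, and the unsalted SHA-256 used for the comparison stands in for whatever hash the password store actually uses.

```python
import hashlib
import itertools
from typing import Iterator, Optional

# Constructed toy wordlists; real lists are far larger.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "111111", "letmein"]
DICTIONARY_WORDS = ["password", "dragon", "sunshine", "football", "welcome"]

# Assumed character substitutions a hybrid attack applies to dictionary words.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
# Assumed suffixes commonly appended to a base word.
SUFFIXES = ("1", "123", "2024", "!")


def simple_candidates() -> Iterator[str]:
    """Simple attack: the most common passwords, most likely first."""
    yield from COMMON_PASSWORDS


def dictionary_candidates() -> Iterator[str]:
    """Dictionary attack: every word plus its capitalised and upper-case forms."""
    for word in DICTIONARY_WORDS:
        yield word
        yield word.capitalize()
        yield word.upper()


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of applying or skipping each substitutable letter."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply, pos in zip(mask, positions):
            if apply:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def hybrid_candidates() -> Iterator[str]:
    """Hybrid attack: dictionary variants with substitutions and suffixes."""
    for word in dictionary_candidates():
        for variant in leet_variants(word):
            yield variant
            for suffix in SUFFIXES:
                yield variant + suffix


def sha256_hex(password: str) -> str:
    # Stand-in for the store's hash; real stores should use a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(stored_hash: str, hash_fn=sha256_hex) -> Optional[str]:
    """Name the cheapest attack type whose candidates match the hash, or None."""
    attacks = [
        ("simple", simple_candidates),
        ("dictionary", dictionary_candidates),
        ("hybrid", hybrid_candidates),
    ]
    for name, generate in attacks:
        for candidate in generate():
            if hash_fn(candidate) == stored_hash:
                return name
    return None


if __name__ == "__main__":
    for pw in ("123456", "Dragon", "p@$$w0rd", "correct horse battery staple"):
        print(f"{pw!r:34} -> {audit(sha256_hex(pw))}")
```

    "p@$$w0rd" survives the dictionary pass but falls to the hybrid pass, exactly as the text describes, while a long random passphrase is found by none of the three. Note that the audit only needs to hash each candidate and compare, which is why leaked password hashes, not just leaked plaintext, are enough for an offline attack, and why password stores should use a salted, deliberately slow hash to keep the per-guess cost high.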

    Reverse brute force attacks

    Reverse brute force attacks attempt to brute force the username instead of the password. When common passwords leak online due to data breaches, it’s often easier to input the password and crack usernames. Many users choose the same password, so one reverse attack can grant hackers access to many accounts.

    Many people don’t consider security for their login ID, which makes brute force hacking usernames simpler and more lucrative than it might seem.

    Credential stuffing

    Credential stuffing is when a hacker successfully obtains your username and password for one site and then tries logging in elsewhere with the same or similar credentials. Instead of brute forcing a password or username, they brute force the place where the password or username is used. That’s why you should be careful saving passwords in your browser.

    If you use the same password or username across multiple sites and one of your accounts is compromised, the others are too. In addition to using unique passwords on all your accounts, consider beefing up your security with antivirus software.

    Avast One helps protect against security issues, from leaked passwords to suspicious plugins to malware and other threats. It monitors the web for breaches 24/7 and alerts you when it detects that one of your passwords has been compromised. Start using Avast One today and help protect yourself from hackers.

    Tools used for brute force attacks

    Manual brute force attempts against all but the weakest of passwords are very time-consuming. But, hackers have developed a range of automated tools to help them crack passwords more easily. Anyone with a little know-how can use a brute force decryption tool, which is a specialized type of software that conducts brute force attacks.

    Here are some of the main specialized brute force attack software that hackers use:

    Types of brute force attack software

    • Weak password targeting tools
      By using tools that identify and try the easiest, most obvious passwords first, hackers often don’t need to resort to more heavy-duty methods.

    • Wi-Fi crackers
      Wi-Fi cracking tools analyze Wi-Fi network security and harvest data that lets them attack targeted networks more effectively.

    • Hash functions
      Passwords are usually stored not in plain text but as the output of a one-way hash function. Cracking tools hash each candidate password and compare the result against a stolen hash until they find a match.

    • Dictionary bots
      Through dictionary attacks, brute force tools can brush past single-word passwords in the blink of an eye.

    Common brute force attack tools

    • John the Ripper
      A free, open-source password-cracking tool that can perform different types of attacks, including dictionary attacks.

    • Hashcat
      Hashcat is an advanced password-cracking tool that can perform different types of attacks like dictionary and hybrid attacks.

    • Rainbow Crack
      This tool reduces the time needed to crack passwords by using precomputed rainbow tables of reversed password hashes.

    • Aircrack-ng
      Aircrack-ng is a suite of tools designed to assess Wi-Fi network security — its main purpose is to help security professionals and ethical hackers test a network. It includes a tool that aims to crack Wi-Fi passwords by running through common passwords in the hope of hacking into the network.

    Your typical lone-wolf bedroom hacker may not be able to afford a top-shelf password-cracking decryption tool and a powerhouse of a computer needed to run it. However, the definition of a hacker has changed over time. Today, many cybercriminals belong to well-funded and tightly organized groups with access to the top password-cracking techniques available.

    Why do cybercriminals use brute force attacks?

    There are many motives behind brute force attacks. Many hackers or cybercriminals use brute force attacks against websites to insert additional ads or steal your sensitive personal data through phishing attacks. A vindictive attacker can use a brute force cyber attack to destroy a website’s reputation.

    A brute force password cracker is software that repeatedly tries passwords until it finds the right one, and such tools can be freely found on the web. That means anyone with a vendetta or spare time to kill can give it a shot. As such, the motive and intensity of attacks will vary. Severe brute force attacks can take control over an entire system.

    Having gone through the most common brute force attack examples above, let’s examine some of the reasons why hackers use these techniques.

    The opportunity to explore hidden webpages

    Brute force hacking attacks can reveal a lot more than passwords and usernames. By brute forcing web addresses, attackers can gain access to webpages or directories that would otherwise remain hidden from public view.

    These web pages are usually set up for technical or personal reasons, or they were created and then forgotten about. In both cases, they may have weaker security than sites meant for the general public. They’re likely more vulnerable to malicious computer exploits, dangerous malware like Trojans, SQL injections, and other nefarious threats.

    If a hacker can brute force hack a hidden web page, they might secure themselves a reliable backdoor to the primary website.

    Profit from ads

    By illegally gaining access to websites, hackers can cause them to spam visitors with ads, with each click or view generating money for the hacker. Hackers can also reroute traffic to illegitimate sites brimming with ads or pharming websites disguised as real ones.

    By exploiting advertising business models and forcing people to view and contend with cascades of ads, hackers can cash in by the spamful.

    Spread malware

    Brute force attacks are often used to spread viruses and other malware throughout a system. Depending on the type of malware a hacker uses, they may be able to access sensitive data, such as your contact list and location.

    By installing adware on your device, a hacker can spam you with ads and make money when you see them. Hackers can also brute force a website and install malware on it that infects anyone who visits that site.

    Avast One can help protect you against unexpected threats. Our Web Shield will help block known malware from downloading to your PC while you browse the web, while our File Shield will analyze unknown files before they get to you, quarantining them immediately if they’re malicious.

    That means Avast One will help stop malicious attacks on your computer, even if they come from trusted domains that have been unknowingly compromised in a brute force attack. Plus, our built-in Smart Scan feature will shore up cracks in your online security by helping to monitor all your settings and add-ons for possible exposures.

    Need even more brute force protection? Check out Avast Premium Security, which can help automatically block brute force attempts on your device with our built-in Remote Access Shield.

    Steal data

    By gaining access to websites, hackers can track user browsing data and sell it to third parties. Your information is valuable to advertisers who want to sell you their products, analytics companies who help websites optimize their business models, and data brokers who want to sell personal or aggregated data to interested buyers.

    Downloading and using a brute force password cracker is so simple that there’s little downside for a hacker down on their luck. Big data means big profits these days.

    Of course, anyone who steals your data can also use it for themselves. For example, by using a brute force attack, a hacker can insert spyware to collect personal data, which they can use for doxxing or to commit identity theft.

    Hijack systems

    After a successful brute force attack, hackers can infect your device with ransomware that takes your valuable files hostage or even locks you out of your device completely. After taking control, hackers can then extort you into sending them money by threatening to destroy your files or release sensitive information.

    Ransomware such as Petya and WannaCry can encrypt your files until you pay up — and even then, there’s no guarantee that you’ll get your data back.

    How to prevent brute force attacks

    Implementing good cyber hygiene is the best way to keep yourself safe from brute force attacks. Practicing better password habits, using two-factor authentication, and using online security software can all go a long way toward helping to protect you against brute force hacking attempts.

    Here’s how to stop brute force attacks from being successful:

    Complex passwords

    Choosing a secure password is your first line of defense against a brute force attack. Set unique passwords for all your accounts and store them securely with a strong password manager. The longer and more complex the password, the better.

    You may have noticed websites asking whether you want them to generate a secure password for you. This is an easy way to generate random strings of letters, numbers, and symbols, which can significantly increase password security.

    If you create your own password, avoid using common identifiers such as your favorite sports team, the name of your city, or any other information that can be easily gleaned from your basic personal info.

    Finally, always create a different password for each of your accounts. Many people use the same password on multiple sites since having to recover your password is so annoying. You can avoid this problem and create hard-to-crack passwords with a secure password manager, which will automatically generate and store passwords for you.
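    Sites and password managers that offer to generate a password for you do what the following added example does (this is illustrative code, not the article's or any product's). The important detail is the `secrets` module: it draws from the operating system's cryptographic random source, whereas the ordinary `random` module is predictable and must not be used for passwords. The symbol set is an assumption, since sites differ in which symbols they accept.

```python
import secrets
import string

# Character classes to draw from; the symbol set is assumed, adjust to what a site allows.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}


def covers_all_classes(password: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Uniformly random password over the full alphabet that hits every class.

    Rejection sampling (regenerate until every class is present) keeps the
    result uniform over the set of acceptable passwords, unlike picking one
    character per class and then shuffling, which skews the distribution.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def in_alphabet(password: str) -> bool:
    """True when every character comes from the configured classes."""
    alphabet = set("".join(CLASSES.values()))
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(20))
```

    A 20-character password over this 86-character alphabet is far beyond any brute force budget; the only way it gets cracked is by being reused somewhere that leaks it, which is why each account needs its own.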

    Multi-factor authentication

    Multi-factor authentication (MFA) and two-factor authentication (2FA) require you to log in with at least two different types of credentials.

    Examples include single-use items that you need to have in your possession when you log in, such as a one-time code sent via text message or a key from a dedicated authentication app. Another authentication factor can be a biometric identifier, such as a fingerprint scan or facial recognition.

    Multi-factor authentication adds additional layers of security (like a PIN or biometric identifier) beyond your password.

    Use a VPN

    Setting up a VPN can give you an extra line of defense against brute force programs. It’s especially important to use a VPN when connecting to public Wi-Fi networks. These networks commonly lack security and may be rife with hackers looking to scoop up your data as you connect.

    Antivirus software

    Good antivirus software can do more than just detect and prevent malware. Cybersecurity programs like Avast One notify you of known password leaks, help shield your inbox from phishing scams, and remove threatening files from your device. Avast One also includes a secure VPN that helps you surf the web anonymously wherever you are.

    CAPTCHA

    CAPTCHA is a verification system that attempts to determine whether a user is human. You’ve probably encountered CAPTCHAs before if you’ve ever been asked to select all the images with a boat or enter the text you see before accessing a site.

    Brute force attack tools are not human, and CAPTCHA blocks many of them from making multiple password attempts. While CAPTCHA is mostly used by businesses, it can also be used by individuals who own a website. Adding CAPTCHA to your site can help stop hackers from using it to harvest your and others’ information.

    Limit login attempts

    If you own a website where users or customers log in, you should limit the number of login attempts allowed. You can do this by using a plugin to ban or temporarily lock out an IP address after so many failed attempts.
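    What a login-limiting plugin does under the hood, and how the reverse brute force and credential stuffing patterns described earlier show up in login logs, can both be shown with one small piece of code. The following added example is not the article's code or any particular plugin: it keeps a sliding window of failed attempts per source IP and per account, locks either key out after too many failures, and separately flags any IP that tries many distinct usernames, which is the signature of one password being sprayed across accounts. The thresholds and the sample login events are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Assumed policy values: lock after 5 failures within 10 minutes, for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 600
LOCKOUT_SECONDS = 900


class LoginLimiter:
    """Sliding-window failure counter with temporary lockout per key.

    A key is either "ip:<address>" or "user:<name>", so a single account
    hammered from many IPs and a single IP hammering many accounts both lock.
    """

    def __init__(self, max_failures: int = MAX_FAILURES,
                 window: int = WINDOW_SECONDS, lockout: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.locked_until: Dict[str, int] = {}

    def is_locked(self, key: str, now: int) -> bool:
        return self.locked_until.get(key, 0) > now

    def record_failure(self, key: str, now: int) -> bool:
        """Record one failure; return True if it triggered a lockout."""
        recent = self.failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:   # drop stale entries
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)


# Login event: (unix_time, source_ip, username, password_was_correct)
Event = Tuple[int, str, str, bool]


def process_events(events: List[Event],
                   limiter: Optional[LoginLimiter] = None) -> List[str]:
    """Decide each attempt: "locked", "allowed", "denied" or "denied+locked"."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for now, ip, user, correct in events:
        ip_key, user_key = f"ip:{ip}", f"user:{user}"
        if limiter.is_locked(ip_key, now) or limiter.is_locked(user_key, now):
            decisions.append("locked")        # not even evaluated while locked
            continue
        if correct:
            limiter.record_success(user_key)
            decisions.append("allowed")
            continue
        # Non-short-circuit "|" so both counters are updated.
        tripped = limiter.record_failure(ip_key, now) | limiter.record_failure(user_key, now)
        decisions.append("denied+locked" if tripped else "denied")
    return decisions


def detect_spraying(events: List[Event], min_distinct_users: int = 5) -> List[str]:
    """IPs that tried at least N distinct usernames: one password, many accounts."""
    users_by_ip: Dict[str, set] = defaultdict(set)
    for _, ip, user, _ in events:
        users_by_ip[ip].add(user)
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= min_distinct_users)


# Constructed sample log: one IP guessing at alice, one IP spraying many users.
SAMPLE_EVENTS: List[Event] = [
    (0, "203.0.113.10", "alice", False),
    (1, "203.0.113.10", "alice", False),
    (2, "203.0.113.10", "alice", False),
    (3, "203.0.113.10", "alice", False),
    (4, "203.0.113.10", "alice", False),    # fifth failure: IP and account lock
    (5, "203.0.113.10", "alice", True),     # right password, but still locked
    (100, "198.51.100.7", "bob", False),
    (101, "198.51.100.7", "carol", False),
    (102, "198.51.100.7", "dave", False),
    (103, "198.51.100.7", "erin", False),
    (104, "198.51.100.7", "frank", False),  # fifth failure from one IP: IP locks
    (105, "198.51.100.7", "grace", False),
    (1000, "192.0.2.5", "alice", True),     # alice's lockout has expired
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, process_events(SAMPLE_EVENTS)):
        print(event, "->", decision)
    print("spraying IPs:", detect_spraying(SAMPLE_EVENTS))
```

    Per-account counting alone would miss the second IP, since each account it touches fails only once; per-IP counting alone would miss an attacker rotating through many addresses. Using both keys, plus the distinct-username check for alerting, covers the ordinary brute force, reverse brute force and credential stuffing cases described above.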

    Some sites and accounts still allow unlimited login attempts, so as a user you can’t rely on login limits alone. Take charge of your own online security with a powerful antivirus.

    Stand against brute force attacks with Avast

    Brute force attacks may sound scary, but it’s not difficult to set up a strong defense against them. All you need are strong, unique passwords and powerful cybersecurity tools like Avast One to stay much safer online.

    Avast One monitors your passwords connected to your email address and notifies you if one becomes compromised. It also helps protect your device against a range of threats like malicious downloads, infected links, unsafe email attachments, and more. Download it today to stay ahead of the hackers.
