
What Is a Brute Force Attack?

The best passwords are long, complex, and avoid using simple names or well-known terms. That’s because short or obvious passwords won’t hold up for long against a brute force attack. But what exactly is a brute force attack? Discover how brute force attacks work, how to prevent them, and how a strong cybersecurity tool can help keep you safe.

Written by Domenic Molinaro
Published on February 9, 2021

What is a brute force attack, exactly?

A brute force attack is when hackers try to recover a password through intensive computer-assisted trial and error: guessing candidate after candidate, either every possible combination or the most likely ones first, until one matches. The scope and definition of brute force has broadened as computer technology has advanced.



    In the 1970s, a hacker could theoretically try only thousands of different password variations every second. Today, a single machine fitted with consumer graphics cards can test hundreds of billions of guesses per second, but only offline, against a stolen database of fast, unsalted password hashes. Guessing through a live login form is far slower, because every attempt has to travel to the service, and the service can throttle or block it.

    Though the meaning of brute force has expanded, the method remains the same: try as many password combinations as possible and hope one works. Whether or not a hacker successfully finds the correct password often comes down to the amount of time and resources an attacker is willing to spend. But what methods do modern hackers use?

    Types of brute force attack

    There are five typical types of brute force attacks: simple attacks, dictionary attacks, hybrid attacks, reverse attacks, and credential stuffing. Anyone with an interest and a little know-how can acquire a brute force password cracking tool, which is software that generates and tests guesses automatically.

    Most of the time, people use brute force tools to guess passwords at a login page or to crack the password hashes in a stolen credential database. The effectiveness of a brute force tool depends on the resources and computing power of the people running it.

    Your typical lone-wolf bedroom hacker may not be able to afford a top-shelf password cracking powerhouse of a computer. But the definition of a hacker has changed over time. Today, many cybercriminals belong to well-funded and tightly organized groups with access to the top password cracking techniques available.

    Simple brute force attacks

    Simple brute force attacks require little computing power or ingenuity. They systematically cycle through combinations of words, letters, and characters until they break in. Long and complex passwords are beyond the scope of simple attacks, which are typically limited to variations on the most common or likely passwords.

    A simple brute force attack is so easy that it can be done manually, though this is obviously more time-consuming.

    A bot can easily brute force a predictable password. That’s why some of the worst passwords are sequential numbers (123456), a person’s name or birthday, or the notorious (and still perplexingly popular) “password.”

    Simple brute force attacks cycle through combinations of words and numbers to guess weak passwords.

    Simple brute force attacks are still effective because plenty of less internet-savvy users don’t realize the danger of using simple passwords. Other people may choose to risk their security with simple passwords rather than bother with having to remember longer, more complex ones. If you’re having trouble keeping track of your passwords, you should start using a good password manager.

    Dictionary attacks

    Dictionary attacks use a wordlist rather than every possible combination of characters. Choosing an uncommon word instead of "password" will get you past the short lists of top passwords that simple attacks rely on, and many hackers will give up if a target takes too long. But any word that appears in a dictionary, in any language, is still within easy reach of a dictionary attack.

    Dictionary attacks try to guess your password by cycling through every word, common combinations of that word with other words, variations on spelling, and words in various languages. If you’re using a single word for your password, a brute force dictionary attack will succeed in seconds.

    Hybrid brute force attacks

    Hybrid brute force attacks combine simple brute force hacking attacks and dictionary attacks. Dictionary words are run through rules that capitalize them, swap letters for look-alike symbols, and append digits or years, producing a much larger set of candidates to try. A password like "p@$$w0rd" won't appear in a plain wordlist, but a hybrid attack generates it from "password" with a single substitution rule, so it offers little real defense.

    Hackers using hybrid attacks will customize their attack strategy, rather than simply trying every word one by one. The infiltrator knows what word combinations are more likely based on wordlists (perhaps purchased on the dark web), the target’s demographic, and general knowledge of human behavior. They then prioritize their attacks to target these combinations first.
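The dictionary and hybrid attacks just described, shown as an added example written for this article rather than code from Avast or from any cracking tool. It takes a stolen hash, runs a wordlist through a few mutation rules (capitalization, letter substitutions, common suffixes) and hashes each guess until one matches. The six-entry wordlist, the rules and the "stolen" hashes are all constructed for the demonstration; real attacks use lists of millions of leaked passwords and hundreds of rules, but the loop is the same.

```python
import hashlib

# Constructed six-entry wordlist standing in for a real leaked list (assumption;
# real attacks use millions of entries).
WORDLIST = ["123456", "password", "letmein", "dragon", "sunshine", "qwerty"]

# Hybrid rules: the substitutions and suffixes people actually use.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "123", "!", "2021")


def mutations(word):
    """Dictionary guess first, then hybrid variants of the same word."""
    leet = word.translate(LEET)
    yield word                      # plain dictionary attack
    yield word.capitalize()
    yield leet                      # "password" -> "p@$$w0rd"
    for suffix in SUFFIXES:
        yield word + suffix
        yield leet + suffix


def candidates(words):
    """All guesses in priority order, each distinct string tried once."""
    seen = set()
    for word in words:
        for guess in mutations(word):
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(target_hash, words, algo="sha256"):
    """Offline attack: hash each guess and compare it to the stolen hash.

    Returns (password, guesses_tried), or (None, guesses_tried) if the
    wordlist and rules never produce the password.
    """
    tried = 0
    for guess in candidates(words):
        tried += 1
        if hashlib.new(algo, guess.encode("utf-8")).hexdigest() == target_hash:
            return guess, tried
    return None, tried


def stolen_hash(password, algo="sha256"):
    """Stand-in for a hash lifted from a breached database (fast, unsalted)."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for secret in ("p@$$w0rd", "dragon123", "correct horse battery staple"):
        found, n = crack(stolen_hash(secret), WORDLIST)
        outcome = f"cracked as {found!r}" if found else "not found"
        print(f"{secret!r}: {outcome} after {n} guesses")
```

"p@$$w0rd" falls on the eighth guess and "dragon123" on the thirty-third; the four-word passphrase survives because no rule ever produces it. Tools such as hashcat do exactly this with rule files, at billions of guesses per second, which is why a password's strength is measured by how unlikely any rule is to generate it, not by how odd it looks.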

    Reverse brute force attacks

    Reverse brute force attacks reverse the order of operations: They start with a common or known password and try it against many usernames instead. The technique is also called password spraying, and it sidesteps per-account lockouts, because each account sees only one or two failed attempts. Passwords from data breaches sometimes leak online, and when they do, they're often used to launch reverse attacks.

    Many people never consider security for their login ID, which makes brute force hacking usernames more lucrative than it might seem.

    Credential stuffing

    Credential stuffing is when a hacker obtains your username and password for one site, usually from a data breach, and then tries the same pair, or close variations of it, on other sites. Instead of guessing the password or the username, they're guessing where else that combination works. Password reuse is what makes it succeed.

    If you use the same password or username across multiple sites, as many of us do, none of your accounts is safe if just one of them is compromised. In addition to using unique passwords on all your accounts, consider beefing up your security with an antivirus tool.

    Avast One protects against all kinds of security issues, from leaked passwords and unsafe settings to suspicious plugins, malware and other threats. Our built-in Smart Scan feature will scour your system so you can easily see and fix any vulnerabilities before they become a problem.

    Tools used for brute force attacks

    Manual brute force attempts against all but the weakest of passwords are very time-consuming. But hackers have developed a range of automated tools to help them crack passwords more easily, and not all of them work by running all possible character combinations.

    Here are some of the main tools hackers use for brute force attacks:

    • Weak password targeting tools

      By using tools that identify and try the easiest, most obvious passwords first, hackers often don’t need to resort to more heavy-duty methods.

    • Wi-Fi crackers

      Wi-Fi cracking tools capture the handshake exchanged when a device joins a network and then brute force the Wi-Fi password offline against that capture, so a weak or dictionary-word Wi-Fi password falls the same way a weak account password does.

    • Hash functions

      Websites shouldn't store your password itself; they store a hash of it, a fixed-length fingerprint produced by a one-way function such as SHA-256 or bcrypt. Cracking tools don't reverse the hash. They hash guess after guess and compare the results to the stolen hashes, so the speed of the hash function, and whether each password was salted, decides how many guesses per second the attacker gets.

    • Dictionary bots

      Through dictionary attacks, brute force tools can brush past single-word passwords in the blink of an eye.

    All of these software tools work by testing guesses as fast as the hardware allows. Dedicated cracking rigs lean on GPUs, which hash many guesses in parallel far faster than a CPU can, and attackers who need more simply rent GPU capacity in the cloud.

    Why do cybercriminals use brute force attacks?

    There are many motives behind brute force attacks. Many hackers or cybercriminals use brute force attacks against websites to insert additional ads or steal your sensitive personal data through phishing attacks. A vindictive attacker can use a brute force attack to destroy a website’s reputation.

    A brute force password cracker, which is software that repeatedly tries passwords until finding the right one, can be freely found on the web. That means anyone with a vendetta or spare time to kill can give it a shot. As such, the motive and intensity of attacks will vary. But severe brute force attacks can take control over an entire system.

    Having gone through the most common brute force attack examples above, let’s now examine some of the reasons why hackers use these techniques.

    The opportunity to explore hidden webpages

    Brute force hacking attacks can reveal a lot more than passwords and usernames. By brute forcing web addresses, attackers can gain access to webpages or directories that would otherwise remain hidden from public view.

    These webpages are usually set up either for technical or personal reasons, or they were created and then forgotten about. In both cases, they may have weaker security than sites meant for the general public. They're likely to be more vulnerable to exploits such as SQL injection, and more likely to end up hosting Trojans or other malware.

    If a hacker can brute force a hidden web page, they might secure themselves a reliable backdoor to the primary website.

    Profit from ads

    By illegally gaining access to websites, hackers can cause them to spam visitors with ads, with each click or view generating money for the hacker. Hackers can also reroute traffic to illegitimate sites brimming with ads, or to pharming websites disguised as real ones.

    By exploiting advertising business models and forcing people to view and contend with cascades of ads, hackers can cash in by the spamful.

    Spread malware

    Brute force attacks are often used to spread viruses and other malware throughout a system. Depending on the type of malware a hacker uses, they may be able to access sensitive data, such as your contact list and location.

    By installing adware on your device, a hacker can spam you with ads and make money when you see them. Hackers can also brute force a website, and then install malware on it that infects anyone who visits that site.

    Avast One can protect you against unexpected threats. Our Web Shield will block known malware from downloading to your PC while you browse the web, while our File Shield will analyze unknown files before they get to you, quarantining them immediately if they’re malicious.

    That means Avast One will stop malicious attacks on your computer, even if they come from trusted domains that have been unknowingly compromised in a brute force attack.

    Plus, our built-in Smart Scan feature will shore up cracks in your online security by monitoring all your settings and add-ons for possible exposures.

    Need even more dedicated protection against brute force attacks? Check out Avast Premium Security, which automatically blocks brute force attempts on your device with our built-in Remote Access Shield.

    Steal data

    By gaining access to websites, hackers can track user browsing data and sell it to third parties. Your information is valuable to advertisers who want to sell you products, to analytics companies who help websites optimize their business models, and to data brokers who want to sell personal or aggregated data to interested buyers.

    Downloading and using a brute force password cracker is so simple there’s little downside for a hacker down on their luck. Big data means big profits these days.

    Of course, anyone who steals your data can also use it for themselves. For example, by using a brute force attack, a hacker can insert spyware to collect personal data, which they can use for doxxing or to commit identity theft.

    Hijack systems

    After brute-forcing their way in, hackers can infect your device with ransomware that takes your valuable files hostage or even locks you out of your device completely. After taking control, hackers can then extort you into sending them money by threatening to destroy your files or release sensitive information.

    Ransomware such as Petya and WannaCry can encrypt your files until you pay up — and even then, there's no guarantee that you'll get your data back.

    How to defend against a brute force attack

    Choosing a secure password is your first line of defense against a brute force attack. Set unique passwords for all your accounts, and store them securely with a strong password manager.

    Google and other services try to prevent brute force attacks by limiting login attempts, locking accounts after repeated failures, or using CAPTCHA and similar systems to check whether a user is human. But note that these controls slow attacks rather than stop them: attackers spread their attempts across many IP addresses and use CAPTCHA-solving services, and a reverse attack that tries one password against thousands of usernames never trips a per-account lockout.
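A minimal version of the login throttling described above, written for this article as an added example and not taken from any service's code. It keeps two counters: failures per account, which locks an account after a handful of wrong guesses, and failures per source address inside a sliding window, which is what catches the reverse attacks described earlier, where one password is sprayed across many usernames and no single account reaches the lockout threshold. The thresholds, usernames and IP address are assumptions chosen for the demonstration; the clock is injectable so the simulations run without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account lockout plus a per-IP sliding window (added example)."""

    def __init__(self, max_account_failures=5, lockout_seconds=900,
                 max_ip_failures=20, ip_window_seconds=60, clock=time.monotonic):
        self.max_account_failures = max_account_failures   # assumed thresholds
        self.lockout_seconds = lockout_seconds
        self.max_ip_failures = max_ip_failures
        self.ip_window_seconds = ip_window_seconds
        self.clock = clock
        self.account_failures = defaultdict(int)
        self.account_locked_until = {}
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def is_allowed(self, username, ip):
        """Should this login attempt be processed at all?"""
        now = self.clock()
        if self.account_locked_until.get(username, 0.0) > now:
            return False                      # account is in its lockout period
        window = self.ip_failures[ip]
        while window and window[0] <= now - self.ip_window_seconds:
            window.popleft()                  # forget failures older than the window
        return len(window) < self.max_ip_failures

    def record_failure(self, username, ip):
        now = self.clock()
        self.ip_failures[ip].append(now)
        self.account_failures[username] += 1
        if self.account_failures[username] >= self.max_account_failures:
            self.account_locked_until[username] = now + self.lockout_seconds
            self.account_failures[username] = 0

    def record_success(self, username):
        self.account_failures.pop(username, None)
        self.account_locked_until.pop(username, None)


class FakeClock:
    """Controllable time source so the simulations below run instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


ATTACKER_IP = "203.0.113.7"   # documentation-range address, constructed for the example


def simulate_single_account(guesses=1000, delay=0.1):
    """Classic brute force: how many wrong guesses at one account get through?"""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    tried = 0
    for _ in range(guesses):
        if not throttle.is_allowed("alice", ATTACKER_IP):
            break
        tried += 1
        throttle.record_failure("alice", ATTACKER_IP)
        clock.advance(delay)
    return tried


def simulate_spray(accounts=1000, delay=0.1):
    """Reverse attack: one password against many accounts, one guess each."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    reached = 0
    for i in range(accounts):
        user = f"user{i}"
        if not throttle.is_allowed(user, ATTACKER_IP):
            break
        reached += 1
        throttle.record_failure(user, ATTACKER_IP)
        clock.advance(delay)
    return reached


if __name__ == "__main__":
    print("guesses at one account before lockout:", simulate_single_account())
    print("accounts reached from one IP before throttling:", simulate_spray())
```

The per-account counter alone would let the spray run through every user unchallenged; the per-IP window stops it after twenty. An attacker with a pool of addresses defeats the per-IP window in turn, which is why production systems add a global failed-login rate alarm and, above all, a second factor.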

    If a hacker has stolen the hash of your password rather than the password itself, they don't need to log in at all. They can hash guesses on their own hardware, offline, as many times as they want, and compare each result to the stolen hash; the only limit is how fast the site's hashing algorithm runs. And since many people use the same username and password on multiple sites, hackers can try a stolen pair against thousands of websites until they find a match, and then go back to the original target.
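Because an offline attacker's guess rate is bounded only by the hash function, the server-side defense is to store passwords with a salted, deliberately slow hash. The following is an added example written for this article, not code from Avast or from any particular website. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count follows OWASP's published guidance and is an assumption you should tune to your own hardware. A plain unsalted SHA-256 is included for contrast.

```python
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000     # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)        # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:           # malformed record: wrong field count or bad hex/int
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """The weak format: fast, and identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guesses_per_second(check, seconds=0.5):
    """Rough throughput of one checker on this machine (a timing, so only printed)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        check("guess%d" % count)
        count += 1
    return count / seconds


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("same password, two records differ:", hash_password("x") != hash_password("x"))
    print("unsalted sha256 guesses/s:", int(guesses_per_second(unsalted_sha256)))
    print("pbkdf2 guesses/s:", guesses_per_second(lambda p: verify_password(p, record)))
```

Two things make the difference. The salt means an attacker who cracks one user's hash learns nothing about another user with the same password, and can't reuse precomputed tables. The iteration count turns the attacker's hundreds of billions of guesses per second into a few thousand, which is what makes a reasonable password survive a breach.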

    But there’s lots you can do on your own to prevent brute force attacks, such as practicing better password habits, enabling multi-factor authentication, and using online security software.

    Use long, complex, and unique passwords

    The longer the password, the better. Many of us use the same password on multiple sites, and we often use short ones, since having to recover your password is so annoying. You can avoid this problem and create hard-to-crack passwords with a secure password manager, which will automatically generate and store passwords for you.

    Complex passwords are more secure than simple ones. You may have noticed websites asking you recently to generate a secure password. These long and complex passwords will be random strings of letters, numbers, and symbols. Increasing the length of your passwords and using unique word or letter combinations increases password security exponentially.

    Avoid using common identifiers such as your favorite sports team, the name of your city, or any other information that can be easily gleaned by looking up your location or other demographic data. And always create a new password for each of your accounts.

    A seven-letter password made only of lowercase letters has about eight billion combinations (26 to the seventh power), which a cracking rig testing 100 billion guesses per second exhausts in well under a second. Double that to 14 letters, and the combinations explode to about 64 quintillion, more than the number of grains of sand on Earth, and roughly 20 years of work at the same rate. An additional jump to 21 letters gives you more possible combinations than all the stars in the known universe. Mixing in uppercase letters, digits, and symbols widens the alphabet and helps too, but every extra character multiplies the work, so length is the bigger lever.
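The arithmetic behind those figures, as an added example for this article rather than code from the original page. It computes the keyspace for a given length and alphabet, the worst-case time to exhaust it at an assumed 100 billion guesses per second (the offline rate against a fast, unsalted hash mentioned earlier), and the shortest length that keeps an attacker busy for a target number of years. The alphabet sizes and guess rate are assumptions; change the rate to see how a slow, salted hash moves every line.

```python
import math

LOWERCASE = 26
ALPHANUMERIC = 62
PRINTABLE_ASCII = 95
GPU_RATE = 1e11          # assumption: ~100 billion guesses/s against a fast, unsalted hash
YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def bits_of_entropy(length, alphabet_size):
    """Keyspace expressed in bits: each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, rate=GPU_RATE):
    """Worst case: every candidate tried. Expect about half this on average."""
    return keyspace(length, alphabet_size) / rate


def human_duration(seconds):
    if seconds < 1:
        return f"{seconds * 1000:.0f} ms"
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / YEAR:,.0f} years"


def length_needed(target_seconds, alphabet_size, rate=GPU_RATE):
    """Shortest length whose worst-case cracking time is at least target_seconds."""
    length = 1
    while seconds_to_exhaust(length, alphabet_size, rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for length in (7, 14, 21):
        print(f"{length} lowercase letters: {keyspace(length, LOWERCASE):.3g} candidates, "
              f"{bits_of_entropy(length, LOWERCASE):.0f} bits, "
              f"{human_duration(seconds_to_exhaust(length, LOWERCASE))} at 1e11/s")
    for name, size in (("lowercase", LOWERCASE), ("alphanumeric", ALPHANUMERIC),
                       ("printable ASCII", PRINTABLE_ASCII)):
        print(f"{name}: {length_needed(100 * YEAR, size)} characters for a 100-year worst case")
```

At this rate a 100-year worst case needs 15 lowercase letters or 11 characters drawn from the full printable set. Four or five random dictionary words, which are easy to remember, already exceed the lowercase figure, and against a properly salted and iterated hash the same passwords last many orders of magnitude longer.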

    Employ multi-factor authentication

    Multi-factor authentication (MFA) and two-factor authentication (2FA) require you to log in with at least two different types of credentials. These factors can be knowledge-based, such as a security question, though that's the weakest kind: be sure to avoid questions whose answers can be found on your social media account, and prefer an authentication app or a hardware security key wherever the service offers one.

    It’s easy to set up 2FA on Facebook or Google by selecting it in your security settings and then confirming your identity through SMS or an authentication app.

    The factors you use can also be single-use items that you need to have in your possession when you log in. Examples include an OTP (one-time password) that’s emailed to you, push notifications with special codes, or a dedicated authentication app.

    A third authentication factor can be a biometric identifier, such as a fingerprint scan or facial recognition software. Dedicated hackers can still mimic or steal this information, but it’s very difficult and not worth the effort unless you’re an extremely high-value target.

    Multi-factor authentication adds additional layers of security (like a PIN or biometric identifier) beyond your password.

    Strengthen your defenses

    Sometimes the best foil to an evil program is a good program. Putting your network or website behind a firewall or setting up a VPN gateway can give you an extra line of defense against brute force programs.

    Antivirus software can make sure all the nooks and crannies of your system are secure. Defensive programs need to be cutting-edge, and the best antivirus programs constantly upgrade their software with the latest tools to block viruses and stop hacking attempts.

    Stand against brute force attacks with Avast One

    Companies need to innovate to keep up with intrepid hackers. Avast One has a built-in feature that will scan the dark web for traces of your email address and related personal data. It will also monitor your password to make sure it hasn’t been exposed, letting you know if you need to change it.

    Thankfully, most of us aren't singled out for a direct brute force attack on our own accounts; automated credential stuffing, which tries leaked passwords against everyone, is the exception. More often, hackers target websites for brute forcing, and then use that access to spread malware to the site's visitors.

    Avast One will automatically block and remove malware from compromised sites — even ones that are usually always safe — so no viruses or other malware can land on your computer. We’ll also protect you against malicious downloads, infected links, and unsafe email attachments.

    With so many threats lurking out there, it’s imperative to have an extra layer of defense to protect your data and other personal information. Download Avast One today to stay ahead of the hackers.
