Brute force attack: A definition + 6 types to know

December 6, 2021

A brute force attack is a trial-and-error hacking method where attackers submit many queries to gain unauthorized access to a system. Hackers may test millions of login credentials, encryption keys, or URLs until a valid response is returned. Brute force hacking is also extremely prevalent — about 1 in 5 devices or networks will experience these attacks. 

With so many of these cyberthreats on the loose, it’s important to know how you can keep your information safe. Keep reading to discover how cybercriminals use brute force attacks and learn tips to help you create a hack-proof password. 

Types of brute force attacks

What is brute force, and what are the different methods? In a basic brute force attack, hackers use automation tools to test random, exhaustive combinations of numbers and letters to try and guess your credentials. However, this isn’t the only way hackers use brute force password cracking to steal your information. Here are six more common ways hackers harness brute force methods. 

Simple brute force attacks

In a simple brute force password attack, an attacker tries to logically guess a password. They may try either common passwords or do minimal reconnaissance work to discover personal information, like your pet’s name. This attack can work with passwords like “password” or “fido123.”    

Reverse brute force attack

Oftentimes, brute force attacks involve testing many passwords against a known username. In a reverse brute force attack, hackers test a common password like “123456” against a list of possible usernames. 

Dictionary attacks

Dictionary attacks involve attackers testing common words, phrases, or passwords in exhaustive combinations. These words may be sports teams, seasons, colors, etc. Since users often use simple, easy-to-remember passwords, dictionary attacks can be more efficient at finding login credentials.  

Hybrid brute force attacks

Hybrid brute force attacks combine techniques from dictionary attacks and simple brute force attacks. Hackers test combinations involving both common words and random characters. This can allow attackers to crack passwords like “chicago123” or “rover2021.” 

Credential stuffing

In credential stuffing, attackers use credentials that have already been stolen. They may find these credentials through searching the dark web or even via phishing. Bots then test a list of stolen login credentials against multiple sites. Since as many as 65 percent of internet users reuse passwords, credential stuffing can allow attackers to use one stolen credential to gain access to even more data.   

Rainbow table attack

When computers store passwords, they often don’t store the actual data (e.g., 12345678). Instead, they store the password as an encryption, called a hash (e.g., 25d55ad283aa400af464c76d713c07ad). Rainbow table attacks crack passwords by testing slews of hashes. They do this through pre-generated tables of common passwords with their corresponding hash. 

Goals of brute force attacks

Cybercriminals may have several motivations for enacting brute force attacks. The potential for personal profit or gain are the primary ones, but here are a few more ways hackers can make these attacks pay off. 

Exploit advertisements and data

In the event a hacker gains access to a website, they can profit by placing spam ads or rerouting traffic to their own advertisements to gain commission. They can also collect and sell private data to third parties or data brokers. 

Personal data theft

Selling data to advertisers isn’t the only way stolen personal data can profit a hacker. All it takes is the right stolen credential and an attacker could steal your identity, access your bank account, or commit credit card fraud.  

Spread malware

Hackers may place malicious software on hacked sites that can spread to visitors’ computers. Once downloaded, malware can collect even more private data, hold files for ransom, hijack your internet session, impersonate users through IP spoofing, or otherwise wreak havoc on victims. 

Wreck website reputations

Cybercriminals may ruin websites for personal gain or simply for practice. This can include putting offensive or pornographic material on your site. If you’re unable to remove the offensive content, your website’s reputation could be destroyed. 

Find hidden websites

Not every website is accessible to search engines. Unlinked, no-index pages make up the dark web and may contain criminal activity, leaked data, or other malicious activity. Hackers can use brute force attacks to check massive URL combinations until valid websites are returned. They can then exploit these pages or criminally scrape data.

Brute force attack tools

Brute force attacks can test millions of password/username, web address, or encryption key combinations. Manually testing all these combinations could take years, so attackers use tools to automate this process. Here are some of the most common tools used in brute force attacks: ·        

• Aircrack-ng: Available for Windows and Linux, this tool is a popular choice for dictionary attacks.        
• John the Ripper: This free tool combines text and numbers to perform simple brute force attacks or can be used with a dictionary to perform dictionary attacks.        
• 0phtCrack: Meant specifically for cracking Windows passwords, this tool can crack a password in only a few minutes.         
• RainbowCrack: This tool generates rainbow tables to use in rainbow table attacks.          
• Hydra: One of the most popular brute force tools, Hydra is often used in cracking passwords for network authentication.

Examples of brute force attacks

Brute force attacks often target popular platforms where many users store data. This means email domains, online tax services, or food apps could be likely targets. Here are just a few real-world examples of brute force attacks in action:

• 2009 Yahoo attacks: A 2-year-old security flaw allowed attackers a special opportunity to target Yahoo Mail accounts with password-cracking attacks.  
• 2013 WordPress attacks: As many as 60 million attempts were made in just one hour during waves of brute force attacks targeting WordPress platforms. Luckily, very few sites were breached. 
• 2015 Dunkin’ Donuts attacks: Seeking to exploit reward program perks, hackers gained access to almost 20,000 Dunkin’ mobile app accounts. 
• 2015 Alibaba’s Taobao attacks: Hackers used a list of 99 million stolen login credentials with a success rate of 1 in 5, showing how often accounts reuse poor passwords. Nearly 21 million accounts were breached.
•  2021 T-Mobile attacks: Cybercriminals combined brute force attacks with other means to hack into T-Mobile IT servers containing customer data.    

5 tips to prevent brute force attacks

Can you prevent brute force attacks? While hackers have an arsenal of tricks up their sleeves, there is plenty you can do to frustrate their brute force attempts. Here are a few tips to help you stay safe from these malcious attacks.

1. Use strong, unique passwords

Brute force attacks rely on weak passwords to succeed, so protect your accounts with complex passwords. Strong passwords are long, difficult to guess, and unique.         

Long: Five-character passwords can often be cracked in a matter of seconds, while 20-character passwords could take decades.         

Difficult to guess: Using easily guessed information like your birthday or children’s names makes it easier for brute force attacks to succeed with minimal reconnaissance work.        

Unique: Reusing passwords leaves you susceptible to credential stuffing attacks, where cybercriminals can use one hacked account to access even more of your data. 

2. Consider a password manager

Creating strong, unique passwords for all of your accounts can be difficult to keep track of. Using a password manager can help you organize your login credentials while also offering advanced security through encryptions. Many password managers also offer password suggestions to help you create stronger passwords.  

3. Enable two-factor authentication

Two-factor authentication provides additional security by requiring users to verify their identity in multiple steps. This could look like logging into an account by first providing an authentic password and then entering a security code sent to a trusted device. The additional authentication step can prevent cybercriminals who have hacked your password from accessing your account.   

4. Disable unused accounts

With so many platforms pushing account creation, today’s digital citizens can acquire dozens, if not hundreds, of online accounts. After all, studies show 70 percent of users have more than 10 password-protected accounts and 30 percent have “too many to count.” These unused accounts can contain confidential data like credit card information. Disabling unused accounts limits the amount of personal data you may have on the internet and gives hackers less opportunity to steal your information.  

5. Limit login attempts

Since brute force attacks rely on massive amounts of login attempts, locking your account after a few attempts is a logical and effective strategy. Instituting account locks for a set time period can greatly delay brute force attacks and help keep your information safe. 

Brute force methods are some of the most common types of password attacks facing today’s digital citizens. Practicing strong password and digital safety etiquette can help you stay protected.  

Brute force attack FAQs

Have other questions on brute force attacks? Here are answers to some of the most commonly asked questions. 

What is a brute force attack?

A brute force attack is a trial and error hacking method where attackers submit many queries until one is authenticated. This could look like submitting millions of login credentials, encryption keys, or site URLs. Once a valid response is returned, hackers can gain unauthorized access to a system. 

Are brute force attacks illegal?

Brute force attacks are not illegal by themselves. What makes brute force attacks illegal is the intention. Most of the time, hackers have malicious intent: to gain unauthorized access, steal data, or otherwise criminally profit. In these cases, brute force attacks are illegal. In rare cases, brute force attacks can be legal—if the owner gives written consent for penetration testing to be performed, for example. 

How common are brute force attacks?

Brute force attacks are very common. Research shows that 23 percent of monitored systems experienced security events related to brute force attacks. That’s over 1 in 5 systems. Of the 23 percent affected systems, 95 percent received between 637 and 3.3 billion attempts.  

How does a brute force attack work?

Brute force attacks work by trial and error. A hacker will use an automation tool to test exhaustive lists of login credentials, encryption keys, or site URLs. If the system returns an invalid response, hackers know they’ve entered incorrect credentials. If the system returns a valid response, hackers know they’ve found the correct credential.  

What’s the best protection against a brute force attack?

Since brute force attacks work by submitting many attempts, one of the best ways you can protect your accounts is by limiting login attempts. Systems that lock users out for an hour after five login attempts, for example, can significantly slow hackers’ brute force progress. You can also protect your data through strong passwords, two-factor authentication, using a password manager, online security software, and disabling unused accounts.