Brute Force Attack

Also known as: Brute-force attack, Password guessing attack

An attack that tries a large number of passwords, keys, or codes against a login or encryption endpoint until one works.

What is a brute force attack?

A brute force attack systematically submits candidate passwords, keys, or codes against a target — a login form, an SSH server, a password-protected archive, an API key check — until one succeeds or the candidate list is exhausted. The attacker does not exploit a vulnerability in the code; they simply exploit the fact that the authentication endpoint accepts attempts and the password is guessable within a reasonable budget.

Common brute force variants

  • Pure brute force — exhaustively try every combination in a keyspace. Only feasible against short passwords or weak ciphers.
  • Dictionary attack — try a list of common passwords (password123, qwerty, leaked-password wordlists). Much faster than pure brute force and effective against most human-chosen passwords.
  • Hybrid — combine a dictionary with small mutations (append years, swap letters for numbers).
  • Credential stuffing — try username-password pairs from data breaches against other services where the same users may have reused the same password.

Bulk brute force is often distributed across a botnet so each source IP stays under the rate-limit threshold of the target.

How brute force traffic is detected

Defenders look for a high ratio of failed to successful logins from a single IP, CIDR block, or ASN, plus the familiar fingerprints: SSH scanning on port 22, repeated 401 responses on login endpoints, and many distinct usernames tried from one source. The highest-value alert is a success that follows a burst of failures from the same source, since that is what a completed brute force looks like. Rate limiting, account lockout, CAPTCHA, and MFA all raise the cost of brute force enough to make most automated campaigns uneconomic. Looking up source IPs in an IP-reputation or abuse-report database shows whether the same source has already been reported by other targets.
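As an added example (not code from the original page), the detection rules described above run over a handful of constructed OpenSSH auth.log lines: a per-IP failure ratio check, a per-account check that counts failures against one username from many sources (the distributed pattern a per-IP threshold alone misses), and an alert on a success that follows a run of failures from the same IP. The log lines, hostnames, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH auth.log format; not captured traffic.
SAMPLE_LOG = """\
Jan 12 03:14:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:02 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:03 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 12 03:14:04 bastion sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Jan 12 03:14:05 bastion sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 03:14:06 bastion sshd[2111]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Jan 12 03:15:10 bastion sshd[2120]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Jan 12 03:15:20 bastion sshd[2122]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
Jan 12 03:16:00 bastion sshd[2130]: Failed password for bob from 192.0.2.11 port 30001 ssh2
Jan 12 03:16:01 bastion sshd[2131]: Failed password for bob from 192.0.2.12 port 30002 ssh2
Jan 12 03:16:02 bastion sshd[2132]: Failed password for bob from 192.0.2.13 port 30003 ssh2
Jan 12 03:16:03 bastion sshd[2133]: Failed password for bob from 192.0.2.14 port 30004 ssh2
Jan 12 03:16:04 bastion sshd[2134]: Failed password for bob from 192.0.2.15 port 30005 ssh2
Jan 12 03:16:05 bastion sshd[2135]: Failed password for bob from 192.0.2.16 port 30006 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Return a list of (accepted, user, ip) tuples in log order; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("outcome") == "Accepted", m.group("user"), m.group("ip")))
    return events


def analyze(events, ip_fail_threshold=5, fail_ratio=0.8,
            account_fail_threshold=5, min_sources=3, prior_fail_threshold=3):
    """Apply three detections to the event stream (thresholds are assumed values):
    - per-IP: at least ip_fail_threshold failures and a failure ratio >= fail_ratio;
    - per-account: at least account_fail_threshold failures against one username
      spread over at least min_sources distinct IPs (distributed brute force);
    - success after failures: a login accepted from an IP that already produced
      prior_fail_threshold or more failures, i.e. a likely successful guess."""
    ip_fail, ip_total, acct_fail = Counter(), Counter(), Counter()
    acct_sources = defaultdict(set)
    success_after_failures = []
    for accepted, user, ip in events:
        ip_total[ip] += 1
        if accepted:
            if ip_fail[ip] >= prior_fail_threshold:
                success_after_failures.append((user, ip))
        else:
            ip_fail[ip] += 1
            acct_fail[user] += 1
            acct_sources[user].add(ip)
    suspicious_ips = sorted(
        ip for ip in ip_total
        if ip_fail[ip] >= ip_fail_threshold and ip_fail[ip] / ip_total[ip] >= fail_ratio)
    suspicious_accounts = sorted(
        u for u in acct_fail
        if acct_fail[u] >= account_fail_threshold and len(acct_sources[u]) >= min_sources)
    return {
        "suspicious_ips": suspicious_ips,
        "suspicious_accounts": suspicious_accounts,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, 203.0.113.7 trips the per-IP rule (five failures, one success) and its final accepted login for root is reported as a success after failures; bob trips the per-account rule because six failures arrive from six different addresses, none of which exceeds the per-IP threshold on its own; alice's single failure followed by a key-based login is not flagged.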

Frequently Asked Questions

How long does a brute force attack take?

It depends entirely on the password length, character set, and whether the attacker is hashing offline or submitting guesses online. An 8-character lowercase password (26^8, about 209 billion combinations) can be cracked in seconds against a stolen MD5 hash with modern GPUs, but might take years if the attacker has to submit each guess to a rate-limited login form. Strong modern password hashes (bcrypt, scrypt, Argon2) cost the attacker thousands to millions of times more work per guess, pushing the same offline attack from seconds to weeks or months on the same hardware, so the choice of password storage matters as much as password length.
What is the difference between brute force and credential stuffing?

Brute force generates passwords from scratch (exhaustive search, a dictionary, or hybrid mutations) and submits them against a target. Credential stuffing replays already-valid username/password pairs from prior data breaches against unrelated services in the hope that users reused them. Stuffing is much faster (one attempt per pair, not millions) and harder to detect because the successful logins look like normal sign-ins. Both attacks are usually distributed across botnets or proxy networks to evade per-IP rate limits.
Does rate limiting stop brute force attacks?

Per-IP rate limits stop naive single-source attacks but not distributed ones: attackers spread submissions across thousands of botnet nodes or residential proxies so that no single IP reaches the threshold. Effective brute-force defense layers per-IP limits with per-account limits (lockout or step-up after N failures against the same username from any source), CAPTCHA on anomalous traffic, IP-reputation feeds, and most importantly MFA, which neutralizes the attack even when a password match occurs.
Does MFA stop brute force attacks?

Effectively yes for the password phase, because even a correct password fails at the second-factor challenge. The attack surface shifts to the second factor itself: SMS codes can be intercepted via SIM swapping or phishing kits, push approvals can be worn down by "MFA fatigue" attacks, and TOTP codes can be relayed through real-time phishing pages. App-based TOTP is a clear improvement over SMS, but phishing-resistant factors (FIDO2 hardware keys and passkeys) are the strongest defense: they shift attacker effort from "guess a password" to "compromise a physical device".
What is a hybrid brute force attack?

A hybrid attack combines a base dictionary of common passwords with small mutations: appending years (`password2024`), capitalizing the first letter, swapping letters for numbers (`p@ssw0rd`), or pairing two dictionary words. It is far more efficient than pure brute force because most human-chosen passwords are minor variations on a theme rather than truly random strings. Modern cracking tools (Hashcat, John the Ripper) implement such mutation rules natively and, against fast unsalted hashes like MD5, can test billions of variations per second on a single GPU.
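The two points above (hybrid mutation of a dictionary, and the cost difference between a fast hash and a stretched one) in one added example that is not from the original page. It generates hybrid candidates from a tiny constructed wordlist, runs the offline cracking loop against an MD5 target and against a PBKDF2 target, and reports the keyspace arithmetic and the measured per-hash slowdown. Assumptions: the wordlist, salt and targets are constructed; PBKDF2-HMAC-SHA256 at 100,000 iterations from the standard library stands in for bcrypt/Argon2, which Python's standard library does not provide; the guess rates used in the keyspace report are illustrative figures, not benchmarks.

```python
import hashlib
import time

# Constructed wordlist; a real attack would use a leaked-password list.
BASE_WORDS = ["password", "welcome", "summer", "letmein"]
# Letter-for-number swaps that turn "password" into "p@ssw0rd", as in the text.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SALT = b"constructed-salt"          # assumption: fixed salt so the example is reproducible


def hybrid_candidates(words, years=range(2020, 2026)):
    """Yield each word with the small mutations described above: capitalised first
    letter, leet substitutions, and year / '!' suffixes. Ordering is deterministic."""
    for w in words:
        bases = {w, w.capitalize(), w.translate(LEET), w.capitalize().translate(LEET)}
        for b in sorted(bases):
            yield b
            yield b + "!"
            for y in years:
                yield f"{b}{y}"
                yield f"{b}{y}!"


def md5_hex(pw):
    """Fast, unsalted hash: the worst case for the defender."""
    return hashlib.md5(pw.encode()).hexdigest()


def pbkdf2_hex(pw, iterations=100_000):
    """Stretched, salted hash: every guess costs 100k HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, iterations).hex()


def crack(target_hash, hash_fn, candidates):
    """Offline attack loop: hash each candidate and compare with the stolen hash.
    Returns (password, attempts) on success or (None, attempts) if the list is exhausted."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hash_fn(cand) == target_hash:
            return cand, attempts
    return None, attempts


def keyspace(charset_size, length):
    """Number of candidates for a pure brute force of the given charset and length."""
    return charset_size ** length


def seconds_per_hash(hash_fn, runs=5):
    """Best-of-N wall-clock time for one hash computation (rough, machine dependent)."""
    best = float("inf")
    for _ in range(runs):
        t0 = time.perf_counter()
        hash_fn("benchmark-input")
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    target = "Summer2024!"                     # constructed victim password
    print("MD5 target:", crack(md5_hex(target), md5_hex, hybrid_candidates(BASE_WORDS)))
    print("PBKDF2 target:", crack(pbkdf2_hex("P@ssw0rd2023"), pbkdf2_hex,
                                   hybrid_candidates(BASE_WORDS)))
    space = keyspace(26, 8)                    # 8 lowercase letters, as in the FAQ above
    print(f"26^8 = {space:,} candidates")
    for label, rate in (("offline MD5 on one GPU (illustrative 100 GH/s)", 100e9),
                        ("online, rate-limited form (illustrative 10 guesses/s)", 10)):
        print(f"  {label}: {space / rate:,.0f} s")
    print(f"measured PBKDF2/MD5 per-hash slowdown: "
          f"{seconds_per_hash(pbkdf2_hex) / seconds_per_hash(md5_hex):,.0f}x")
```

The same 224 candidates crack both targets; what changes is the price of each attempt. The stretched hash is tens of thousands of times slower per guess on ordinary hardware, which is the multiplier that turns "seconds" into "weeks" in the FAQ answer above, and which a defender controls directly through the storage algorithm and its cost parameter.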