What is a brute force attack?

On the subject of cybersecurity, one term that often comes up is brute force attack. A brute force attack is any attack that doesn’t rely on finesse, but instead uses raw computing power to crack security or even the underlying encryption.

In this article we go over what brute force attacks are, how they work, and how you can prevent them.

What does brute force attack mean?

The real-world equivalent of a brute force attack is getting past a lock not with a lockpick, but rather with a crowbar. It’s noisy, messy, and not very elegant, but it gets the job done.

One good example of how this principle plays out digitally is what’s called a dictionary attack — used in the famous 2012 Dropbox security incident that saw 68 million users’ credentials breached. In this scenario, an attacker will try to guess a password for an online account by having a program try thousands, if not millions, of common words in the hope of getting lucky and finding one that works.

The guesses are based on known passwords and their derivatives, not just dictionary words, and they are usually tried one at a time. All it takes is a system powerful enough to run through the math, over and over again, until the program hits on the right combination of symbols that make up the password for that account.

It should be mentioned that using a digital crowbar in this way isn’t just resource intensive, but also takes up a lot of time. Though entering possible passwords can be done quickly, in just milliseconds, the sheer volume means those milliseconds add up. As a result, the owners of a site often can shut down an attack before it does any real damage — but not always.

Brute force attack examples

Dictionary attacks are just one type of brute force attack, just like crowbars are only one way to break open a lock. Below are some of the more common ones.

Credential stuffing

Credential stuffing attacks are another very basic type. Rather than guess victims’ login information, they instead take known credentials — usually made public in a breach — and then try them on different sites in massive numbers (stuffing them). 

Since many people reuse their username and password — a result of password fatigue as much as anything — this makes credential stuffing a successful attack vector for any cybercriminal trying to make a quick buck.

Password spraying attacks

Password spraying attacks, also known as reverse brute force attacks, take a similar tack. In this case, attackers will have a list of usernames and they will then go down this list using simple passwords, hoping to get lucky. 

This type is especially effective against organizations with sloppy security. Most companies have a set way to generate usernames (combining first and surnames, for example), and admins don’t always make users change the default password (which is often something like password123). If even one user didn’t change their password, the attackers get easy access.
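As an added illustration (not code from the original article or from Proton), the following Python snippet shows how a defender can tell the patterns above apart in an authentication log, and why a per-account lockout alone does not catch spraying or stuffing. The log lines are constructed and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample auth-log lines, one login attempt per line:
# "<source_ip> <username> <FAIL|OK>". Not real data.
SAMPLE_LOG = (
    # one source hammering one account: dictionary-style guessing
    ["203.0.113.7 alice FAIL"] * 40
    # one source trying two passwords against sixty accounts: spraying
    + [f"198.51.100.9 user{i:03d} FAIL" for i in range(60) for _ in range(2)]
    # one source trying thirty leaked username/password pairs once each: stuffing
    + [f"192.0.2.55 user{i:03d} FAIL" for i in range(30)]
    + ["192.0.2.55 user031 OK"]
    # an ordinary user mistyping once, then succeeding
    + ["192.0.2.10 grace FAIL", "192.0.2.10 grace OK"]
)

def failures_by_source(lines):
    """Map source_ip -> {username: failed_attempts}."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ip, user, result = line.split()
        if result == "FAIL":
            fails[ip][user] += 1
    return fails

def accounts_locked(lines, per_account_lockout=5):
    """Accounts a naive per-account lockout (N failures) would have locked."""
    per_user = defaultdict(int)
    for line in lines:
        ip, user, result = line.split()
        if result == "FAIL":
            per_user[user] += 1
    return {u for u, n in per_user.items() if n >= per_account_lockout}

def classify(lines, min_failures=10, per_account_lockout=5):
    """Label noisy sources. Per-account lockout alone misses spraying and
    stuffing because each account sees only one or two attempts, so we also
    count how many distinct accounts a single source touches. The log does
    not record the password tried, so spraying and stuffing look alike here."""
    labels = {}
    for ip, users in failures_by_source(lines).items():
        total = sum(users.values())
        if total < min_failures:
            continue  # below the alerting floor: typos and forgotten passwords
        if len(users) == 1:
            labels[ip] = "single-account guessing"
        elif max(users.values()) < per_account_lockout:
            labels[ip] = "many-account guessing (spraying or stuffing)"
        else:
            labels[ip] = "mixed"
    return labels
```

Only alice would ever be locked out by the per-account rule, while the two sources touching dozens of accounts are only visible when failures are also counted per source.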

Brute force attack prevention

If you have a sharp eye, you'll have noticed that all the above types of brute force attacks have one thing in common: they all target easily guessed passwords. Therefore, if you secure your passwords, you're mostly safe from these kinds of brute force tactics.

For example, dictionary attacks can be defended against by using long, random passwords. These will stymie any password-guessing program, since it can't predict what the next symbol will be. The longer you make them, the longer they'll take to crack, adding up to billions of years with a 16-character password.
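To put numbers on the claim above, here is an added worked example (not from the original article) that computes the worst-case time to exhaust each candidate set; the guess rates, the dictionary size and the 94-character alphabet are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(space):
    """Bits of entropy for a password chosen uniformly from `space` candidates."""
    return math.log2(space)

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

# Assumed guess rates (illustrative, not measurements):
ONLINE_RATE = 100        # guesses/s against a login form that is not rate limited
OFFLINE_RATE = 10**10    # guesses/s against a leaked fast hash on GPU hardware

# Assumed sizes: a dictionary attack draws from a wordlist plus common
# derivatives (capitalisation, appended digits, etc.); random passwords draw
# from the 94 printable ASCII characters.
DICTIONARY_WITH_DERIVATIVES = 10**7
PRINTABLE_ASCII = 94

def compare(guesses_per_second=OFFLINE_RATE):
    """Worst-case years to exhaust each candidate set at the given rate."""
    cases = {
        "dictionary word + derivatives": DICTIONARY_WITH_DERIVATIVES,
        "8 random printable chars": keyspace(PRINTABLE_ASCII, 8),
        "16 random printable chars": keyspace(PRINTABLE_ASCII, 16),
    }
    return {name: years_to_exhaust(space, guesses_per_second)
            for name, space in cases.items()}

if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:32s} {years:12.3g} years")
```

Against the offline rate, the dictionary set falls in a fraction of a second and 8 random characters in about a week, while 16 random characters exceed a hundred trillion years.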

Credential stuffing attacks can be prevented by always using random passwords and never using the same password twice. Even if a breach exposes one of your passwords, you’ll know all your other accounts are safe.

Using these two tactics will also prevent password spraying attacks, since these rely on organizations reusing weak passwords. By always using strong passwords in combination with two-factor authentication (2FA), which requires you to prove your identity with a second device, you've rendered any password-spraying attempt useless.

How to prevent brute force attacks with Proton

All the above tips are part of a decent password policy, whether you’re a business or an individual. However, to implement them, you’re going to need a password manager, a program that can generate and store passwords for you, and even autofill them as you browse. They are a way not just to improve your online security, but also your quality of life.

A password manager can be so much more, too, which is why we developed Proton Pass. Our password manager has all the basic functionality you need to protect yourself from brute force attacks — including built-in 2FA support that makes this vital feature a lot less hassle — but also offers some unique extras that will help you build a digital identity that will keep you secure from attacks.

For example, when creating accounts you can use hide-my-email aliases, which point to your real email address without revealing it. These make it very hard for most brute force attacks to target you, as attackers won't have a username that has been used on other accounts. You can also opt to use passkeys on sites that support this state-of-the-art authentication method. With passkeys there's no password to guess, making brute force attacks pointless.

Besides these, we also have a few features that improve your security in more general ways. The best example is end-to-end encryption, which ensures that your passwords are known only to you. Nobody, not even we, knows what you're storing with us. This is great for security, but also promotes greater privacy.

This combination of security and privacy is what makes Proton the leader in this field. As we are entirely funded by subscriptions — no venture capital, no advertisers — we rely on you to keep us in business. As a result, we’ll always put you, our community, first. If that sounds like something you’d like to be a part of, join Proton Pass today.
