ADVERTISEMENT

What is a brute force attack & how can you prevent it?

brute force attack featured image
Jack Wherry
Oct 5, 2020 Updated: 28 April 2025 3 min read

Types of Brute Force Attacks

Online Attacks

Offline Attacks

hash fuction model
rainbow table example

Dictionary Attacks

ADVERTISEMENT
dictionary attack model

How to identify brute force attacks

How to Prevent Brute Force Attacks

Prevention For Users

  • Use long, unique passwords. Brute forcing becomes exponentially harder with longer passwords. You can thwart dictionary attacks by making your passwords more unique. If in doubt, use a password manager to automatically generate and save random passwords for each site. Also, check our guide on how to create a strong password.
  • Secure remote desktop connections as much as possible. Remote desktop is a popular way for attackers to get access to your computer. Leave remote desktop off as much as possible. When it’s on, use an extremely strong password.
  • Use two-factor authentication. A brute-force attack is far more difficult when a correct password isn’t enough to log into an account. With 2FA, users need their phone or a physical security key to log into their accounts. This makes your account far more secure.

Prevention For Server Operators

  • Use rate limiting. If you run a server, make sure that hackers can’t try passwords very fast. They might get discouraged and give up if the delay is long enough.
  • Don’t use account lockouts. If you own a website, it might make sense to lock accounts after a certain number of incorrect attempts. However, this lets an attacker perform a denial of service attack by locking out lots of accounts.
  • Secure SSH appropriately. Enable fail2ban, disable password logins (in favor of SSH keys), and turn off root login from SSH.
  • Hash and salt your passwords with modern algorithms. MD5 or another very basic hash algorithm is hardly better than nothing. Use a modern hash function and salt to prevent rainbow table attacks.

Short history and examples of brute force attacks

  • Brute force attacks have been a theoretical possibility since the dawn of modern encryption. They’ve continually become more practical as time goes on.
  • 1977: Scientific paper on brute force attacks on the DES encryption scheme is published (Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard by Whitfield Diffie).
  • 1996: Cryptologist Michael J Weiner publishes the paper Efficient DES Key Search, which continues the process towards efficient offline attacks.
  • 2004: Fail2ban was initially released, making servers easier to secure from brute force attacks.
  • 2007: The first beta version of Aircrack-ng was released. Wi-Fi network hacking became a lot easier.
  • 2013: GitHub users are the victims of an online brute force attack.
  • 2015: Hashcat became free and open-source, opening GPU-accelerated offline brute force attacks to a wider audience.
  • 2016: Alibaba-owned marketplace Taobao suffers an attack, as a result of which more than 20 million passwords are brute-forced.
  • Circa 2017: GrayKey is made available, allowing law enforcement to more easily perform brute force attacks on encrypted iPhones.

Brute force attack tools

  • Hashcat: State-of-the-art offline password cracking. This tool offloads work to the graphics processing unit (GPU), which makes it very fast.
  • Aircrack-ng: Wi-Fi password cracking. Aircrack-ng monitors encrypted Wi-Fi traffic and uses a variety of brute-force-based attacks to find the network password.
  • RainbowCrack: Offline password cracking with rainbow tables. Instead of computing the hash for every possible password, RainbowCrack takes advantage of precomputed hashes.
  • Ncrack: Online network authentication hacking. Hackers who want to attack the Microsoft remote desktop protocol, SSH, or an encrypted email connection can use Ncrack. It also supports attacks other than those involving brute force.

Build your secure personal and business online presence


Frequently asked questions

ADVERTISEMENT