What is a brute-force attack?

A brute-force attack is a method of attack in which a high level of computing power is used to crack secure accounts by repeatedly and systematically entering many different user passwords and combinations.



A definition of brute-force attack

Cracking passwords by brute force has, for years, been part of the standard repertoire of hackers, penetration testers, cyber forensics experts, and even cybercriminals. Using automated tools and powerful hardware, simple login credentials can be “guessed” in a short time. However, the stronger passwords and encryption become, the more computing power and time are required in the brute-force method.



How does a brute-force attack work?

Brute-force attacks usually require powerful computer systems and automated tools, which, when used together, make it possible to compute as many candidate solutions as possible at high speed and so recover the sought-after account information. The success of a brute-force attack depends largely on the strength of the passwords being used and whether any additional account information is already available. If, for example, specific parts of the password or the exact number of characters are already known, this significantly lowers the number of possible combinations, making the attack easier. Depending on how much information is known, a distinction is made between the different kinds of brute-force attacks.


What kinds of brute-force attacks are there?

Depending on the approach, there are a number of brute-force attack methods to choose from. The amount of information about the credentials being sought plays a key role.

Traditional brute-force attack

It is called conventional brute force if no information is available about the passwords or account names and the attackers are simply testing every possible combination of login credentials. The more powerful the hardware used, the faster passwords can be cracked. Special graphics cards are very well suited to solving cryptographic puzzles. This is why they are mainly used for mining digital currencies such as Bitcoin, since the hardware requirements are similar.

Credential stuffing

In credential stuffing, all of the credentials are already known, but not the service or platform they are used for. In this brute-force method, attackers take advantage of convenience on the part of users. Since, despite periodic warnings, many users still use the same email and password combination for multiple services, it is easy for cybercriminals to take control over a number of accounts once this information is known. Most stolen account info comes from hacks perpetrated on internet services. Whole lists of these records are being traded on the darknet. In order to act as quickly as possible and evade detection, attackers rely on botnets, which make countless concurrent login attempts in disguise, concealed behind a lot of different IP addresses.

Credential cracking

Unlike credential stuffing, attacks employing credential cracking start without all of the account credentials. Attackers have, for example, the user name for a specific payment account, but not the password. To get the password, attackers can either successively work through the passwords on lists of the most commonly used passwords or compute a completely random key. Botnets are again generally used to conceal and speed up the attacks.

Rainbow table attacks

Even if attackers have access to the passwords stored on the system, they are not normally stored in plain text, but only as hashes. “Rainbow tables” include the hash values of the most commonly used passwords. The passwords can be found by automatically comparing this data.
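The following added example (not part of the original page) shows, from the storage side, why the lookup described above works against fast unsalted hashes and stops working once each record has its own salt. It uses a plain hash-to-password dictionary rather than the chained tables that real rainbow-table tools build; the word list, user names, and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample word list; real precomputed tables cover far more candidates.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 100_000  # assumed work factor for this demo; tune for your hardware

def unsalted_hash(password):
    """Weak storage: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> password once; it can then be reused against any store."""
    return {unsalted_hash(w): w for w in words}

def exposed_accounts(store, table):
    """Audit a {user: hex_hash} store for hashes present in the table."""
    return {user: table[h] for user, h in store.items() if h in table}

def hash_password(password, salt=None):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

TABLE = build_lookup_table(COMMON_PASSWORDS)
# Constructed user store: two users share a common password.
WEAK_STORE = {
    "alice": unsalted_hash("qwerty"),
    "bob": unsalted_hash("qwerty"),
    "carol": unsalted_hash("c0rrect-h0rse-battery"),
}

if __name__ == "__main__":
    print("unsalted hits:", exposed_accounts(WEAK_STORE, TABLE))
    (s1, d1), (s2, d2) = hash_password("qwerty"), hash_password("qwerty")
    print("same password, same record?", d1 == d2)  # salts differ per user
```

Because every salted record is unique, a precomputed table would have to be rebuilt for each user, which removes the advantage of precomputation.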

Dictionary attacks

As the name suggests, dictionary attacks employ existing lists of common user names and passwords to crack digital accounts.


What tools are used in brute-force attacks?

In addition to having the most powerful hardware possible, the software being used also plays an instrumental role in successful brute-force attacks. A number of common cracking tools have become popular among security specialists and cybercriminals alike:


Aircrack-ng is a full suite of tools used to detect vulnerabilities in wireless networks. The software can be used on Windows, Linux, iOS, and Android. The program uses a dictionary of widely used passwords to crack Wi-Fi networks.

John the Ripper

John the Ripper (JtR for short) is an open source tool used to test authentication devices and is available for a variety of operating systems. The software uses a dictionary of the most commonly used passwords to test every possible login combination.


L0phtCrack is a password auditing and recovery application used to test password strength and sometimes to recover lost Microsoft Windows passwords by using dictionary, brute force, hybrid attacks, and rainbow tables.


Hashcat is primarily a password recovery tool that was originally proprietary but has been developed as open source since 2015 and is available for Linux, macOS, and Windows. The software recovers passwords based on their specific hashes.


This software is a free brute-force tool for Apple’s macOS. It was originally created as a hash extractor but has since evolved into a standalone password cracker.


Ncrack is a penetration testing tool used to crack network authentication quickly. It is designed to help companies maintain password security.


Brutus is a free password cracker written originally to help check routers and other network devices for default and common passwords. The software supports HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3, FTP, SMB, and Telnet.


Hydra is a login cracker which supports multiple concurrent connections and protocols. Penetration testers can use it to take a close look at multiple passwords on different systems simultaneously.


What risks do brute-force attacks pose?

In general, brute-force methods make it possible for attackers to compromise company accounts and systems. Depending on login options and hardware, even complex system encryption on mobile devices such as smartphones and notebooks can be cracked by brute force. Considerable harm may come from sensitive data records getting into the wrong hands. If the data wasn’t being properly secured, there might also be fines to face for lack of IT security and breaches of data protection law.

Credential stuffing and credential cracking have become lucrative sources of income for cybercriminals on the internet. The online accounts hijacked by these methods are sold at high prices on the darknet and are usually the starting point for more advanced cyberattacks. Attacks of this kind have serious consequences for companies. If attackers take over customer accounts in spectacular fashion, any affected company can expect lower revenues and prolonged damage to its image.



How can companies protect themselves from brute-force attacks?

Initially, strict password policies are recommended to prevent data leaks from brute-force attacks. Strong passwords use special characters and must be at least a certain length. Each password may also only be used for a single account. The use of password managers is recommended either locally on the system, hosted on the internal company network, or on a cloud service.

Bot management systems provide additional security for online accounts. These tools automatically detect suspicious login attempts by bots, helping to fend off credential stuffing and credential cracking attacks.
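As an added illustration (not part of the original page, and not how any particular bot management product works), the sketch below runs simple detection logic over a constructed login log and tells the two patterns described earlier apart: many failures against one account (credential cracking) versus one or two failures against many accounts from many addresses (credential stuffing). The thresholds, field layout, and sample events are assumptions.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions; tune them against real traffic.
WINDOW_SECONDS = 300
CRACKING_FAILS_PER_USER = 5  # failed logins against one account per window
STUFFING_MIN_USERS = 6       # accounts with only one or two failures per window

def classify_window(events):
    """events: (epoch_seconds, src_ip, username, success) tuples from one window."""
    fails = defaultdict(list)
    for _, ip, user, ok in events:
        if not ok:
            fails[user].append(ip)
    findings = []
    # Credential cracking: one known user name, many password guesses.
    for user, ips in sorted(fails.items()):
        if len(ips) >= CRACKING_FAILS_PER_USER:
            findings.append(("credential_cracking", user, len(ips), len(set(ips))))
    # Credential stuffing: many accounts, a try or two each, spread over many IPs.
    sparse = {u: ips for u, ips in fails.items() if len(ips) <= 2}
    sources = {ip for ips in sparse.values() for ip in ips}
    if len(sparse) >= STUFFING_MIN_USERS and len(sources) >= len(sparse) // 2:
        findings.append(("credential_stuffing", "*", len(sparse), len(sources)))
    return findings

def detect(events, window=WINDOW_SECONDS):
    """Bucket events into fixed windows and return {window_start: findings}."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    results = {b * window: classify_window(evs) for b, evs in sorted(buckets.items())}
    return {start: found for start, found in results.items() if found}

def max_fails_per_ip(events):
    """What a per-IP rate limit sees: failures from the busiest single address."""
    per_ip = defaultdict(int)
    for _, ip, _user, ok in events:
        per_ip[ip] += 0 if ok else 1
    return max(per_ip.values(), default=0)

# Constructed log (documentation IP ranges): cracking against "alice", then stuffing.
SAMPLE = (
    [(10 + i, f"198.51.100.{i}", "alice", False) for i in range(6)]
    + [(20, "192.0.2.10", "bob", True), (30, "192.0.2.11", "carol", False)]
    + [(400 + i, f"203.0.113.{i}", f"user{i}", False) for i in range(8)]
)

if __name__ == "__main__":
    print(detect(SAMPLE), "max fails per IP:", max_fails_per_ip(SAMPLE))
```

In the sample, no single address fails more than once, so a per-IP rate limit alone would flag nothing; grouping by account and by time window is what surfaces both patterns.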



What you need to know about brute-force attacks

Brute-force attacks are used to gain access to secured systems even without the required login information. To do this, attackers use automated tools and powerful systems to work out the missing passwords. As the complexity of login credentials grows, the effort involved in brute-force attacks also increases significantly. If, however, parts of the login name and password are already known, this makes the process much easier. Security researchers and penetration testers, but also cybercriminals, use brute-force attacks. Sub-methods such as credential stuffing have become the most popular types of attack carried out by internet scammers.

Having strong passwords and using bot management systems online are the best protection from brute-force attacks – the latter help identify and block suspicious requests from bots. Myra Web Security’s Deep Bot Management also includes such a solution, which reliably directs harmful traffic away from your website.
