
Brute-force Attack

Definition

In a brute-force attack, an attacker systematically tries all possible combinations of passwords or keys until the correct one is found. This is one of the most direct methods of gaining access.

A brute force attack is a method where an attacker systematically tries all possible combinations of passwords, encryption keys or PIN codes until the correct one is found. Brute force is one of the oldest attack techniques but remains effective against weak passwords. According to Verizon DBIR 2024, credential abuse is involved in over 40% of all data breaches.

How does a brute force attack work?

The attacker uses automated software executing thousands to millions of login attempts per second. Simple brute force tries every possible combination. Dictionary attacks use lists of common passwords. Credential stuffing reuses leaked username-password pairs on other services. Hybrid attacks combine dictionaries with variations. Rainbow table attacks use precomputed hash tables to crack password hashes.

Types of brute force

Online brute force targets live authentication systems. Offline brute force cracks stolen password hashes without interacting with the target system and is therefore much faster. Password spraying tries a small number of common passwords against many accounts to evade lockout. Reverse brute force starts with a known password and tries it against different usernames.
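The two online patterns above leave different traces in authentication logs: classic brute force produces a burst of failures against one account, while password spraying produces a few failures each against many accounts from one source. The following detection logic, an added example that is not part of the original page and not DEFION's tooling, runs over a constructed sample log; the log line format, the field names and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<account> src=<source ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:06 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:08 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:10 FAIL user=alice src=203.0.113.5
2024-05-01T10:01:00 FAIL user=bob src=198.51.100.7
2024-05-01T10:01:30 FAIL user=carol src=198.51.100.7
2024-05-01T10:02:00 FAIL user=dave src=198.51.100.7
2024-05-01T10:02:30 FAIL user=erin src=198.51.100.7
2024-05-01T10:03:00 FAIL user=frank src=198.51.100.7
2024-05-01T10:03:10 FAIL user=heidi src=192.0.2.9
2024-05-01T10:03:15 OK user=heidi src=192.0.2.9
2024-05-01T10:04:00 OK user=grace src=192.0.2.20
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(lines, window=timedelta(minutes=5), per_account_threshold=5,
           spray_min_accounts=5, spray_max_per_account=2):
    """Return alerts as (kind, subject) tuples.

    brute_force    : >= per_account_threshold failures on one account inside `window`
    password_spray : one source failing against >= spray_min_accounts distinct accounts,
                     with at most spray_max_per_account failures per account
    """
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []

    # Classic (vertical) brute force: sliding window over failures per account.
    fails_by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_user[e["user"]].append(e["ts"])
    for user, stamps in fails_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= per_account_threshold:
                alerts.append(("brute_force", user))
                break  # one alert per account is enough

    # Password spraying: many accounts, few attempts each, from one source.
    fails_by_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]][e["user"]] += 1
    for src, per_user in fails_by_src.items():
        if (len(per_user) >= spray_min_accounts
                and max(per_user.values()) <= spray_max_per_account):
            alerts.append(("password_spray", src))

    return alerts


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {subject}")
```

In the sample, alice's six failures in ten seconds trigger the per-account rule, while 198.51.100.7 never fails more than once per account and only shows up when failures are grouped by source; heidi's single mistyped password followed by a success raises nothing. The spray rule here counts over the whole input; in a SIEM it would run over a time bucket so that a slow spray spread across hours is still aggregated per source.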

Impact on organisations

Brute force attacks are a constant threat for any organisation with online authentication. NIS2 requires adequate authentication measures. PCI DSS sets password policy and lockout requirements.

Protection

Implement MFA on all accounts. Set account lockout after limited failed attempts. Use CAPTCHA for online forms. Implement rate limiting on authentication endpoints. Require strong passwords of minimum 12 characters. Monitor for brute force patterns via SIEM.
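Three of these controls (account lockout, per-source rate limiting and a minimum password length) can be expressed as a small gate that runs before the password is verified. The code below is an added example, not code from the original page or from DEFION; the thresholds, the `AuthGuard` class and the `simulate` helper are assumptions for illustration, and time is passed in explicitly so the behaviour is reproducible.

```python
from collections import defaultdict, deque

MIN_PASSWORD_LENGTH = 12  # minimum length stated in the page's protection advice


def password_meets_policy(password):
    """Length rule only; a real policy would also reject known-breached passwords."""
    return len(password) >= MIN_PASSWORD_LENGTH


class AuthGuard:
    """Decides whether a login attempt may proceed (assumed design).

    - account lockout after `max_failures` consecutive failures, for `lockout_seconds`
    - per-source rate limit of `max_per_window` attempts per `window_seconds`
    The per-source limit matters because password spraying spreads attempts over
    many accounts and therefore never trips a per-account lockout on its own.
    """

    def __init__(self, max_failures=5, lockout_seconds=900,
                 max_per_window=10, window_seconds=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.failures = defaultdict(int)     # consecutive failures per account
        self.locked_until = {}               # account -> time the lock expires
        self.attempts = defaultdict(deque)   # source -> timestamps of recent attempts

    def check(self, user, src, now):
        """Return 'ok', 'locked' or 'rate_limited'. Call before verifying credentials."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        recent = self.attempts[src]
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()                 # drop attempts outside the sliding window
        if len(recent) >= self.max_per_window:
            return "rate_limited"
        recent.append(now)
        return "ok"

    def record_failure(self, user, now):
        """Count a failed verification; lock the account when the threshold is hit."""
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure counter and any lock."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def simulate(guard, attempts):
    """attempts: list of (user, src, password_correct, now). Returns one outcome per attempt."""
    outcomes = []
    for user, src, correct, now in attempts:
        verdict = guard.check(user, src, now)
        if verdict != "ok":
            outcomes.append(verdict)
            continue
        if correct:
            guard.record_success(user)
            outcomes.append("success")
        else:
            guard.record_failure(user, now)
            outcomes.append("failure")
    return outcomes


if __name__ == "__main__":
    # Constructed scenario 1: seven wrong passwords for one account, then the right one.
    guard = AuthGuard()
    burst = [("alice", "203.0.113.5", False, t) for t in range(7)]
    burst += [("alice", "203.0.113.5", True, 10), ("alice", "203.0.113.5", True, 1000)]
    print(simulate(guard, burst))
    # Constructed scenario 2: one source trying twelve different accounts once each.
    spray = [(f"user{i}", "198.51.100.7", False, i) for i in range(12)]
    print(simulate(AuthGuard(), spray))
```

In the first scenario the fifth failure locks the account, so the sixth and seventh attempts and even the correct password at second 10 are refused until the 900-second lock expires; in the second, no account ever reaches the lockout threshold, but the source is cut off after ten attempts in a minute. Lockout on its own can be turned against legitimate users, which is why it is paired here with a short lock duration, a reset on success and the source-based limit rather than used alone.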

How DEFION helps

DEFION tests brute force resilience as part of External Pentests and Web Application Pentests. The team evaluates password policies, lockout mechanisms and MFA implementation.

Related terms

Credential Stuffing
Phishing