A brute force attack is an attempt to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. This is an old attack method, but it's still effective and popular with hackers.

Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years. In fact, IBM reports that some hackers target the same systems every day for months and sometimes even years.

Tools Aid Brute Force Attempts

Guessing a password for a particular user or site can take a long time, so hackers developed tools to do the job faster.

Dictionaries are the most basic tool. Some hackers run through unabridged dictionaries and augment words with special characters and numerals or use special dictionaries of words, but this type of sequential attack is cumbersome.

In a standard attack, a hacker chooses a target and runs possible passwords against that username. These are known as dictionary attacks.

Just as the name implies, a reverse brute force attack reverses the attack strategy by starting with a known password — like leaked passwords that are available online — and searching millions of usernames until it finds a match.

Automated tools are also available to help with brute-force attacks, with names like Brutus, Medusa, THC Hydra, Ncrack, John the Ripper, Aircrack-ng, and Rainbow. Many can find a single dictionary word password within one second.

Tools like these work against many computer protocols (like FTP, MySQL, SMPT, and Telnet) and allow hackers to crack wireless modems, identify weak passwords, decrypt passwords in encrypted storage, translate words into leetspeak — "don'thackme" becomes "d0n7H4cKm3," for example — run all possible combinations of characters, and operate dictionary attacks.

Some tools scan pre-computed rainbow tables for the inputs and outputs of known hash functions — the algorithm-based encryption method used to translate passwords into long, fixed-length series of letters and numerals.

GPU Speeds Brute Force Attempts

Combining the CPU and graphics processing unit (GPU) accelerates computing power by adding the thousands of computing cores in the GPU to the processing to enable the system to handle multiple tasks simultaneously. GPU processing is used for analytics, engineering, and other computing intensive applications and can crack passwords about 250 times faster than a CPU alone.

To put it in perspective, a six-character password that includes numbers has approximately 2 billion possible combinations. Cracking it with a powerful CPU that tries 30 passwords per second takes more than two years. Adding a single, powerful GPU card lets the same computer test 7,100 passwords per second and crack the password in 3.5 days.

Steps to Protect Passwords for IT Specialists

To make it harder for brute force attacks to succeed, system administrators should ensure that passwords for their systems are encrypted with the highest encryption rates possible, such as 256-bit encryption. The more bits in the encryption scheme, the harder the password is to crack.

Administrators should also salt the hash — randomizing password hashes by adding a random string of letters and numbers (called salt) to the password itself. This string should be stored in a separate database and retrieved and added to the password before it's hashed. By doing this, users with the same password have different hashes. Additionally, administrators can require two-step authentication and install an intrusion detection system that detects brute force attacks.

Limiting the number of attempts also reduces susceptibility to brute-force attacks. Allowing, for example, three attempts to enter the correct password before locking out the user for several minutes can cause significant delays and cause hackers to move on to easier targets.

How Users Can Strengthen Passwords

When possible, users should choose 10-character passwords that include symbols or numerals. Doing so creates 171.3 quintillion (1.71 x 1020) possibilities. Using a GPU processor that tries 10.3 billion hashes per second, cracking the password would take approximately 526 years, although a supercomputer could crack it within a few weeks.

Not all sites accept such long passwords, however, which means users should choose complex passphrases rather than single words. It's important to avoid the most common passwords and to change them frequently.

Installing a password manager automates password management, allowing users to access all their accounts by first logging into the password manager. They can then create extremely long and complex passwords for all the sites they visit, store them safely, and they only have to remember the one password to the password manager.

To test passphrase strength, users can visit

Related articles:

Related products:

What's a Brute Force Attack?

A brute force attack is an attempt to crack a password or username using a trial and error approach. This is an old attack method, but it's still effective and popular with hackers.
Kaspersky Logo