What is a brute-force attack?

A brute-force attack is a trial-and-error hacking method cybercriminals use to guess login credentials and encryption keys in order to gain unauthorized access to systems. Brute force is an exhaustive search rather than a technique that exploits a flaw in the target: the attacker simply keeps guessing until a guess works.

Just as a criminal might crack a safe by trying many possible combinations, a brute-force attack systematically tries possible combinations of characters -- letters, numbers and symbols -- until it recovers a password, login credential or encryption key.

Cybercriminals typically use brute-force attacks to gain unauthorized access to systems, websites, user accounts or networks. Once inside, they might install malware, take down web applications or exfiltrate data, potentially causing data breaches.

A simple brute-force attack tries candidate passwords one after another, usually with automated tools, until the correct one is found. This is an old but still effective method for cracking common and short passwords.

How long a brute-force attack takes depends on the size of the search space and how fast the attacker can test guesses. Short or common passwords fall in seconds; a long, random password can take years to centuries to exhaust. Each extra character multiplies the number of candidates, so organizations that enforce long passphrases push the attack time far enough out that it becomes impractical, and far enough that defenders can detect and block the attempts.

What are the different types of brute-force attacks?

Different types of brute-force attacks include the following:

  • Simple brute-force attack. The attacker systematically tries candidate user IDs, passwords and personal identification number (PIN) codes, either by hand against a few obvious defaults or, more commonly, with a script that walks the whole character space. These attacks still work because many accounts carry weak or default credentials that are easy to guess.
  • Dictionary brute-force attack. Instead of every possible string, the attacker works through a wordlist of likely passwords: dictionary words, common phrases and passwords leaked in previous breaches. Automated tools usually apply substitutions as they go, such as appending digits or swapping letters for special characters, to catch the predictable ways people "strengthen" a word.
  • Hybrid brute-force attack. This attack combines a dictionary attack with brute-force style mutation: each wordlist entry is extended with short sequences of digits and symbols, so "sunshine" also yields "Sunshine2024!" and similar variants. Cyberattackers often use this method when they already know the user ID and only need the password.
  • Rainbow table attack. Systems do not store passwords in the clear; they store a hash of each password, and at login the submitted password is hashed and compared with the stored hash. A rainbow table is a precomputed table that maps hashes back to the plaintexts that produced them, trading storage for cracking time. An attacker who obtains a stolen hash database looks each hash up in the table instead of hashing guesses from scratch. Ready-made tables circulate on the dark web. They only work against unsalted hashes: if the system adds a random per-user salt before hashing, the same password hashes differently for every user and no table can be precomputed.
  • Credential stuffing. This attack replays username and password pairs stolen from one breach against many unrelated services, relying on the fact that people reuse passwords across sites.
  • Reverse brute-force attack. Also called password spraying, this attack starts with one common or known password and tries it against many usernames. The attacker fixes the password and iterates over the accounts rather than the other way around, which also keeps each account under the failed-attempt threshold that would trigger a lockout.

Additional forms of brute-force attacks might involve trying the most commonly used passwords -- such as "password," "admin," "12345678" or "qwerty" -- before trying other passwords.
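As an added example (not code from the original article), the Python below implements each attack type in miniature against constructed, unsalted SHA-1 hashes: a simple brute force over a small character set, a dictionary attack, a hybrid attack that mutates wordlist entries, a reverse brute force (password spray) across a user table, and a precomputed hash lookup that succeeds against an unsalted hash and fails against a salted one. Every password, username and wordlist entry is made up, and the plain dictionary used for the lookup stands in for the time-memory trade-off chains of a real rainbow table.

```python
import hashlib
import itertools
import string


def sha1_hex(text):
    """Unsalted SHA-1, standing in for a legacy password store (never use this for real passwords)."""
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed sample data: all passwords, users and wordlist entries below are made up.
CHARSET = string.ascii_lowercase + string.digits + "!"
WORDLIST = ["password", "welcome", "sunshine", "dragon"]
SUFFIXES = ["", "1", "123", "2024", "2024!"]
USERS = {  # username -> unsalted SHA-1 of that user's password
    "alice": sha1_hex("Winter2024!"),
    "bob": sha1_hex("correct horse battery staple"),
    "carol": sha1_hex("Winter2024!"),
}


def keyspace_size(charset, max_len):
    """Number of candidates a simple brute force must cover for lengths 1..max_len."""
    n = len(charset)
    return sum(n ** k for k in range(1, max_len + 1))


def simple_bruteforce(target_hash, charset=CHARSET, max_len=3):
    """Try every string over the charset, shortest first, until the hash matches."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha1_hex(candidate) == target_hash:
                return candidate
    return None


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try only the words in a wordlist."""
    for word in wordlist:
        if sha1_hex(word) == target_hash:
            return word
    return None


def hybrid_attack(target_hash, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Dictionary words plus brute-force style mutations: capitalisation and common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                candidate = base + suffix
                if sha1_hex(candidate) == target_hash:
                    return candidate
    return None


def password_spray(password, users=USERS):
    """Reverse brute force: one password, many accounts. Returns every user it opens."""
    h = sha1_hex(password)
    return [user for user, stored in users.items() if stored == h]


def build_lookup_table(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Precompute hash -> plaintext once; the idea behind a rainbow table, here as a dict."""
    return {sha1_hex(w + s): w + s for w in wordlist for s in suffixes}


def lookup(table, target_hash):
    """Recover a plaintext from a stolen hash without hashing anything at attack time."""
    return table.get(target_hash)


if __name__ == "__main__":
    print("candidates up to 3 chars:", keyspace_size(CHARSET, 3))
    print("simple:", simple_bruteforce(sha1_hex("z9!")))
    print("dictionary:", dictionary_attack(sha1_hex("sunshine")))
    print("hybrid:", hybrid_attack(sha1_hex("Sunshine2024!")))
    print("spray:", password_spray("Winter2024!"))
    table = build_lookup_table()
    print("unsalted lookup:", lookup(table, sha1_hex("dragon123")))
    # A per-user salt ("x7f3" here, constructed) is prepended before hashing, so the
    # precomputed table no longer contains the hash.
    print("salted lookup:", lookup(table, sha1_hex("x7f3" + "dragon123")))
```

Note how the search spaces differ: the simple brute force over 37 characters covers 52,059 candidates just to reach length 3, while the dictionary and hybrid attacks test a few dozen candidates yet recover the longer "Sunshine2024!" because it is a predictable mutation of a common word. The spray finds every account sharing the weak password without ever hitting one account more than once.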

What are the motives behind brute-force attacks?

The motives behind brute-force attacks vary, but bad actors often seek to do damage in the following ways:

  • Distribute malware or spyware. Attackers can use brute-force attacks to compromise systems, spread malware or spyware to collect data to sell, or launch further attacks.
  • Financial gain. Attackers can drain bank accounts or steal credit card information. They can also monetize a compromised website by injecting spam advertising that pays out whenever a visitor views or clicks an ad.
  • Data theft. Sensitive data, such as passwords or financial records, can be sold on the dark web or used for identity theft.
  • Damage reputation. Attackers can use a brute-force attack to compromise an organization's networks and damage its reputation.
  • Service disruption. Repeated login attempts overload user authentication systems, locking out users and causing system slowdowns or outages.

What is the best way to protect against brute-force attacks?

Organizations can strengthen cybersecurity against brute-force attacks by using a combination of the following strategies:

  • Increase password length and complexity. Each extra character multiplies the number of candidates an attacker must try, so length matters more than any single special character. Password policies that require a minimum length (passphrases work well), allow special characters and reject known-breached passwords make passwords far harder to crack.
  • Limit failed login attempts. Lock or throttle an account for a set period after a number of failed attempts within a short window. Because an attacker can abuse lockouts to deny service to legitimate users, pair per-account lockouts with rate limiting by source address and progressive delays rather than relying on lockouts alone.
  • Salt and hash passwords. Never store passwords in plaintext or with reversible encryption. Store a hash produced by a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, with a random per-user salt. The salt means two users with the same password get different stored hashes, which defeats rainbow tables, and the slow hash multiplies the cost of every guess an attacker makes against a stolen database.
  • Implement CAPTCHAs. These slow or stop automated guessing against online login forms while keeping networks, systems and websites usable by humans. They do nothing against offline cracking of stolen hashes with tools such as John the Ripper or Hashcat, which is why hashing and salting matter as well.
  • Enact two-factor authentication. This type of multifactor authentication adds a layer of login security by requiring two forms of authentication, so a guessed password alone is not enough. For example, to sign in to a new Apple device, users must enter their Apple ID password and a six-digit code displayed on another device previously marked as trusted.
Chart: Users can employ various techniques to help secure their passwords from brute-force attacks.
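As an added example, not code from the original article, the Python below combines three of these controls in one login routine: salted, deliberately slow password hashing (PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt, a constructed choice of parameters), constant-time comparison of the result, and a per-account lockout after five failures. The user store is an in-memory dictionary and the clock can be injected through `now`, so the lockout window can be exercised without waiting. All usernames and passwords are made up.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 600,000 iterations,
# lock an account for 15 minutes after 5 consecutive failures.
ITERATIONS = 600_000
SALT_BYTES = 16
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900

_users = {}     # username -> (salt, derived key); constructed in-memory store
_failures = {}  # username -> (consecutive failures, locked_until timestamp)


def hash_password(password, salt=None):
    """Return (salt, derived_key). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived


def register(username, password):
    """Store only the salt and the slow hash, never the password itself."""
    _users[username] = hash_password(password)


def attempt_login(username, password, now=None):
    """Return "ok", "denied" or "locked". `now` is injectable for testing."""
    now = time.time() if now is None else now
    failures, locked_until = _failures.get(username, (0, 0.0))
    if now < locked_until:
        return "locked"

    stored = _users.get(username)
    if stored is None:
        # Hash a dummy anyway so unknown and known usernames take the same time,
        # which keeps the response from leaking which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        ok = False
    else:
        salt, expected = stored
        # compare_digest runs in constant time regardless of where the hashes differ.
        ok = hmac.compare_digest(hash_password(password, salt)[1], expected)

    if ok:
        _failures.pop(username, None)
        return "ok"

    failures += 1
    if failures >= MAX_FAILURES:
        _failures[username] = (0, now + LOCKOUT_SECONDS)
        return "locked"
    _failures[username] = (failures, 0.0)
    return "denied"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    t0 = 1_000.0
    print(attempt_login("alice", "correct horse battery staple", now=t0))  # ok
    for _ in range(MAX_FAILURES):
        print(attempt_login("alice", "Winter2024!", now=t0))             # denied x4, then locked
    print(attempt_login("alice", "correct horse battery staple", now=t0 + 1))    # locked
    print(attempt_login("alice", "correct horse battery staple", now=t0 + 901))  # ok
    # Same password, two registrations: the random salts give different stored hashes.
    _, k1 = hash_password("same password")
    _, k2 = hash_password("same password")
    print("salted hashes differ:", k1 != k2)
```

The lockout here is per account, which is exactly the control an attacker can turn into a denial of service by deliberately failing logins for a victim's username; in production it belongs alongside per-source-address rate limiting and a progressive delay, and the lockout state should live in a shared store rather than a process-local dictionary.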

Brute-force attack tools used to test cybersecurity

Penetration testers and administrators often use the following tools to audit password strength and confirm that systems and networks are not susceptible to brute-force attacks:

  • Aircrack-ng. This Wi-Fi security suite captures wireless traffic and recovers WEP keys and WPA/WPA2-PSK passphrases from captured handshakes using dictionary attacks. It runs on Linux, Windows, macOS and several other OSes.
  • Hashcat. This free, open source password recovery tool uses GPUs (and CPUs) to run brute-force, dictionary, rule-based, mask and hybrid attacks against hundreds of hash formats. It runs on Windows, Linux and macOS.
  • L0phtCrack. This Windows password auditing tool, open sourced in 2021, extracts Windows account hashes and tests them with dictionary, brute-force and rainbow table attacks.
  • John the Ripper. This free, open source tool runs on most OSes and supports brute-force, dictionary and rule-based attacks against a wide range of hash formats. Administrators use it to find weak passwords before attackers do.
  • iMobie AnyUnlock. This commercial tool, run from Windows or Mac, tests whether iPhone screen locks can be removed and device or backup passwords recovered.
  • CrackStation. This free online service looks up unsalted password hashes such as MD5 and SHA-1 in a very large precomputed table, a practical demonstration of why salting matters.
  • Password Cracker. This small Windows utility reveals passwords hidden behind asterisks in application password fields.
  • RainbowCrack. This tool generates rainbow tables and uses them to crack unsalted hashes such as LM, NTLM, MD5 and SHA-1.

What are examples of brute-force attacks?

  • In 2009, attackers targeted Yahoo accounts using automated password cracking scripts on a Yahoo web services-based authentication application thought to be used by internet service providers and third-party web applications.
  • In 2015, threat actors breached nearly 20,000 accounts by making millions of automated brute-force attempts to access Dunkin's mobile app rewards program for DD Perks.
  • In 2017, cybersecurity criminals used brute-force attacks to access the U.K. and Scottish Parliaments' internal networks.
  • In 2018, brute-force attackers cracked the passwords and sensitive information of millions of Cathay Pacific airline passengers.
  • In 2018, a Firefox bug that had gone unfixed for almost nine years was found to protect the browser's master password with a single round of Secure Hash Algorithm 1 (SHA-1) hashing, leaving it exposed to brute-force attacks.
  • In 2021, the National Security Agency warned of brute-force password attacks launched from a specially crafted Kubernetes cluster operated by Russia's military intelligence agency, the GRU.
  • In 2021, hackers gained access to T-Mobile testing environments and used brute-force attacks and other means to reach other IT servers, including those containing customer data.
  • In 2022, ransomware-as-a-service groups used brute-force attacks against exposed services as an initial entry method in financially motivated operations that have since hit companies in every industry sector.
  • In 2023 and 2024, brute-force attacks on exposed services served as the initial foothold for new ransomware variants, with encryption triggered about 48 hours after the initial intrusion.
  • In January 2025, a weeks-long brute-force campaign originating from roughly 2.8 million IP addresses a day, most of them in Brazil, targeted virtual private network devices, firewalls and network gateways.

Passphrases are becoming a popular alternative to passwords, as they offer enhanced security and can be easier for users to remember. Learn how to create a secure passphrase.

This was last updated in April 2025
