What Is a Brute Force Attack?

A brute force attack is a trial-and-error tactic used by hackers to crack login credentials, encryption keys, and hidden URLs. As implied by their name, brute force attacks use brute force techniques in the form of endless login attempts to gain unauthorized access to private accounts, sensitive files, organizations’ networks, and other password-protected online resources. This is achieved by employing bots that continuously try different combinations of usernames and passwords to break into accounts.

Despite having been around for decades and being relatively simple, brute force attacks remain quite popular and are still commonly used by hackers to commit account takeover (ATO) due to their effectiveness. Brute force attacks are simple but  effective, because they do not rely on compromised credentials at all – rather, their success hinges on weak, easily-guessed passwords. This is easier than it should be, given poor password hygiene overall – the majority of individuals use only 3 unique passwords across multiple logins, and 12% of people use the same password for everything. The most commonly used password on the web is still “123456” and things like “qwerty” and “password” appear in the top five as well ¹.

It might be difficult to appreciate the consequences of a brute force attack until seeing what criminals do if they are successful. Oftentimes, a brute force attack is the just first step in a much larger cybercrime like a major breach or online fraud.

Here are some typical goals that criminals might have when committing brute force attacks:

Commit Identity Theft

Once cybercriminals break into an online account with a brute force attack, they have access to all the information needed to commit identity theft. With compromised identities in hand, fraudsters can perpetrate more advanced crimes such as ATO and new account fraud (NAF). 

With ATO, fraudsters use stolen credentials to gain unauthorized access to a victim’s existing accounts, such as banking apps, email, or social media profiles. Once inside, they can change account details and make unauthorized transactions. 

When it comes to NAF, criminals use stolen identities to create new accounts in the victim's name. These new accounts can include lines of credit, loans, or even utility services – causing significant financial distress for the victim.

Track User Activity

Once a fraudster accesses a network with a brute force attack, they can freely monitor user activity. As criminals gather more information about the person in question, they can use the data to perpetrate more serious crimes.

An example would be a fraudster gaining access to the email account of a financial services executive. Once inside, the criminal monitors email exchanges and waits until a major transaction occurs. At the perfect time, the bad actor sends a fraudulent wire transfer link from the compromised email account. The crime is completed when the financial services client is tricked into transferring a large sum of money into a fraudulent account.

Perpetrate Malware Attacks

Successful brute force attacks also set the stage for fraudsters to launch malware. In these situations, criminals might redirect website traffic to a malicious site designed to steal sensitive information. Or, they may directly infect a site with hidden spyware. 

Fictitious sites are meticulously crafted to resemble legitimate websites, making it difficult for users to recognize the difference. When redirected to these websites, users are tricked into entering personal information such as credit card numbers. 

When they infect a website with spyware, fraudsters secretly collect personal data like browsing habits and keystrokes. In some instances, the harvested data is sold to advertisers without user consent to enhance targeted marketing efforts.

Vandalize Websites

When an attacker gains access to a website via a brute force attack, it also opens the door to the site being vandalized. In these instances, cybercriminals often deface the site with offensive or inappropriate content. In turn, this content tarnishes the organization’s reputation and drives away visitors and customers.

From time to time, attackers demand a ransom to restore the defamed website to its original state. This type of extortion leverages the need of a website owner to regain control of their online presence.

There are multiple different types of brute force attacks, all of which can be used to gain unauthorized access to online resources.

Simple Brute Force Attacks – Attackers attempt to guess a user’s password entirely on their own, without using any software programs to do so. These attacks work when implemented against users with weak passwords that are easy to guess, like “password”, “1234567890”, or “qwerty”.

Dictionary Attacks – These are the most basic form of brute force attacks. An attacker tests as many passwords against a targeted username as possible. This genre of brute force attacks is referred to as “dictionary attacks” since attackers run through dictionaries while testing passwords, often modifying words to include numbers and special characters.

Hybrid Brute Force Attacks – This attack strategy often uses a combination of simple brute force attacks and dictionary attacks. Attackers use logically guessed words and phrases paired with different combinations of letters and characters to crack an account. Examples of passwords used in this type of attack include popular combinations like “Houston123!” or “Bailey2022”.

Reverse Brute Force Attacks – With reverse brute force attacks, the attacker already knows about an existing password. They then work in reverse by testing out millions of usernames against that password to find a matching set of credentials. In many cases, the hackers use passwords that resulted from a breach and are easily accessible online.

Credential Stuffing – Also known as “credential recycling,” credential stuffing is an upgrade on standard brute force attacks. Attackers test username and password combinations that have been leaked or stolen from the dark web and other websites. This technique works for attacks against users who have reused their login credentials across multiple online accounts – which is unfortunate, as 72% of users admit to reusing passwords.

With high-volume assaults like dictionary attacks, fraudsters leverage sophisticated password-cracking tools to guess credentials, penetrate networks, and steal information. Due to the sheer amount of data involved, this type of attack would be infeasible without such powerful tools. Commonly used attack mechanisms include:

• Cain and Abel: A password recovery tool for Microsoft Operating Systems that can be employed by fraudsters to crack Windows user passwords.

• John the Ripper: A powerful dictionary attack mechanism that works with a variety of operating systems - including Unix, MacOS, Windows, and more.

• Medusa: A password recovery tool that works with Windows, Linux, and MacOS - it is capable of executing a variety of brute force attacks.

• Hashcat: A password recovery tool that works with Windows, Linux, and MacOS - it is capable of executing a variety of brute force attacks.
  

• Aircrack-ng: This dictionary attack device targets wireless networks. It is compatible with Windows, Linux, iOS, and Android.

• DaveGrohl: An open-source attack mechanism used specifically for penetrating MacOS networks that can be distributed across several computers.

• Crunch: A wordlist generator that creates custom password lists. Crunch is commonly used in conjunction with another tool like Medusa to conduct the actual brute force attack.

While this list is not exhaustive, it provides a few key examples of brute force attack tools that cybercriminals can easily access online.

With each passing year, online service providers and users alike fall victim to brute force attacks. To perpetrate these crimes, fraudsters continue to exploit new attack surfaces and invent new mechanisms for cybercrime.

Some key examples of brute force attacks include:

Cisco Talos Issues Brute Force Attack Threat Advisory

In April 2024, the leading threat intelligence group Cisco Talos issued a threat advisory highlighting a global surge in brute-force attacks on a variety of services – including both VPN and SSH services.³ In their threat advisory, they noted an uptick in attacks in March 2024 that targeted various VPN brands across different regions. 

As Cisco Talos explains in the post, “The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry.”³ Affected services include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek, and Ubiquiti.

Compromised WordPress Websites

In March 2024, the cybersecurity media platform The Hacker News reported a surge in brute force attacks on WordPress websites.⁴ In the most recent iteration of these attacks, threat actors leveraged malicious JavaScript injections. As Hacker News explains, “The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.”⁴

These distributed attacks target WordPress websites from unsuspecting visitors' browsers. Instead of drainers, the latest rounds of brute force attacks use a list of compromised credentials to attack WordPress sites. The five-stage attack process involves acquiring target lists, extracting usernames, inserting malicious JavaScript, deploying attacks via visitors' browsers, and finally acquiring unauthorized access.⁴

Breached Email Accounts of Senior Microsoft Leadership

In January 2024, Russian hackers infiltrated the email accounts of senior leaders at Microsoft with a brute force attack. As Microsoft explains, “the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”⁵

Something noteworthy about the Microsoft breach is the fact that email accounts for senior leadership lacked multi-factor authentication (MFA). While no “customer environments, production systems, source code, or AI systems” were accessed, Microsoft is accelerating its Secure Future Initiative SFI to enhance internal cybersecurity standards.⁵

Passwords present inherent usability shortcomings. While short and simple passwords are easy to remember, they are also weak and easy for brute force attackers to crack. On the other hand, while creating long and complex passwords and frequently changing them can significantly increase security, they are difficult to remember and often increase the likelihood of users reverting back to reusing the same passwords across multiple websites, storing them in insecure ways, and failing to update them often.

With the average person managing 255 passwords between business and personal accounts,² most people have way more passwords to keep track of than ever before. As we’ve mentioned previously, many people reuse credentials across multiple sites or use the same weak credentials across every online account. This creates an easy target for criminals, and if credentials are compromised through phishing or brute force attacks on a site, hackers may also try those same username and password combinations on other sites.

Additionally, the length of time that it takes for a brute force attack to crack a password is a factor of password complexity and the hacker’s computational horsepower, and it can range from just a few seconds to years. Common brute force attack computer programs can check up to a billion passwords per second.⁶ In other words, even though a brute force attack might take years to crack a complex password that you have created, you could still be at risk depending on how relentlessly persistent the attack is.

If history is any indicator, brute force attacks are here to stay and will likely continue to proliferate. Fortunately, multi-factor authentication (MFA) and passwordless authentication are two highly effective ways to mitigate their associated risks. Additionally, a threat detection solution that can spot automated attacks and non-human users is an effective additional layer of security.

Below are three “good”, “better”, and “best” security practices that organizations and individuals can implement to lower the likelihood of falling victim to a brute force attack.

Good – Strengthening Password Security

Using strong passwords that are practically impossible to guess is the easiest (albeit weakest) way to defend against brute force attacks. Best practices when creating new passwords include:

• Using long passwords that are at least 15 characters in length.

• Creating complex passwords that include random strings of characters rather than common words.

• Including combinations of numbers, symbols, and both uppercase and lowercase letters in passwords.

• Never using the same passwords across multiple sites.

• Using password managers that automatically generate strong passwords that users don’t have to remember.

Organizations should protect passwords on the backend through the following security practices:

• Salting passwords before hashing. Salting is the practice of adding random additional characters to passwords before they are hashed.

• Limiting login attempts so that brute force attackers will be thwarted from repeatedly trying to log in after testing just a few unsuccessful username and password combinations.

• A threat prevention solution that can detect automated attacks can effectively identify brute force attack software programs, and an integrated real-time mitigation strategy can ensure these non-human users are unable to test username and password combinations..

Better – Multi-factor Authentication

Requiring multi-factor authentication (MFA) prevents breaches that result from brute force attacks and compromised credentials by adding an additional layer of security. As the name implies, MFA uses two or more factors (otherwise known as “credentials”) in the authentication of a user. These factors must come from at least two of three categories:

• Something you know – The passwords, PINS, or patterns that usually make up the first authentication factor are knowledge-based and can consist of challenge questions such as “What is your mother’s maiden name?”.

• Something you have – Authentication factors in this category verify that you are in possession of a specific thing. Examples include receiving a push notification or a text message on your cell phone or inserting your debit card into an ATM machine.

• Something you are or do – This MFA category usually refers to biometrics, with the most common verification methods being a fingerprint scan, facial recognition, or voice recognition.

When a user is authenticated using factors from at least two of these categories, a much higher level of confidence can be associated with that user. As a result, no matter how a hacker gains access to a user’s credentials – be it through a brute force attack or other means – MFA will render those credentials useless. This is because the hacker will be unable to complete the additional required verification(s) –  be it a push notification or a facial recognition scan – on the actual user’s specific (i.e., trusted) device to let them in.

Best – Passwordless Authentication

Passwordless authentication is another solution that can stop brute force attackers dead in their tracks. It is not a specific product or capability but rather a desired outcome that reduces friction and offsets security risks (such as brute force attacks) by either minimizing or outright eliminating the usability issues typically associated with passwords.

Whereas MFA verifies a user’s identity through extra authentication steps in addition to passwords, passwordless authentication grants access to resources through authentication factors other than passwords, such as email push notifications, email OTPs, QR codes, FIDO security keys, or biometric factors like fingerprint scans and facial recognition. In other words, passwordless authentication renders the efforts of brute force attackers obsolete by eliminating the pitfalls associated with the login credentials that they prey on.

Some of the most prominent benefits associated with MFA and passwordless authentication include:

• Stronger security – By requiring additional authentication factors or outright eliminating passwords, even brute force attackers who have successfully compromised a user’s credentials cannot gain unauthorized access to their account. 

• Better user experiences – These methods allow frictionless, streamlined transactions and reduced customer abandonment rates (particularly for customer identity & access management).

• Improved workforce productivity – Eliminating passwords also eliminates the need for users to reset their passwords if doing so periodically is company policy. This effectively increases productivity by reducing both frustration and downtime among workers.

• Cost savings – These methods reduce the burden on helpdesks and the associated costs whenever a user has forgotten their password. Additionally, since push notification and biometric authentication factors rely on a user’s smartphone, MFA and passwordless authentication also eliminate the costs associated with replacing hard tokens and/or smart cards.

Regardless of your organization’s approach to passwords – in other words, whether you focus solely on strengthening credentials, incorporate MFA, or choose to go fully passwordless – threat prevention solutions play a critical role in stopping brute force attacks. These attacks are generally carried out by automated scripts in order to test a high number of passwords in a relatively short amount of time. Organizations should consider incorporating a threat detection solution that can identify non-human users and automated attacks. This solution should then be integrated into the overall user journey, so that users showing non-human characteristics – such as automated password crackers – can be identified and stopped in real time by initiating the appropriate mitigation measures.

Ping Identity protects organizations from brute force attacks by combining threat protection, no-code identity orchestration, authentication, user management, and adaptive MFA services, as well as single sign-on and passwordless authentication to help organizations build, test, and optimize seamless and secure customer experiences.

To learn more about passwordless authentication, check out the Getting Started on Your Passwordless Journey White Paper.

1 Cybernews.com, Most common passwords: latest 2024 statistics

2 Nordpass, Juggling security: How many passwords does the average person have in 2024?

3 Cisco Talos, Large-scale brute force activity targeting VPNs, SSH services with commonly used login credentials

4 The Hacker News, Hacked WordPress Sites Abusing Visitors’ Browers for Distributed Brute-Force Attacks

5 Microsoft, Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

6 Nordpass, The Ins and Outs of a Brute Force Attack