A brute force attack is exactly what it sounds like: an attacker tries username and password combinations, one after another, at machine speed, until they find one that works. It requires no special knowledge of your system — just patience and automation. A modern consumer GPU can test billions of password hashes per second. Against a weak password and an unprotected login form, that's a matter of minutes.
How brute force attacks work
The basic form is a simple brute force: try every possible character combination in order — aaa, aab, aac — until a match is found. This works against very short passwords (under 6 characters) but becomes impractical for longer ones.
Most real attacks are smarter. Common variants:
- Dictionary attack — instead of random strings, the attacker tries real words, common passwords (from "rockyou.txt" and similar leaked lists), and variations (replacing "a" with "@", adding "123" at the end). Most weak passwords fall here.
- Credential stuffing — the attacker takes username/password pairs from previous data breaches (there are billions of them in circulation) and tries them against your login. If your user used the same password on a breached site and yours, the attacker gets straight in. This is the most common form of account takeover today.
- Password spraying — instead of hammering one account, the attacker tries one common password against thousands of accounts, staying under lockout thresholds. Works well against large user bases where some people inevitably use "Summer2024!".
- Reverse brute force — starts with a known common password and searches for accounts that use it across many services.
What's at stake
A compromised login can mean:
- Customer data accessed or exfiltrated
- Admin accounts taken over — attackers add backdoors, plant malware, redirect email
- Financial fraud via CRM, invoicing or payment systems
- Reputation damage when customers find out
For email accounts in particular, a compromised inbox gives an attacker everything: password resets for every other service, client conversations to exploit for business email compromise, and a launchpad for phishing attacks on your contacts.
How to protect against brute force attacks
1. Use two-factor authentication (the most effective single control)
Even if an attacker guesses or steals the password, they can't log in without the second factor — a code from an authenticator app, a push notification, or a hardware key. 2FA makes credential stuffing and brute force attacks almost entirely ineffective. Enable it everywhere, especially for email, domain registrar, DNS and hosting admin panels.
2. Rate limiting and account lockout
Limit how many login attempts are allowed per IP per time period. After a threshold (5–10 failed attempts), temporarily lock the account or require a CAPTCHA. This makes automated attacks take hours or years instead of seconds. Be careful with permanent lockouts — they can be weaponised to lock out legitimate users.
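The throttle described above, as an added example that is not from the original article: a sliding-window counter of failed logins keyed by account and by source IP, which challenges an account with a CAPTCHA after a few failures and only ever applies a temporary lock (to the source IP, not the account), so it cannot be turned into a denial of service against the real user. The window and threshold values are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for illustration, not figures from the article:
# count failures over a 10-minute sliding window, challenge an account after 5 failures,
# and temporarily lock a source IP after 20 failures (never permanently).
WINDOW_SECONDS = 600
ACCOUNT_CAPTCHA_AFTER = 5
IP_LOCK_AFTER = 20
IP_LOCK_SECONDS = 900


class LoginThrottle:
    """Sliding-window failure counter keyed by account and by source IP."""

    def __init__(self):
        self._fails = defaultdict(deque)  # key -> timestamps of recent failures
        self._ip_locked_until = {}        # ip -> time the temporary lock expires

    def _recent_failures(self, key, now):
        q = self._fails[key]
        while q and q[0] <= now - WINDOW_SECONDS:  # drop entries outside the window
            q.popleft()
        return len(q)

    def check(self, username, ip, now=None):
        """Decide before authenticating: 'allow', 'captcha' or 'locked'."""
        now = time.time() if now is None else now
        if self._ip_locked_until.get(ip, 0) > now:
            return "locked"
        # A CAPTCHA on the account (rather than a lock) cannot be abused to deny the
        # real owner access, which is the weaponised-lockout problem noted above.
        if self._recent_failures(("user", username), now) >= ACCOUNT_CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self._fails[("user", username)].append(now)
        self._fails[("ip", ip)].append(now)
        if self._recent_failures(("ip", ip), now) >= IP_LOCK_AFTER:
            self._ip_locked_until[ip] = now + IP_LOCK_SECONDS

    def record_success(self, username):
        self._fails.pop(("user", username), None)  # a good login clears the account counter
```

Call `check` before verifying the password and `record_failure` / `record_success` afterwards; the `now` argument exists so the policy can be unit-tested without sleeping.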
3. Strong, unique passwords
A 16-character random password defeats dictionary attacks entirely. Use a password manager so every account gets a unique password — this makes credential stuffing useless, since a leaked password from one site doesn't open any other.
4. Monitor for anomalous login activity
Log failed login attempts and alert on spikes. Many platforms (Google Workspace, Microsoft 365, Cloudflare) have built-in anomalous-login detection. A sudden spike in failed logins from many IPs is a clear signal of a password-spray or stuffing campaign.
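A small detector for the patterns described above, as an added example (not the article's own tooling): it parses authentication log lines of a constructed format, counts failures in a window, and labels the window as a brute-force of one account, a password spray (many accounts, few sources) or credential stuffing (many accounts, many sources). The log format, thresholds and ratios are assumptions for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime

# Log format is a constructed example: "<ISO timestamp> FAIL|OK user=<name> ip=<addr>".
LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")
Event = namedtuple("Event", "ts result user ip")


def parse(lines):
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:  # skip lines that do not match the expected format
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify(events, threshold=10):
    """Heuristic label for one time window of login events (assumed thresholds)."""
    fails = [e for e in events if e.result == "FAIL"]
    n = len(fails)
    if n < threshold:
        return "normal"
    users = len({e.user for e in fails})
    ips = len({e.ip for e in fails})
    if users / n >= 0.8:  # nearly every failure targets a different account
        # one try per account from many sources looks like stuffing from a botnet;
        # the same spread of accounts from a few sources looks like a spray
        return "credential-stuffing" if ips / n >= 0.5 else "password-spray"
    return "brute-force"  # a few accounts hit repeatedly


# Constructed sample logs using RFC 5737 documentation addresses, not real traffic.
SPRAY_LOG = ["2024-05-01T10:00:%02dZ FAIL user=user%d ip=203.0.113.%d" % (i, i, 5 + i % 2) for i in range(12)]
STUFFING_LOG = ["2024-05-01T10:01:%02dZ FAIL user=user%d ip=198.51.100.%d" % (i, i, i + 1) for i in range(12)]
BRUTE_LOG = ["2024-05-01T10:02:%02dZ FAIL user=admin ip=203.0.113.9" % i for i in range(12)]
NORMAL_LOG = [
    "2024-05-01T10:03:00Z FAIL user=alice ip=203.0.113.20",
    "2024-05-01T10:03:04Z OK user=alice ip=203.0.113.20",
]

if __name__ == "__main__":
    for name, log in [("spray", SPRAY_LOG), ("stuffing", STUFFING_LOG),
                      ("brute", BRUTE_LOG), ("normal", NORMAL_LOG)]:
        print(name, classify(parse(log)))
```

In production the caller would feed `classify` one bucket of events at a time (for example five-minute windows) and alert on any label other than "normal".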
5. Check if your users' credentials are already exposed
Services like HaveIBeenPwned allow you to check whether email addresses appear in known breaches. If a user's credentials are already in a breach database, they're in the attacker's credential-stuffing lists right now. Prompt them to change their password immediately and enable 2FA.
For website owners: protect your login endpoint
- Never expose admin panels at guessable paths (/admin, /wp-admin) without additional protection — restrict by IP or require VPN for admin access.
- Use a WAF with bot-management rules that can detect and block credential-stuffing patterns.
- Implement CAPTCHA or proof-of-work challenges after a small number of failures.
- Never store passwords in plain text — use bcrypt, Argon2 or scrypt so that even if your database is breached, cracking the hashes takes significant time.
FAQ
How fast can a brute force attack crack a password?
It depends on the password length and the hashing algorithm used to store it. A 6-character all-lowercase password hashed with MD5 can be cracked in under a second on consumer hardware. A 16-character random password hashed with Argon2 would take longer than the age of the universe. Length and algorithm both matter.
Is my site being brute-forced right now?
Almost certainly yes, at some low level — automated bots constantly probe login forms on every reachable site. The question is whether your defences are strong enough that it doesn't matter.
What's the difference between a brute force attack and a data breach?
A brute force attack guesses credentials directly against your login. A data breach is an unauthorised extraction of data from your systems — often the end result of a successful compromise, but can also come from SQL injection, misconfigured storage or insider access.