What is a Brute Force Attack | Attack Strategy, Impacts, and Measures

A brute force attack is a technique to strategically hack passwords to hijack accounts or exploit services. Although it is one of the simplest hacking tactics, there are tremendous numbers of hacking incidents reported every year caused by brute force attacks.

In this article, we will walk through the definition of brute force attack, the attack mechanism, and proper measures to protect against attacks.

Brute Force Attack Definition

Brute Force Attack is a type of cyberattack technique used for hacking passwords by try changing the character one by one until the correct answer is discovered.

If a password is constructed by a finite length of characters from a finite set of values, such a password can be eventually hacked using a Brute Force Attack.

This is one of the reasons why most password input interfaces, such as credit card ATM and web service account, set a limit on the number of times that password entry can be attempted. Usually, after the third incorrect entry, it will lock the access due to potential fraud access.

Without proper measures against brute force attacks, many online accounts, services, and web servers will be easily hijacked by criminal groups.

How does Brute Force Attack Work?

Let's say there is a four-digit lock chain securing a bicycle. A random person comes by the lock and tries to unlock the chain. Starting from 0000, the thief checks the combination by increasing the number to 0001, to 0002, to 0003, and so on.

There is a total of 10,000 combinations to the lock. If the thief takes 1 second to try each number, the lock can be unlocked no more than 2 hours and 47 minutes. This means a four-digit lock chain can be hacked by a brute force attack.

What Harm Can Brute Force Attack Cause?

Without placing protection measures against brute force attacks, there can be many unwanted outcomes that may cause information exposure, service exploit, and even financial damage.

SNS Account Hijack

In case a password of an SNS account was hacked, any information and authorizations associated with the account will be exposed to the hacker.

Harmful messages and actions performed from your account may hurt your representation. The account could be used for conducting criminal activities, such as threatening the public or society, which will lead to much larger issues.

Although the owner of the hijacked account will not be subject to being charged with a crime of the involved criminal activities, there will be unwanted troubles that might take time and effort to overcome.

Web Service Hijack

Web service associated with finances, such as bank account and online shopping, is one of the most common targets of account hijacking. The impact of the unauthorized activities will be much more direct for the account owner and may result in financial damage.

For other web service accounts, including business management and site hosting, will similarly disadvantage from getting hijacked as confidential information may be stolen and get sold on the hackers market.

Many business incidents involved in web service hijacks resulted to pay the tremendous cost to fix the problem over the years.

Information Manipulation

When an attack on a web service or an online server is conducted by a criminal group, information such as client profiles, product sales reports, and financial analysis may get extracted. Website manipulation is also a major problem that impacts the corporation as it publicly demonstrates the lack of security concerns.

Information manipulation does not only cause financial disadvantages but also a decline in trust and reputation. In some cases, the stolen information gets published on the hackers' forum months and years later to be announced by security researches.

How to Protect Yourself from Brute Force Attacks

To apply measures against brute force attacks, password owners must consider approaches from both consumer and service system perspectives.

Strong Password

Making a strong password is truly the best way to defend against brute force attacks.

The definition of a strong password is,

  • Minimum length of 10 characters. We suggest at least 12 characters.
  • Unique password throughout the globe.
  • Only used by a single account.

Most online services consider a minimum of 8 characters as a valid password, while some only require 6 characters.

The password with a length of 8 characters is considered very weak. By using the modern tools and algorithm, 8 character password can now be hacked in 2.5 hours. Adding a single character will increase the computation time to 1 week, and for 10 character password, it will dramatically increase to 4 months.

In 2010, Georgia Tech Research Institute defined a 12 character password is sufficient to defeat modern password hacking. With 12 characters, brute force calculation will take 200 years!

Two-Factor Authentication

Lately, many online services started the implement two-factor authentication to address their security concerns.

With a two-factor authentication system, the user is required to fulfill an additional identity verification after their password input. The second layer of authentication depends on the service. Some will require code input sent to a pre-registered phone number or email address, while others will ask for input based on pre-defined questions and answers.

Because brute force attack is designed solely to hack passwords, and not compatible to break non-password oriented security system. Therefore two-factor authentication is an effective solution to use.

Limit Password Attempts

Brute force attack is a strategy of applying hundreds and thousands of different character combinations in a fraction of seconds.

Programmatically applying input delay or denial based on several incorrect password input attempts can critically decrease the try and error frequency. Windows uses this approach to increase the load time between each password inputs after certain incorrect attempts.

Unauthorized Access Alert

Setting an alert system to send out notifications upon unauthorized access is also an effective way to acknowledge hacking activities.

Gmail is designed to send a message to the email owner when a certain number of login attempts are detected. Furthermore, an alert system can inform unfamiliar access records based on access location and IP address.


We went over the main concepts and mechanisms of brute force attacks. Despite its simple hacking strategy, there are countless incidents that the brute force attack was able to hack a weak password.

Make sure to follow the rules to create a strong password and apply appropriate protections to secure against brute force attacks.