Brute force is the process of trying a large number of candidate values until one matches a target, such as a password, an encryption key, or a session token. In the context of authentication attacks, brute force typically means systematically guessing passwords for a user account until the correct one is found. This can be done online, against a live login interface, or offline, against password hashes the attacker has already obtained.
Offline brute-force attacks target password hashes and are limited only by the attacker's hardware. They are particularly effective when the hashing algorithm is weak (fast and unsalted, such as a single round of MD5 or SHA-1, rather than a salted, deliberately slow function such as bcrypt, scrypt, or Argon2) or when the password is common or a simple mutation of a dictionary word (capitalisation, character substitutions, an appended digit or year). Online brute-force attacks are constrained by rate limiting, account lockouts, and monitoring, but they can still succeed if those defences are absent or poorly implemented.
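As an added illustration (example code, not part of the original page), the following Python script runs a dictionary-mutation attack offline against two storage formats: an unsalted MD5 hash and a salted PBKDF2-HMAC-SHA256 hash with a high iteration count. The wordlist, the mutation rules, the victim password "Dragon123", and the iteration count are all constructed assumptions for the demonstration; the attack logic is identical in both cases, only the cost per guess differs.

```python
import hashlib
import os
import time

# Constructed wordlist for this example; a real attack uses a leaked-password list.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]

# Character substitutions users commonly apply when told to "complicate" a word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "123", "!", "2023", "2024")


def mutations(word):
    """Yield the base word plus the mutations people actually use (assumed rule set)."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):          # sorted so the candidate order is deterministic
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist):
    """Full candidate stream: every wordlist entry, every mutation."""
    for word in wordlist:
        yield from mutations(word)


def md5_hex(password):
    """Weak legacy storage: a single unsalted MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(password, salt, iterations):
    """Slow, salted storage: PBKDF2-HMAC-SHA256 (bcrypt/Argon2 are better still)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target, hasher, wordlist):
    """Generic offline attack: hash each candidate exactly as the target was hashed."""
    for guess in candidates(wordlist):
        if hasher(guess) == target:
            return guess
    return None


def crack_md5(target_hex, wordlist):
    return crack(target_hex, md5_hex, wordlist)


def crack_pbkdf2(target, salt, iterations, wordlist):
    # The salt is public (stored next to the hash); it only prevents precomputation,
    # the iteration count is what makes each guess expensive.
    return crack(target, lambda g: pbkdf2(g, salt, iterations), wordlist)


def guesses_per_second(hasher, n=50):
    """Measure attacker throughput for a given hash function over n candidates."""
    sample = [g for _, g in zip(range(n), candidates(WORDLIST))]
    start = time.perf_counter()
    for g in sample:
        hasher(g)
    return len(sample) / (time.perf_counter() - start)


if __name__ == "__main__":
    victim = "Dragon123"                  # constructed: a mutation of a dictionary word
    salt = os.urandom(16)
    iters = 100_000
    print("MD5 recovered   :", crack_md5(md5_hex(victim), WORDLIST))
    print("PBKDF2 recovered:", crack_pbkdf2(pbkdf2(victim, salt, iters), salt, iters, WORDLIST))
    fast = guesses_per_second(md5_hex)
    slow = guesses_per_second(lambda g: pbkdf2(g, salt, iters))
    print(f"MD5: {fast:,.0f} guesses/s   PBKDF2-{iters}: {slow:,.0f} guesses/s   ({fast / slow:,.0f}x slower)")
```

Both attacks recover "Dragon123" because it is in the mutation space of the wordlist; a slow hash does not save a weak password, it only multiplies the attacker's cost per guess, which is what makes large candidate spaces impractical. A password outside the wordlist's mutation space (a random string) is not found by either.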
If attackers can guess or derive valid credentials, then they are likely to be able to take over user accounts, reach sensitive data, and establish a foothold that leads to broader compromise. Even unsuccessful brute-force activity can cause operational issues through account lockouts and service degradation.
Brute-force attacks are related to password spraying (a few common passwords tried against many accounts, staying under per-account lockout thresholds) and credential stuffing (username and password pairs replayed from other breaches), but the detection patterns and mitigations differ: a per-account lockout stops a classic brute force against one user yet does nothing against a spray spread across hundreds of accounts, which has to be spotted by looking at the source rather than the account. Rate limiting, MFA, a strong password policy, and secure token design are all important areas reviewed during web application penetration testing and API penetration testing.