Security Encyclopedia

Brute Force Attack

A brute force attack is an attempt to use the power of computers to match a credential, such as a password. Such an attack involves the automated spraying of all possible character combinations and lengths into a password field until a match is made. Brute force attacks succeed when an online service's authentication protocol lends itself to this kind of assault. Shared secrets between the service and the user offer a brute force attacker the best hope of success.

Other factors contribute to a brute force attack's success, such as when part of the secret (e.g. the username, or its naming convention) is already known. In addition, short, noncomplex passwords, single-factor authentication, and two-factor authentication based on shared secrets also increase brute force attack viability. Countermeasures to brute forcing credentials include increased password length, complexity, and rotation; esoteric naming conventions for usernames; strong public-key infrastructure; adoption of biometrics (tokenized and not); and abandoning the shared secret model of user authentication. Brute force attacks are levied against other cryptographic keys if the encryption is deficient.
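To show why password length and complexity appear among the countermeasures, the following added example (not part of the original entry) sizes the search space that "all possible character combinations and lengths" implies under a given password policy. The guess rate, the character-class sizes and the two sample policies are assumptions chosen for illustration.

```python
import math

# Printable-ASCII character classes (space excluded).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace(alphabet_size, min_len, max_len):
    """Candidates an exhaustive search must cover when it tries every
    combination at every length from min_len to max_len."""
    if alphabet_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("need alphabet_size >= 1 and 1 <= min_len <= max_len")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def assess(classes, min_len, max_len, guesses_per_second):
    """Size the search space a password policy leaves and the worst-case
    time to exhaust it at an assumed, constant guess rate."""
    alphabet = sum(CLASSES[c] for c in classes)
    total = keyspace(alphabet, min_len, max_len)
    return {
        "alphabet": alphabet,
        "candidates": total,
        "bits": round(math.log2(total), 1),
        "worst_case": humanize(total / guesses_per_second),
    }


if __name__ == "__main__":
    RATE = 1_000  # assumed guesses per second, not a figure from the entry
    policies = {  # constructed sample policies
        "short, lowercase only (1-6)": (["lower"], 1, 6),
        "long, all classes (12-16)": (["lower", "upper", "digit", "symbol"], 12, 16),
    }
    for name, (classes, lo, hi) in policies.items():
        print(name, assess(classes, lo, hi, RATE))
```

The figures are upper bounds for a uniformly random password; a password chosen by a person is usually found well before the space is exhausted.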

Some experts assert that the commercial availability of quantum computing poses a threat to all encryption. However, broad access to quantum computing is decades away and will also give rise to quantum-resistant encryption.


"Some of our users suffered a brute-force attack last year, so our security team decided to enforce passwordless multi-factor authentication. Since then, we've seen a 99% reduction in brute force attacks on our users."