
Brute Force Attack

A trial-and-error method of guessing passwords, encryption keys, or credentials by systematically trying all possibilities.

Category: Attack Methods
Also called: "password cracking", "exhaustive search"

Brute force attacks use computational power to try candidate secrets until one matches; in the pure form every possible combination is tried. Online attacks submit guesses to a live service and are bounded by its rate limits; offline attacks test guesses against stolen password hashes or captured ciphertext and are bounded only by the attacker's hardware and the cost of the hash.

Attack types

  • Simple brute force: Try every string over a chosen alphabet up to a chosen length. The cost grows exponentially with length, so this is only practical against short or low-entropy secrets.
  • Dictionary attack: Try words, phrases and previously leaked passwords from a wordlist; effective because human-chosen passwords cluster around a small set of choices.
  • Hybrid attack: Combine dictionary words with mangling rules (capitalisation, leetspeak, appended numbers or symbols), which is how most human-chosen passwords are actually recovered.
  • Credential stuffing: Replay username/password pairs leaked from other breaches. This is not guessing at all but relies on password reuse, so even a strong password falls if it was reused elsewhere.
  • Rainbow tables: Pre-computed hash chains that trade storage for cracking time against unsalted hashes; a per-user salt makes the precomputation useless.
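The three guessing strategies above, as an added example that is not part of this glossary entry: a dictionary pass, a hybrid pass with a few mangling rules, and an exhaustive pass, each run against a salted SHA-256 hash. The wordlist, the salt and the victim password are constructed for the example; a fast hash is used deliberately to show why offline guessing is cheap.

```python
import hashlib
import itertools
import string

# Constructed sample data (not from any real breach): a tiny wordlist and a fixed salt.
WORDLIST = ["password", "summer", "welcome", "dragon", "letmein"]
SALT = b"constructed-salt"


def hash_pw(password: str, salt: bytes = SALT) -> str:
    """Salted SHA-256. A fast hash like this is what makes offline guessing cheap."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: try each word exactly as listed."""
    yield from words


def leet(word: str) -> str:
    return word.replace("a", "@").replace("e", "3").replace("o", "0").replace("i", "1")


def hybrid_candidates(words, years=("2023", "2024"), symbols="!@#"):
    """Hybrid attack: dictionary words plus the mangling people actually apply
    (capitalisation, leetspeak, a trailing symbol, a trailing year, or both)."""
    for w in words:
        # dict.fromkeys keeps order and drops duplicates, so attempt counts are stable
        for v in dict.fromkeys([w, w.capitalize(), w.upper(), leet(w)]):
            yield v
            for s in symbols:
                yield v + s
            for y in years:
                yield v + y
                for s in symbols:
                    yield v + y + s


def exhaustive_candidates(alphabet=string.ascii_lowercase, max_len=4):
    """Simple brute force: every string of length 1..max_len over the alphabet,
    shortest first. The candidate count is the sum of len(alphabet) ** n."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(target_hash: str, candidates):
    """Hash each candidate and compare with the stolen hash.
    Returns (password, attempts), or (None, attempts) if the space is exhausted."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hash_pw(cand) == target_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    target = hash_pw("Summer2024!")  # constructed victim password
    print("dictionary:", crack(target, dictionary_candidates(WORDLIST)))  # not found
    print("hybrid:    ", crack(target, hybrid_candidates(WORDLIST)))      # found
    print("exhaustive:", crack(hash_pw("zq"), exhaustive_candidates(max_len=2)))
```

The dictionary pass misses "Summer2024!" outright, the hybrid pass recovers it after a few dozen guesses, and the exhaustive pass finds a two-letter secret after a few hundred; the same generators against a real 12-character random password would never finish, which is the point of the time-to-crack table further down.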

Defenses

  • Long passwords: Every added character multiplies the keyspace by the alphabet size. Length and randomness matter more than complexity rules; a long password that is a dictionary phrase plus a year is still weak.
  • Account lockouts: Limit failed attempts per account, but a hard lockout lets an attacker deny service to real users, and password spraying (one common password tried against many accounts) stays under any per-account threshold.
  • Rate limiting: Slow guessing with per-source and per-account throttling, ideally with exponential backoff rather than a permanent lock.
  • CAPTCHA: Raise the cost of automating online guessing; irrelevant to offline attacks.
  • MFA: Add a second authentication factor so that a correctly guessed or stuffed password is not sufficient on its own.
  • Password hashing: Store passwords only as salted, deliberately slow hashes (bcrypt, scrypt, Argon2) so that a stolen database yields hundreds of thousands rather than hundreds of billions of guesses per second. This is the one control that still works after a breach.
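The server-side defenses above, as an added example (not code from this glossary or any product): salted slow hashing with a constant-time comparison, a dummy verification for unknown usernames so timing does not reveal which accounts exist, per-account exponential backoff instead of a hard lockout, and a per-source limit that catches password spraying. scrypt from the Python standard library stands in for bcrypt/Argon2 (an assumption, chosen so the block has no dependencies); the `LoginGuard` class, its parameters and the injected clock are constructions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption: scrypt (stdlib) stands in for bcrypt/Argon2. These parameters cost
# tens of milliseconds and 16 MiB per hash, which is what throttles an offline attacker.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats rainbow tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    # constant-time compare: a plain == leaks where the first differing byte is
    return hmac.compare_digest(candidate, digest)


# Hashed once so an unknown username costs the same as a real one (no timing-based enumeration).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password")


class LoginGuard:
    """Throttle guesses per account (exponential backoff rather than a hard lockout,
    so an attacker cannot permanently lock users out) and per source address
    (so spraying one password across many accounts is also caught)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 base_delay: float = 1.0, max_delay: float = 300.0,
                 source_limit: int = 20, window: float = 60.0):
        self.clock = clock
        self.base_delay, self.max_delay = base_delay, max_delay
        self.source_limit, self.window = source_limit, window
        self.account_fail: Dict[str, Tuple[int, float]] = {}  # user -> (fails, not_before)
        self.source_hits: Dict[str, list] = {}                # ip -> attempt timestamps

    def attempt(self, username: str, password: str, ip: str,
                users: Dict[str, Tuple[bytes, bytes]]) -> str:
        now = self.clock()
        # Per-source limit: counts every attempt from this address in the window,
        # whatever account it targets, so spraying does not slip through.
        hits = [t for t in self.source_hits.get(ip, []) if now - t < self.window]
        if len(hits) >= self.source_limit:
            return "rate_limited"
        hits.append(now)
        self.source_hits[ip] = hits

        fails, not_before = self.account_fail.get(username, (0, 0.0))
        if now < not_before:
            return "locked"  # still inside this account's backoff window

        record = users.get(username)
        if record is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)  # burn the same time
            ok = False
        else:
            ok = verify_password(password, *record)
        if ok:
            self.account_fail.pop(username, None)
            return "ok"
        fails += 1  # backoff doubles per failure: 1 s, 2 s, 4 s ... capped at max_delay
        delay = min(self.base_delay * 2 ** (fails - 1), self.max_delay)
        self.account_fail[username] = (fails, now + delay)
        return "denied"
```

The backoff grows geometrically but is capped, so a legitimate user who mistypes a few times waits seconds, while an attacker gets a handful of guesses per account per minute; the source window is the piece a per-account lockout alone lacks.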

Attack speed

  • Online: roughly 10-1,000 guesses/second against a live service, bounded by network latency and whatever rate limiting the target enforces.
  • Offline: billions of guesses/second against stolen hashes, bounded only by the attacker's hardware and the cost of the hash function.
  • Modern GPU: on the order of 100 billion hashes/second on a single high-end card such as an NVIDIA H100, but only for a fast hash like MD5 or SHA-1; the 158B figure is in that range. Against bcrypt at a typical cost factor the same class of card manages on the order of 100 thousand hashes/second, roughly a million times slower, and that gap is the entire point of slow password hashing.

Time to crack examples

The figures below assume a uniformly random password over mixed-case letters and digits (62 symbols), an offline attack against a fast hash at about 10^11 guesses/second, and half the keyspace searched on average. A dictionary word with a year appended is not random and falls in seconds whatever its length; a slow hash stretches every row by a factor of about a million.

  • 8-char password: 62^8 ≈ 2×10^14 candidates, minutes to hours.
  • 12-char password: 62^12 ≈ 3×10^21 candidates, on the order of a thousand years.
  • 16-char password: 62^16 ≈ 5×10^28 candidates, billions of years.
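The keyspace arithmetic behind the table above, as an added example that is not part of this glossary entry. The guess rates are the ballpark figures from the "Attack speed" section (assumptions, not benchmarks), and the estimator goes slightly beyond the table by covering several alphabets and both fast and slow hashes, so the effect of salting-plus-slow-hashing on the same password length is visible side by side.

```python
CHARSETS = {
    "digits only": 10,
    "lowercase": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

# Ballpark guesses/second (assumptions): a rate-limited online service, one GPU
# against a fast unsalted hash, and the same GPU against a slow hash such as bcrypt.
RATES = {
    "online, rate-limited": 1e3,
    "offline, fast hash (GPU)": 1e11,
    "offline, slow hash (GPU)": 1e5,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return charset_size ** length


def seconds_to_crack(charset_size: int, length: int, guesses_per_second: float,
                     fraction: float = 0.5) -> float:
    """Expected time for a uniformly random password: on average the attacker
    searches half the keyspace before hitting it (use fraction=1.0 for the worst case)."""
    return keyspace(charset_size, length) * fraction / guesses_per_second


def human(seconds: float) -> str:
    """Largest unit that fits, one decimal place."""
    for unit, name in ((SECONDS_PER_YEAR, "years"), (86400, "days"),
                       (3600, "hours"), (60, "minutes")):
        if seconds >= unit:
            return f"{seconds / unit:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(lengths=(8, 12, 16), charset="mixed case + digits"):
    """Rows of (length, attack scenario, expected time) for the page's example lengths."""
    size = CHARSETS[charset]
    return [(n, rate, human(seconds_to_crack(size, n, gps)))
            for n in lengths for rate, gps in RATES.items()]


if __name__ == "__main__":
    for n, rate, t in crack_table():
        print(f"{n:2d} chars  {rate:<26} {t}")
```

Reading the output, the 8-character row moves from minutes under a fast hash to decades under a slow one, which is a more useful comparison than any single "time to crack" number.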