A brute force attack is a type of attack in which the attacker tries millions or even billions of username and password combinations until one of them hits the right password. Although this is a very simple type of attack in principle, its victims number in the millions around the world.
How does a brute force attack work?
A brute force attack is used to gain access to online accounts or stolen files by guessing usernames and passwords.
During a brute force attack, a computer program works at tremendous speed, trying endless combinations of usernames and passwords until it hits the right combination.
How fast is a brute force attack?
The speed of password cracking depends on:
- The strength of your password
- The computational capabilities of your hardware
Computer programs used for brute force attacks can try from 10,000 to 1 billion passwords per second.
There are 94 numbers, letters and symbols on a standard keyboard. If we choose a password of 8 characters, we can create approximately 200 billion combinations. The fastest hardware, a supercomputer, would figure out such a password in less than 4 minutes.
The longer and more random the password, the more complex and difficult it is to crack. It takes about 2 hours to crack a 9-character password that contains a special character. A password of the same length but without the special character holds out for only 2 minutes.
In comparison, a 12-character password would take three centuries to crack. So in practice, the longer the password, the more difficult it is to guess. The possible combinations of passwords increase rapidly when using all types of characters, i.e. lower and upper case letters, numbers and special characters like dot, comma, dash, etc.
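The relationship described above (keyspace = character-set size to the power of the length, crack time = keyspace divided by guess rate) as an added example; this is not code from the article. It assumes an attacker who must try every combination, so the figures it prints come straight from the formula and will not match the article's rounded numbers exactly; the character-set sizes are constructed, with 94 standing for the printable keyboard characters mentioned above.

```python
# Constructed character-set sizes; 94 is printable ASCII without the
# space, matching the article's "standard keyboard" count.
CHARSETS = {
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all 94 printable characters": 94,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def crack_time_seconds(charset_size: int, length: int,
                       guesses_per_second: float, average: bool = False) -> float:
    """Seconds to try the whole keyspace at the given rate; with
    average=True, the expected time to hit (half the keyspace)."""
    return keyspace(charset_size, length) / guesses_per_second / (2 if average else 1)


def human_duration(seconds: float) -> str:
    """Express a duration in its largest fitting unit, one decimal."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def minimum_length(charset_size: int, guesses_per_second: float,
                   required_years: float) -> int:
    """Smallest length whose full keyspace takes at least `required_years`
    to exhaust at this guess rate (a simple password-policy check)."""
    length = 1
    while (crack_time_seconds(charset_size, length, guesses_per_second)
           < required_years * SECONDS_PER_YEAR):
        length += 1
    return length


if __name__ == "__main__":
    rate = 1e9  # guesses per second, the article's supercomputer figure
    for name, size in CHARSETS.items():
        for length in (8, 12):
            t = crack_time_seconds(size, length, rate)
            print(f"{name:28} {length:2} chars: {human_duration(t)}")
        print(f"{name:28} {minimum_length(size, rate, 100):2} chars to hold for 100 years")
```

Run it with a guess rate matching your own threat model (an online login form with rate limiting is orders of magnitude slower than offline hash cracking) to see which minimum length your policy should require.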
What to take away from this
A simple password made up of only lowercase letters allows far fewer combinations than a password made up of random characters, so computers don’t need much time to guess it. Even an ancient Pentium 100 processor can figure out weak passwords in a matter of hours or tens of hours; a supercomputer capable of trying a billion passwords per second will find a weak password instantly.
The best defense against a brute force attack is to have a strong password that would take so long to discover that it is simply not worth the attackers’ resources to even attempt such a thing. You should choose a password of at least 12 characters, and the more the better.
You can use a password manager that creates completely random passwords and fills them in for you. That way you don’t have to remember them, and the key to all your passwords is held by you and you alone. It’s also a very good idea to enable two-factor authentication, where in addition to the password you also have to verify your identity, for example with a fingerprint or a one-time code.