A brute force attack (also written "bruteforce attack") is a hacking method that involves testing a large number of combinations of passwords, security keys, encryption keys or identifiers until the right one is found.
This technique is based on trial and error and can be used to access user accounts, computer systems or encrypted data. It relies on computing power (manual or automated) rather than on software flaws.
👉 Types of brute force attack
There are various types of brute force attack, including:
- Simple brute force attack: the attacker tests all possible combinations of characters (letters, numbers, symbols) until the password or key is found. This method works best against weak or short passwords.
- Dictionary attack: instead of trying every possible combination, the attacker uses a pre-established list of common passwords (often taken from leaks or specialist dictionaries). Variants (numbers or special characters) can be added to extend the possibilities.
- Hybrid attack: the attacker combines the two previous methods by testing combinations of common passwords and special characters. This type of attack is particularly effective when the attacker has information about the target (birthdays, names, etc.).
- Reverse brute force attack: the attacker uses a known password to try to find the associated username or email address. This method exploits the fact that many users reuse the same credentials on several platforms.
- Credential stuffing: rather than guessing a password, the attacker exploits a database of compromised credentials to test the same combinations on other services. This technique takes advantage of the fact that users frequently reuse the same credentials.
- Rainbow table attack: uses pre-computed tables of hashes to recover passwords from their stored hashes.
How it works
A brute force attack generally takes place in several stages:
- Information gathering: the attacker gathers information about the target, such as its user name, e-mail address or the type of system it is using.
- Choice of attack method: the attacker chooses the most appropriate type of brute force attack based on the information available to him and his objectives.
- Preparing for the attack: the attacker uses software tools to automate the attack and generate the password or key combinations to be tested.
- Launch of the attack: the attacker launches the attack and tests the combinations generated until the right one is found.
- Access to the system or data: once the password or key has been found, the attacker can access the targeted system or data.
📈 Trends
Brute force attacks are a constant threat in the world of cybersecurity. Although they are considered an "old" method of attack, they are still effective, particularly against weak passwords or poorly protected systems.
Current trends are:
- Use of AI: generation of plausible passwords using language models.
- Attacks on the IoT: exploitation of poorly secured connected devices (cameras, routers).
- Cloud and GPU: rental of cloud computing power or graphics cards to speed up testing.
- "Low and slow" brute force: avoids detection by spacing out attempts.
Examples of brute force attacks
- Adobe (2013): 38 million accounts hacked using brute force and dictionary attacks.
- LinkedIn (2016): 117 million passwords cracked.
- Mirai botnet (2016): hacking into cameras and routers using default credentials.
- RDP attacks: attacks on remote access protocols exploded during the pandemic.
💉 Remedies and protection
There are a number of steps you can take to protect yourself against brute force attacks:
- Use strong, unique passwords: choose long (at least 12 characters), complex passwords (a mix of letters, numbers and symbols), avoid common passwords, and use a different password for each account.
- Activate two-factor authentication (2FA) or MFA: this measure adds an extra layer of security by requiring a verification code in addition to the password.
- Limit the number of attempts: configure your systems to block login attempts after a certain number of failures, if possible with an increasing delay between attempts, a CAPTCHA or IP-based authentication.
- Use a password manager: this tool generates and stores strong, unique passwords for all your accounts.
- Update your systems and software: security updates correct vulnerabilities that could otherwise be exploited by attackers.
- Use a real-time monitoring system.
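As an added example (not part of the original article), here is the detection side of the last two measures: a small Python script that counts failed logins per source address over sliding windows and flags both a noisy burst and the "low and slow" pattern mentioned under trends. The sshd-style log lines, addresses and thresholds are all constructed for the example.

```python
"""Flag brute-force logins in constructed sshd-style auth log lines: a short
window catches noisy bursts, a long window with a lower rate catches "low and
slow" guessing. All log lines, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# rule name -> (window length, failures within that window that raise an alert)
RULES = {
    "burst": (timedelta(minutes=1), 5),        # classic online brute force
    "low_and_slow": (timedelta(hours=6), 20),  # spaced-out attempts, all day
}

def parse(lines):
    """Yield (timestamp, source ip, failed?) for lines matching the pattern."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["result"] == "Failed"

def detect(lines):
    """Return {(rule, ip): time the rule first fired}, one window per source IP."""
    failures = defaultdict(list)  # ip -> failure timestamps in log order
    alerts = {}
    for ts, ip, failed in parse(lines):
        if not failed:
            continue  # successful logins never count towards a lockout
        failures[ip].append(ts)
        for name, (window, limit) in RULES.items():
            if sum(1 for t in failures[ip] if ts - t <= window) >= limit:
                alerts.setdefault((name, ip), ts)
    return alerts

def sample_log():
    """Constructed log: a 30-second burst, a slow drip, one normal login."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    fmt = "{} sshd[100]: Failed password for invalid user admin from {} port 40000"
    burst = [fmt.format((t0 + timedelta(seconds=5 * i)).isoformat(), "203.0.113.7")
             for i in range(6)]
    slow = [fmt.format((t0 + timedelta(minutes=15 * i)).isoformat(), "198.51.100.9")
            for i in range(21)]
    ok = [f"{t0.isoformat()} sshd[101]: Accepted password for alice from 192.0.2.5 port 1"]
    return sorted(burst + slow + ok)  # same ISO prefix, so string sort is time order

if __name__ == "__main__":
    print(detect(sample_log()))
```

The slow drip (one failure every 15 minutes) never trips the one-minute rule, which is exactly why a second, longer window is needed alongside a simple lockout counter.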
📊 Figures and statistics
- World:
  - 80% of data breaches involve weak or stolen passwords (Verizon DBIR 2023).
  - RDP (Remote Desktop Protocol) attacks increased by 768% in 2020 (ESET).
- France:
  - 30% of cyber attacks reported to ANSSI in 2022 used brute force methods.
  - Sectors most affected: healthcare, SMEs, local authorities.