We may earn a commission when you make a purchase via links on this site.
What is a Brute Force Attack? 4 Examples you need to know
By Tibor Moes / January 2023
Brute Force Attack
What comes to your mind when you hear the words “brute force?” You probably have images of somebody (or something) smashing through defenses with no subtlety or strategy. It’s just attack, attack, attack, until you finally break through.
That’s how brute force attacks work in the world of online security too. A hacker throws everything at the wall in the hope that something sticks. If they get the attack right, they may gain access to materials and sensitive information they shouldn’t be able to see.
This article discusses the different types of brute force attacks and looks at some real-world examples.
Summary: A brute force attack is a trial-and-error approach to guessing somebody’s password. Hackers try a ton of passwords to gain unauthorized access to an account. Eventually, one of those passwords is correct and facilitates the attack. Examples of brute force attacks include dictionary attacks, credential stuffing, and the standard simple brute force attack.
Tip: Having unique and complex passwords for each of your accounts, is a great way to defend against brute force attacks. The best antivirus software and VPN providers frequently include a password manager, which can help you create, store and auto-fill those secure passwords.
What Is a Brute Force Attack?
Hackers use brute force attacks to gain access to online accounts. The attacks involve trial-and-error guesswork designed to crack a user’s password to provide the hacker with access. They often start with the hacker trying different combinations of common passwords before they move on to different versions of leaked passwords.
Brute force attacks are one of the oldest methods in the hacking playbook. Still, they’re exceptionally common, not least because it’s easy for hackers to access the tools needed to launch these attacks.
There are many reasons why somebody might want to do so.
Hackers can use brute force methods to steal personal data, which often gives them access to private accounts and financial information. Some use these attacks to spread malware or inject protected websites with malicious adverts. Other brute force attacks allow the hacker to access your device so they can use it for malicious activities.
Brute Force Attack Types
All types of brute force attacks take a figurative sledgehammer to the challenge of cracking passwords. They require a lot of computing power to make multiple login attempts in a matter of seconds.
Still, there are several brute force attack types, meaning hackers have several options open to them.
Type No. 1 – Simple Brute Force Attacks
There’s nothing complicated going on with these types of attacks.
The hacker uses a bunch of bots and scripts designed to test thousands, or even millions, of passwords in a short period of time. Some scripts can make hundreds of password guesses per second. The scripts tend to focus on common passwords, such as “password” or “12345.” They’ll also mix things up by trying these common passwords with uppercase letters, numbers, and symbols.
Using a strong password that contains plenty of random characters reduces the chances of this type of attack working against you. Otherwise, hackers can keep testing possible passwords until they find the right one.
Type No. 2 – Credential Stuffing
These attacks rely on other people to do the username and password stealing. A hacker purchases leaked passwords via the dark web. They then use the password across a bunch of different websites to try to access to online accounts.
Why do credential stuffing attacks work?
We have tons of websites asking us to set up accounts in the modern era of the internet. Instead of using a different password for each account, a lot of people use the same username and password across every account they have.
That’s a credential stuffer’s dream.
If a hacker gains access to the login details you use for one account, there’s a good chance they can use those details to access other accounts. For example, let’s say you use the same password for your Netflix account and your gaming account. If a hacker gets access to your Netflix password, they can also access your gaming account. And that means they can play your games, buy new games, and even lock you out of the account entirely.
Type No. 3 – Dictionary Attacks
Dictionary attacks are a step up from simple brute force attacks.
Instead of focusing on common passwords, they use common combinations of phrases and words. Early versions of these attacks involved a script literally working its way through a dictionary of words to find something that worked. More modern versions incorporate passwords that have already been leaked, with the script trying different variations to gain access.
Several dictionary attack software packages are available to make these attacks easier to execute. The software packages often work by replacing letters in common passwords with the most likely symbol the user would choose. A good example is the @ sign used in place of the letter A. Most people use that substitute as a unique character, which makes it easier for a hacker to attempt different versions of a password containing the letter A.
Type No. 4 – Password Spraying
A simple brute force attack involves using many password variations to try and access a single account. Password spraying takes the opposite approach. The hacker uses a single password and applies it to many different accounts.
Password spraying allows hackers to crack passwords while avoiding getting locked out of accounts for making too many failed login attempts. These attacks are most often used against accounts that offer single sign-on authentication methods.
Type No. 5 – Hybrid Brute Force Attacks
A hybrid brute force attack combines a simple brute force attack with a dictionary attack. Its success relies on the common practice of combining a word with a series of numbers that mean something to the user. For example, you may use a common word as a password, followed by your date of birth. This means the number following the word usually begins with a 1, which gives the hybrid brute force attack a starting point.
The hacker uses a dictionary to provide the words you might use, with an automated simple attack trying different combinations of four numbers. While the approach still requires a lot of guesswork, hybrid brute force attacks are more efficient than using a simple or dictionary attack alone.
Type No. 6 – Reverse Brute Force Attacks
Most brute force attacks start with the hacker getting hold of a username or account number. These details aren’t much use on their own. A hacker could know the email address used as a username and do nothing with it because they don’t know your password. They use brute force attacks to guess the password associated with the username.
A reverse brute force attack works in the opposite direction.
The hacker already has your password. That means they need to guess your account number, username, or email address, depending on what your online account uses. This is often a faster form of brute force attack because people often use their email addresses or names as usernames. All the hacker has to do is try multiple usernames until they get a hit.
Brute Force Attack Examples
“Okay,” you might think to yourself. “Brute force attacks sound bad. But I don’t use weak passwords. My complex passwords will save me from any hacking attempts.”
Unfortunately, that isn’t always the case.
There are plenty of examples of brute force attacks that show that even companies with huge financial resources can fall victim to data breaches.
The Alibaba Attack
In 2016, hackers used a database containing 99 million usernames and passwords to launch a password spraying brute force attack on Alibaba. The attack was simple. Enter each username and password individually to see which worked.
The result was 20.6 million compromised accounts. In other words, about 20% of the usernames and passwords in the hackers’ database worked.
While Alibaba’s own systems weren’t breached, the company had to absorb the fact that millions of accounts were stolen and there was little it could do about it.
A Brute Force Attack Shuts Down Remote Access for British Parliament
Midway through 2017, officials from Britain’s parliament announced that their network had experienced a sustained brute force attack. The aim was simple. Hack the emails of peers, staff, or members of parliament (MPs).
The attack appeared to be a combination of dictionary and simple brute force, with the hackers trying to access accounts using common and weak passwords. The good news is that parliamentary IT experts discovered the attack quickly. Still, they had to shut down remote access to emails and parliamentary accounts, preventing Britain’s MPs from working.
Later reports suggested that some MPs’ passwords were made available for sale via the dark web.
A Canadian Revenue Agency Attack Compromises 11,000 Accounts
The Canadian Revenue service experienced a brute force attack in 2020 that led to 11,000 accounts getting compromised. Worse yet, these weren’t the accounts of government officials. Instead, they were accounts that Canadian citizens used to access several of the agency’s support services and programs.
This attack was a perfect example of credential stuffing.
The hackers gained access to a list of stolen login credentials used for other types of accounts. They then launched an attack using those details to access the accounts of anybody who used the same password across multiple online accounts.
The Costly Dunkin’ Donuts Attack
Who’d want to launch a brute force attack on Dunkin’ Donuts?
Hackers who realized that the donut franchise has an online app that asks users to enter their payment details.
Using brute force techniques, hackers managed to log in to 19,715 accounts in just five days. Once they’d achieved access, the hackers could use the payment details logged in the accounts to steal money from the unwitting victims.
Dunkin’ Donuts’ response to the attack was the worst imaginable:
It didn’t tell anyone.
Users of the app couldn’t take measures to protect themselves because the donut franchise kept the attack to themselves. Dunkin’ Donuts eventually had to pay $650,000 as part of a settlement for a lawsuit launched against it.
Brute Force Can Still Work
Brute force attacks may be one of the oldest forms of hacking out there. But they’re still effective. Even the most basic brute force attack can compromise accounts due to so many people using weak passwords. And if the account providers don’t have measures in place to limit login attempts, brute force hackers can just keep trying until they get it right.
What can you do to avoid brute force attacks?
By understanding how brute force password cracking techniques work, you can limit the chances of an attack affecting you.
Using strong passwords is a good start. Brute force attacks rely on people not being vigilant. Long and complex passwords are a lot harder to crack than simple passwords that use your name or something related to you.
It’s also a good idea to stop using the same password across multiple websites. Hackers only need to get access to one set of login credentials to access them all if you’re not using a variety of passwords.
Frequently Asked Questions
How do you prevent Brute Force Attacks?
Several techniques can prevent brute force attacks. Limiting login attempts often works because it stops hackers from trying to gain access repeatedly. Using a strong password also makes it less likely that a brute force attack will work.
Are there any good uses of Brute Force Attacks?
Yes! Some IT specialists use brute force methods to test network security. For example, they may use brute force attacks to try and crack their own encryption methods. This gives them an idea of how strong their security systems are.
How common are Brute Force Attacks?
Sadly, brute force attacks are becoming more common as hackers look to steal data. Help Net Security’s data suggests that 206 billion brute force attacks were attempted in the third quarter of 2021 alone. The good news is that most of these attacks failed to get results.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.
Over the years, he has tested most of the best antivirus software for Windows, Mac, Android, and iOS, as well as many VPN providers.
He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.
This website is hosted on a Digital Ocean server via Cloudways and is built with DIVI on WordPress.
Don’t take chances online. Protect yourself today:
Protect your Devices
Protect your Privacy
Or directly visit the #1: