Safeguard
Vulnerability Analysis

What is a Brute Force Attack

A brute force attack guesses credentials until one works. Learn how attackers execute it, real breach data, warning signs, and effective defenses.

Yukti Singhal
Security Analyst
7 min read

A brute force attack is a method of gaining unauthorized access to an account, device, or system by systematically trying every possible password, key, or credential combination until one works. Unlike phishing or malware, it requires no social engineering — just computing power, time, and a target that doesn't rate-limit or lock out failed attempts. Attackers automate the guessing with tools like Hydra, Medusa, or custom scripts, testing thousands to billions of combinations per second depending on the encryption or hashing involved. In 2016, the Mirai botnet compromised roughly 600,000 IoT devices by brute-forcing a list of just 61 default username/password pairs over Telnet. In 2012, attackers cracked 6.5 million unsalted SHA-1 password hashes stolen from LinkedIn within days using offline brute force. Modern variants — credential stuffing, password spraying, dictionary attacks — trade raw exhaustiveness for statistical efficiency, but the underlying premise is the same: guess until you get in.

What Is a Brute Force Attack, Exactly?

A brute force attack is any technique that relies on trial-and-error submission of credentials rather than exploiting a logic flaw or tricking a user. The attacker (or their botnet) submits login attempts — usernames, passwords, PINs, API keys, or encryption keys — against an authentication endpoint, SSH service, RDP port, or encrypted file, repeating until a valid combination is found. Speed depends entirely on what's being attacked: a 4-digit PIN has only 10,000 possibilities and can be exhausted in seconds, while an AES-256 key has roughly 2^256 possibilities, computationally infeasible to brute force with current technology. Real-world brute forcing rarely targets strong cryptographic keys directly; it targets weak, reused, or default passwords sitting in front of them. NIST SP 800-63B explicitly calls out brute force and dictionary attacks as a reason to enforce rate limiting and screen passwords against known-breached lists rather than relying on complexity rules alone.

How Do Attackers Actually Carry Out a Brute Force Attack?

Attackers carry out brute force attacks with automated tools that submit login attempts far faster and more persistently than any human could. Tools like Hydra, Medusa, John the Ripper, and Hashcat support dozens of protocols — SSH, RDP, FTP, HTTP forms, SMB — and can be pointed at a target with a wordlist or a full charset generator. Hashcat, when running offline against a captured hash on a modern GPU rig, can test billions of MD5 guesses per second; even bcrypt or PBKDF2, which are deliberately slow, only push the timeline from seconds to weeks rather than making an attack impossible. Online attacks against live services are throttled by network latency and any defenses in place, so attackers commonly distribute the workload across botnets to spread requests across thousands of source IPs and evade simple rate limiting or IP-based blocking. Cloud providers report this pattern constantly: AWS, Azure, and Google Cloud each publish guidance specifically about brute force attempts against exposed SSH (port 22) and RDP (port 3389) instances, because internet-wide scanning tools like Shodan make discovery of open ports trivial within minutes of provisioning.

How Is a Brute Force Attack Different From Credential Stuffing or Password Spraying?

A brute force attack tries many possible passwords against one account, while credential stuffing and password spraying flip that ratio to evade detection. Credential stuffing takes credentials already leaked in prior breaches — like the 2019 "Collection #1" dump of 773 million email/password pairs — and replays them across many unrelated sites, betting on password reuse rather than guessing anything new. Password spraying tries one or a handful of common passwords (think "Winter2024!" or "Password123") against thousands of different accounts in an organization, staying under the per-account lockout threshold that would trigger an alert for classic brute forcing. Microsoft's Digital Defense Report tracked over 4,000 password-based attacks per second against Microsoft Entra ID accounts in 2023, the large majority of which were spraying and stuffing rather than exhaustive single-account brute forcing. All three fall under the "brute force family" in frameworks like MITRE ATT&CK (T1110, with sub-techniques T1110.001 through T1110.004 covering each variant), because the defensive controls — rate limiting, MFA, breached-password screening — overlap heavily.

How Common Are Brute Force Attacks in Real-World Breaches?

Brute force and credential-based attacks remain one of the most consistently used breach vectors tracked in the industry. Verizon's 2024 Data Breach Investigations Report found that stolen or brute-forced credentials were involved in 24% of breaches overall, and credential abuse has ranked among the top three initial access vectors in every DBIR since the report began tracking attack patterns systematically. Basic web application attacks — the DBIR category that includes brute force and credential-based logins — showed stolen credentials as the leading attack method for over a decade running. Outside of web apps, brute forcing remains the default first move against exposed remote access: the SANS Internet Storm Center and multiple honeypot studies consistently show SSH and RDP ports receiving credential-guessing traffic within minutes of being exposed to the public internet, often from IP ranges tied to known botnets. Ransomware operators particularly favor RDP brute forcing as an entry point; several major ransomware incident response reports have cited exposed, weakly-protected RDP as the initial foothold in a substantial share of investigated cases.

What Are the Warning Signs of a Brute Force Attack in Progress?

The clearest warning sign is a spike in failed authentication attempts against one or more accounts in a short window, often from a wide or rotating set of source IPs. Security teams should look for repeated 401/403 responses on login endpoints, a sudden surge in "invalid password" events in authentication logs, failed attempts against usernames that don't exist (a sign of automated guessing rather than a user mistyping), and login attempts arriving faster than a human could type — sometimes hundreds per second against a single endpoint. Password spray campaigns show a different signature: a low, steady trickle of failed attempts spread across many accounts, deliberately staying below any single account's lockout threshold, which is why per-account alerting alone misses them and organizations need aggregate, account-agnostic detection. SIEM rules built on MITRE ATT&CK T1110 and its sub-techniques, combined with impossible-travel and geo-velocity checks on successful logins that follow a burst of failures, catch most real-world brute force activity before attackers reach a working credential.

How Can Organizations Defend Against Brute Force Attacks?

The most effective defense is layering rate limiting, account lockout, multi-factor authentication, and breached-password screening so that guessing stops being economically viable. Rate limiting and progressive delays (adding seconds of latency after each failed attempt) turn an attack that would take hours into one that takes years; NIST SP 800-63B recommends this over arbitrary lockout policies alone, since lockouts can themselves be abused for denial-of-service against legitimate users. MFA is the single highest-leverage control, since even a correctly guessed password fails without the second factor — Microsoft has reported that MFA blocks the overwhelming majority of account compromise attempts it tracks. Screening new passwords against lists of known-breached credentials (as NIST now recommends instead of forced complexity rules) closes the gap that dictionary and credential-stuffing attacks rely on. For infrastructure, disabling password auth on SSH in favor of key-based authentication, closing RDP to the public internet, and putting remote access behind a VPN or zero-trust gateway removes the exposed target entirely rather than just slowing the attack against it.

How Safeguard Helps

Safeguard helps security teams find and close the exposures that make brute force attacks viable before attackers ever get a chance to guess. Griffin AI continuously scans infrastructure-as-code and deployed configurations to flag exposed SSH, RDP, and admin login endpoints lacking rate limiting, MFA enforcement, or lockout policies, and prioritizes them using reachability analysis so teams fix internet-facing, actually-exploitable exposures first instead of chasing every theoretical misconfiguration. SBOM generation and ingest give teams visibility into authentication libraries and dependencies with known weak-credential-handling defaults, surfacing them alongside the services that actually use them. When Safeguard identifies a fixable weakness — a missing rate limit, a default credential left in a config, an outdated auth library — it can open an auto-fix pull request with the remediation already drafted, cutting the time between detection and a closed exposure from weeks to minutes.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.