Skip to main content

Brute-Force Attacks: How to Defend Against Them

When you hear the words “brute force," subtlety is probably not the first thing that comes to mind. Indeed, classic brute-force cyber attacks use the most straightforward tactics—trial and error—to gain entry into a protected system.

When brute force works, the attack's type, depth, and severity depend on the attacker's goals. Some will use their access to steal sensitive data or hold it for ransom; others will spread malware to disrupt their victim's operations or assume control of their victim's IT systems and data to engage in illicit activity.

Basically, the type of scheme behind a brute-force attack varies according to the individuals who undertake them. A noteworthy example of a brute-force attack involved Alibaba in 2016 , when perpetrators compromised almost 21 million accounts. Firefox, Magento, and the Northern Irish Parliament have all experienced damaging brute-force attacks of on their organizations as well.

Why Do Brute-Force Attacks Work?

Brute-force attacks succeed when an organization's password policy does not require complex passwords and attackers deploy tools to mount a sustained attack—typically using bots to create and enter a never-ending stream of password guesses. In such circumstances, it's often just a question of time before the bad actor’s bot succeeds.

The longer an attacker remains undetected, the more attempts they can make to breach an organization's defenses. If an organization can’t detect and flag unsuccessful logins within a short period, logins from unknown IP addresses, and logins from new locations, the chance of a successful brute-force attack increases significantly.

What Are the Types of Brute-Force Attacks?

Understanding what a brute-force attack often entails can help your organization take appropriate security mechanisms to detect and prevent such attacks. Here's a brief overview of the most common types of attack:

Knowledge-Based Attacks

Leveraging information gathered about a user from online sources or social engineering, attackers combine the user's data to guess their password. Phishing or spear phishing emails are often used to gather this data.

Dictionary Attacks

Employees often use simple words or phrases to form their passwords. A dictionary attack relies on commonly used words and phrases to guess a user's password.

Credential Stuffing

To make it easier to recall their passwords, users often recycle their credentials. Credential stuffing takes advantage of this practice by using stolen passwords from one site to access another.

Reverse Brute Force

Instead of guessing passwords for a given username, a reverse brute-force attack starts with a common password, like "12345" or "password," and attempts to guess the username.

Hybrid Attacks

Combining knowledge about the intended target and dictionary words and phrases, attackers attempt to guess user passwords. For example, if they know the user's birthday and partner's name, they may combine that information to guess their password.

How Do You Defend Against a Brute-Force Attack?

Preventing a brute-force attack requires relatively straightforward precautions, including the following:

Enforce the Use of Lengthy and Complex Passwords

The longer and more complex a password, the more time and computing power it takes bad actors to guess it. Consider requiring passwords of 8 to 12 characters. The use of upper- and lower-case letters and special characters can add additional complexity and challenges for an attacker to overcome. Complex ones that include diverse character types can take years to crack by brute force for even the most powerful computing infrastructure.

Closeup of "password" on a laptop screen with asterisks hiding the password itself.

Deploy Two-Factor Authentication

If an attacker guesses a user's login credentials, all is not lost. They are still thwarted if you require that the user inputs additional information, such as a one-time password sent to their phone or email. Other forms of two-factor authentication include relying on biometrics, such as face scans or fingerprints. The key factor is adding that extra layer of identification to your organization's defences.

Cap the Number of Failed Login Attempts

Consider limiting the number of failed logins from a single IP address. Some organizations only allow three failed attempts before blocking new attempts; others allow up to five. If a user hits the cap, some businesses also limit additional logins until the user restores their access rights via a phone call. Other companies allow for additional attempts 15 to 30 minutes later, which is less secure but more user friendly.


Brute-force attacks often involve bots. Requiring a CAPTCHA—a challenge–response protocol to verify that a visitor to a site is human—can stop attacks. Regardless of the method of CAPTCHA deployed, adding this layer can prevent bots from running a script, forcing the human threat actor to intervene. You can require a CAPTCHA at the initial login or when attempts reach a certain threshold, which may indicate an automated login attempt.

Educate Employees

Security measures to combat brute-force attacks inconvenience users and potentially trigger resistance, so make sure users understand the potential ramifications of an attack and why the security measures are prudent and appropriate. Increasing employees’ awareness of the threat will also make them more alert and increase the likelihood that they will report any suspicious activity that might be connected to an attack.

Every brute-force attack aims to gain access to your network and data to engage in some form of illicit activity. The likelihood of an attack succeeding increases significantly when the attacker can submit unlimited guesses, when weak passwords are permissible, and when additional challenges and factors are not required to complete a login. Employee education plays an import role in combating brute-force attacks, as their buy-in is necessary to adopt and comply with minimally-invasive yet critical cybersecurity protocols.

For more insight, learn how Arctic Wolf Managed Security Awareness® can empower employees to better defend themselves against attacks like brute-force attacks.

Additional Resources