Brute Force Attacks: Password Protection – Kaspersky

What is a brute force attack?

A brute force attack uses trial and error to guess login information, encryption keys, or find a hidden web page. Hackers work through every possible combination in hopes of guessing correctly.

These attacks are done by “brute force”, which means that they use excessive and forceful attempts to try to “force” their way into your private account(s).

This is an old attack method, but it is still effective and popular among hackers. Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years.


What do hackers gain from brute force attacks?

Brute force attackers have to put in some effort to make these schemes worthwhile. While technology makes it easier, you may still wonder: why would anyone do this?

Here’s how hackers benefit from brute force attacks:

  • Profiting from ads or collecting activity data
  • Theft of personal data and valuables
  • Spreading malware to cause disruptions
  • Hijacking your system for malicious activities
  • Ruining a website’s reputation

Profiting from ads or collecting activity data.


Hackers can exploit one website along with others to earn advertising commissions. Popular ways to do this include:

  • Putting spam ads on a busy site to make money every time visitors click on an ad or see it.
  • Redirecting traffic from a website to commissioned ad sites.
  • Infecting a site or its visitors with activity-tracking malware, commonly spyware. The data is sold to advertisers without your consent to help them improve their marketing.

Theft of personal data and valuables.

Breaking into online accounts can be like opening a bank vault: everything from bank accounts to tax information can be found online. All it takes is the right break-in for a criminal to steal your identity, money, or sell your private credentials for profit. Sometimes, the sensitive databases of entire organizations can be exposed in corporate-level data breaches.

Spreading malware to cause disruptions for the sake of doing so.

If a hacker wants to cause trouble or practice their skills, they can redirect a website’s traffic to malicious sites. Alternatively, they can directly infect a site with hidden malware to be installed on visitors’ computers.

Hijacking your system for malicious activities.

When one machine isn’t enough, hackers recruit an army of unsuspecting devices called botnets to speed up their efforts. Malware can infiltrate your computer, mobile device, or online accounts to send spam (phishing), enhanced brute force attacks, and more. If you don’t have an antivirus system, you may be at higher risk of infection.

Ruining the reputation of a website.

If you run a website and it becomes a target for vandalism, a cybercriminal could decide to infest your site with obscene content. This may include text, images, and audio that is violent, pornographic, or racially offensive in nature.

Types of Brute Force Attacks

Each brute force attack can use different methods to discover your sensitive data. You may be exposed to any of the following popular brute force methods:

  • Simple brute force attacks
  • Dictionary attacks
  • Hybrid brute force attacks
  • Reverse brute force attacks
  • Credential stuffing

Simple brute force attacks: Hackers try to logically guess your credentials, completely without the help of software tools or other means. These can reveal extremely simple passwords and PINs. For example, a password that is set to “guest12345”.

Dictionary attacks: In a standard attack, a hacker chooses a target and executes possible passwords against that username. These are known as dictionary attacks. Dictionary attacks are the most basic tool in brute force attacks. While they are not necessarily brute force attacks in themselves, they are often used as an important component for cracking passwords. Some hackers check entire dictionaries and augment words with special characters and numbers or use special word dictionaries, but this type of sequential attack is cumbersome.

Hybrid brute force attacks: These hackers mix external means with their logical guesswork to attempt a break-in. A hybrid attack usually mixes dictionary and brute force attacks. These attacks are used to discover combined passwords that mix common words with random characters. An example of a brute force attack of this nature would include passwords such as NewYork1993 or Spike1234.

Reverse brute force attacks: Just as the name implies, a reverse brute force attack reverses the attack strategy by starting with a known password. Hackers then search for millions of usernames until they find a match. Many of these criminals start with leaked passwords that are available online from existing data breaches.

Credential stuffing: If a hacker has a username and password combo that works for one website, they’ll try it on tons of others as well. Since users are known to reuse login information on many websites, they are the exclusive targets of an attack like this.

Guessing a password for a particular user or site can be time-consuming, so hackers have developed tools to get the job done faster.


Automated tools help with brute force attacks. These use quick guesses that are designed to create as many passwords as possible and try to use them. Brute force hacking software can find a single dictionary word password in a second.

Tools like these have programmed solutions to:

  • Work against many computer protocols (such as FTP, MySQL, SMTP, and Telnet).
  • Allow hackers to decrypt wireless modems.
  • Identify weak passwords.
  • Decrypt passwords in encrypted storage.
  • Translate words to leetspeak: “don’thackme” becomes “d0n7H4cKm3”, for example.
  • Run all possible combinations of characters.
  • Operate dictionary attacks.

Some tools scan pre-calculated rainbow tables for the inputs and outputs of known hash functions. These “hash functions” are the algorithm-based encryption methods used to translate passwords into long, fixed-length series of letters and numbers. In other words, rainbow tables eliminate the hardest part of the brute force attack to speed up the process.

GPU accelerates brute force attempts

It takes tons of computer brainpower to run brute force password software. Unfortunately, hackers have worked out hardware solutions to make this part of the job much easier.

The combination of the CPU and graphics processing unit (GPU) accelerates computing power. By adding the thousands of compute cores on the GPU for processing, this allows the system to handle multiple tasks at once. GPU processing is used for analysis, engineering, and other compute-intensive applications. Hackers using this method can crack passwords about 250 times faster than a CPU alone.

So how long would it take to crack a password? To put it in perspective, a six-character password that includes numbers has approximately 2 billion possible combinations. Cracking it with a powerful CPU that tests 30 passwords per second takes more than two years. Adding a single, powerful GPU card allows the same computer to try 7,100 passwords per second and crack the password in 3.5 days.

Steps to Protect Professionals’ Passwords

To keep yourself and your network safe, you’ll want to take precautions and help others do so as well. User behavior and network security systems will need reinforcement.

For both IT specialists and users, you’ll want to take a few general tips seriously:

  • Use an advanced username and password. Protect yourself with credentials that are stronger than admin and password1234 to keep these attackers away. The stronger this combination, the harder it will be for anyone to penetrate it.
  • Delete all unused accounts with high-level permissions. These are the cyber equivalent of doors with weak locks that facilitate theft. Unmaintained accounts are a vulnerability you can’t risk. Dispose of them as soon as possible.

Once you have the basics, you’ll want to beef up your security and get users on board. We’ll start with what you can do on the backend, then give you tips for supporting safe habits.


Passive backend protections for passwords

High encryption rates: To hinder the success of brute force attacks, system administrators must ensure that their system passwords are encrypted with the highest possible encryption rates, such as 256-bit encryption. The more bits there are in the encryption scheme, the harder it is to crack the password.

Salt the hash: Administrators must also randomize password hashes by adding a random string of letters and numbers (called salt) to the password itself. This string must be stored in a separate database and retrieved and added to the password before a hash is applied. When salting the hash, users with the same password have different hashes.
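The salting step described above, as an added example that is not part of the original article. PBKDF2-HMAC-SHA256 from Python's standard library is an assumed stand-in for the system's password hash, and the iteration count, salt length and function names are illustrative.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor for this example
SALT_BYTES = 16        # assumed salt length


def unsalted_hash(password):
    """Weak baseline: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, stored_digest):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo():
    # Constructed accounts: two users who picked the same password.
    shared = "NewYork1993"
    alice_salt, alice_digest = salted_hash(shared)
    bob_salt, bob_digest = salted_hash(shared)
    return {
        "unsalted_match": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_match": alice_digest == bob_digest,
        "alice_login_ok": verify(shared, alice_salt, alice_digest),
        "wrong_password_ok": verify("Spike1234", alice_salt, alice_digest),
        "wrong_salt_ok": verify(shared, bob_salt, alice_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because each account gets its own salt, a table of precomputed hashes for common passwords no longer matches any stored digest, and one cracked hash does not reveal which other users chose the same password.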

Two-factor authentication (2FA): In addition, administrators can require two-factor authentication and install an intrusion detection system that detects brute force attacks. This requires users to follow up a login attempt with a second factor, such as a physical USB key or biometric fingerprint scan.

Limit the number of login retries: Limiting the number of attempts also reduces susceptibility to brute force attacks. For example, allowing three attempts to enter the correct password before locking the user out for several minutes can cause significant delays and make hackers move to easier targets.

Account lock after excessive login attempts: If a hacker can keep retrying passwords endlessly even after a temporary lock, they can return to try again. Locking the account and requiring the user to contact IT for an unblock will deter this activity. Short lock timers are more convenient for users, but convenience can be a vulnerability. To balance this, you can consider using long-term locking if there are too many failed logins after the short one.

Throttle the rate of repeated logins: You can further slow down an attacker’s efforts by creating space between each login attempt. Once a login fails, a timer can deny the login until a short period of time has passed. This gives your real-time monitoring team time to detect the threat and work to stop it. Some hackers may stop trying if the wait isn’t worth it.

Captcha required after repeated login attempts: Manual verification prevents bots from brute-forcing their way into your data. Captcha comes in many types, including retyping text in an image, checking a checkbox, or identifying objects in images. Regardless of what you use, you can use this before the first login and after each failed attempt for additional protection.

Use an IP deny list to block known attackers. Make sure this list is constantly updated by those who manage it.
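The retry limit, escalating lock and login throttling described above, combined in one added example that is not part of the original article. The three-attempt limit comes from the text; the five-minute lock, the number of short locks before the long-term lock, the delay schedule and all names are assumptions.

```python
from dataclasses import dataclass

MAX_TRIES = 3            # failures before a short lock (figure from the text)
SHORT_LOCK = 5 * 60      # assumed: "several minutes" taken as 5 minutes
SHORT_LOCKS_ALLOWED = 2  # assumed: short locks tolerated before the long-term lock
BASE_DELAY = 2           # assumed: seconds of forced wait after the first failure

@dataclass
class Account:
    failures: int = 0
    short_locks: int = 0
    not_before: float = 0.0   # earliest time the next attempt is evaluated
    hard_locked: bool = False

class LoginThrottle:
    def __init__(self):
        self.accounts = {}

    def attempt(self, user, check, now):
        """check() verifies the password; it is only called when allowed."""
        acct = self.accounts.setdefault(user, Account())
        if acct.hard_locked:
            return "locked-contact-it"
        if now < acct.not_before:
            return "wait"
        if check():
            self.accounts[user] = Account()
            return "ok"
        acct.failures += 1
        if acct.failures < MAX_TRIES:   # throttle: the wait doubles per failure
            acct.not_before = now + BASE_DELAY * 2 ** (acct.failures - 1)
            return "denied"
        acct.failures = 0
        acct.short_locks += 1
        if acct.short_locks > SHORT_LOCKS_ALLOWED:
            acct.hard_locked = True   # stays locked until IT resets the account
            return "locked-contact-it"
        acct.not_before = now + SHORT_LOCK
        return "short-lock"

def simulate(duration=3600):
    # One wrong guess per second; returns (guesses evaluated, final status).
    throttle, evaluated, status = LoginThrottle(), [0], None
    def wrong_guess():
        evaluated[0] += 1
        return False
    for t in range(duration):
        status = throttle.attempt("alice", wrong_guess, t)
    return evaluated[0], status
```

With these settings, an hour of one guess per second results in only nine passwords being checked before the account is held for IT. A lock keyed on the account alone also lets anyone lock a user out by failing on purpose, which is why deployments often key on account plus source address.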

Active IT support protections for passwords

Password education: User behavior is essential to password security. Educate users on secure practices and tools to help them keep track of their passwords. Services like Kaspersky Password Manager allow users to store their complex and hard-to-remember passwords in an encrypted “vault” instead of insecurely writing them on sticky notes. Since users tend to compromise their security for convenience, be sure to help them put convenient tools in their hands that will keep them safe.

Watch accounts in real-time to detect strange activity: strange login locations, excessive login attempts, etc. Work to find trends in unusual activity and take action to block any potential attackers in real time. Keep an eye out for IP address blocks, account blocking, and contact users to determine if account activity is legitimate (if it looks suspicious).
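One way to watch for excessive login attempts, as an added example that is not part of the original article. The event format, window, threshold and labels are assumptions, and the sample events are constructed with documentation-range addresses.

```python
from collections import defaultdict

WINDOW = 60          # assumed look-back window, seconds
FAIL_THRESHOLD = 5   # assumed failed logins per source within the window


def sample_events():
    """Constructed events (time, source IP, username, outcome); not real traffic."""
    events = [(100 + i, "203.0.113.7", "alice", "fail") for i in range(8)]
    names = ["bob", "carol", "dave", "erin", "frank", "grace"]
    events += [(200 + i, "198.51.100.9", n, "fail") for i, n in enumerate(names)]
    events += [(300, "192.0.2.4", "heidi", "fail"), (305, "192.0.2.4", "heidi", "ok")]
    return events


def detect(events):
    """Map each alerting source IP to the pattern its failures show."""
    recent = defaultdict(list)   # source IP -> [(time, username)] inside the window
    alerts = {}
    for ts, ip, user, outcome in sorted(events):
        if outcome != "fail":
            continue
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t < WINDOW]
        recent[ip].append((ts, user))
        if len(recent[ip]) < FAIL_THRESHOLD:
            continue
        users = {u for _, u in recent[ip]}
        # One account hammered: simple, dictionary or hybrid guessing.
        # Many accounts touched: reverse brute force or credential stuffing.
        alerts[ip] = "many-accounts" if len(users) >= FAIL_THRESHOLD else "single-account"
    return alerts


if __name__ == "__main__":
    for ip, pattern in detect(sample_events()).items():
        print(ip, pattern)
```

The single mistyped password from the third source stays below the threshold, so an ordinary user is not flagged.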

How Users Can Strengthen Passwords Against Brute Force Attacks

As a user, you can do a lot to support your protection in the digital world. The best defense against password attacks is to make sure your passwords are as strong as possible.

Brute force attacks depend on time to crack your password. So, your goal is to make sure that your password slows down these attacks as much as possible, because if it takes too long for the breach to be worthwhile, most hackers will give up and move on.

Here are some ways you can protect passwords against brute force attacks:

Longer passwords with various types of characters. When possible, users should choose 10-character passwords that include symbols or numbers. In doing so, 171.3 quintillion (1.71 x 10^20) possibilities are created. Using a GPU processor that attempts 10.3 billion hashes per second, cracking the password would take approximately 526 years, although a supercomputer could crack it in a few weeks. According to this logic, including more characters makes your password even harder to figure out.

Make passphrases. Not all sites accept such long passwords, which means you should choose complex passphrases instead of single words. Dictionary attacks are created specifically for one-word phrases and make a breach almost effortless. Passphrases, passwords composed of multiple words or segments, should be dotted with additional characters and special character types.

Create rules to create your passwords. The best passwords are those that you can remember but won’t make sense to anyone else who reads them. When taking the passphrase route, consider using truncated words, such as replacing “wood” with “wd” to create a string that makes sense just to you. Other examples may include removing vowels or using only the first two letters of each word.

Stay away from frequently used passwords. It is important to avoid the most common passwords and change them frequently.

Use unique passwords for each site you use. To avoid falling victim to credential stuffing, you should never reuse a password. If you want to take your security to a higher level, use a different username for each site as well. You can prevent other accounts from being compromised if one of yours is breached.

Use a password manager. Installing a password manager automates the creation and tracking of your online login information. These allow you to access all your accounts by logging into the password manager first. You can then create extremely long and complex passwords for all the sites you visit, store them securely, and you only have to remember the master password.

If you’re wondering, “how long would it take for my password to crack?”, you can test the strength of the passphrase on

Kaspersky Internet Security received two AV-TEST awards for best performance and protection for an Internet security product in 2021. In all tests, Kaspersky Internet Security showed exceptional performance and protection against cyber threats.
