A brute-force attack is an attempt to guess a secret, e.g. a password or an encryption key, by systematically checking every possible option.
A brute-force attack against an encryption system attempts to decrypt encrypted data by exhaustively enumerating and trying encryption keys. Such an attack might be used when it is not possible to take advantage of other weaknesses in the encryption system (if any exist) that would make the task easier. Well-designed and well-implemented cryptosystems make the brute-force option infeasible: by using encryption keys long enough that they cannot realistically be guessed, they ensure that the probability of success is negligibly small.
A brute-force attack against a password system attempts to exhaustively enumerate and try all password combinations. The increasing computational power of computers makes it practical to guess longer and longer passwords. To counter this, password length and complexity requirements can be introduced, making guessing impractical again.
Brute-force attacks can take place offline or online. In an offline attack, the attacker has access to the encrypted material or a password hash and tries different keys or passwords without the risk of discovery or interference.
In an online attack, the attacker needs to interact with the target system. In that case the system can counteract the attack by, for example, limiting the number of times a password can be tried, introducing time delays between successive attempts, increasing the complexity of the required answer (e.g. by requiring a CAPTCHA answer or a verification code sent to a cell phone), and/or locking accounts out after a threshold of unsuccessful logon attempts is reached. Introducing a second factor of authentication is another countermeasure.
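As an added example (not part of the original text) of the online countermeasures just listed: a per-account throttle in Python that imposes a delay that doubles after each failed attempt and a temporary lockout once a failure threshold is reached, plus a simulation showing how many seconds a guesser who always fails needs before N attempts are processed. The thresholds (5 failures, 1 s base delay, 15-minute lockout) and the account name are assumed values chosen for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success/lockout
    next_allowed: float = 0.0  # earliest time (seconds) the next attempt is accepted
    locked_until: float = 0.0  # lockout expiry time, 0.0 when not locked


class LoginThrottle:
    """Growing delay between failed attempts and lockout after a threshold.
    Parameters are assumed example values, not taken from the text."""

    def __init__(self, max_failures=5, base_delay=1.0, lockout_seconds=900.0, clock=time.time):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the simulation below can use a fake clock
        self.state = {}

    def check(self, user):
        """Return (allowed, seconds_to_wait) before an attempt may be processed."""
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if st.locked_until > now:
            return False, st.locked_until - now
        if st.next_allowed > now:
            return False, st.next_allowed - now
        return True, 0.0

    def record(self, user, success):
        """Update the account's counters after a processed attempt."""
        st = self.state.setdefault(user, AccountState())
        if success:
            self.state[user] = AccountState()  # a good login clears the history
            return
        now = self.clock()
        st.failures += 1
        st.next_allowed = now + self.base_delay * 2 ** (st.failures - 1)  # 1s, 2s, 4s, ...
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # the count restarts once the lockout expires


def time_to_submit(n_guesses, **params):
    """Seconds a guesser who always fails and waits exactly as told needs
    to get n_guesses processed (constructed fake clock, account 'alice')."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0], **params)
    submitted = 0
    while submitted < n_guesses:
        allowed, wait = throttle.check("alice")
        if not allowed:
            clock[0] += wait  # the attacker can do nothing but wait
            continue
        throttle.record("alice", success=False)
        submitted += 1
    return clock[0]
```

With the defaults, five wrong guesses already cost 15 s of waiting and the sixth is pushed behind a 15-minute lockout, which is the bound on guess rate that makes an online attack impractical.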