The Secret Security Wiki

Brute-force Attack

Brute-force attack is an attempt to guess a secret – e.g. password or encryption key – by systematically checking every possible option.

A brute force attack against an encryption system attempts to decrypt encrypted data by exhaustively enumerating and trying encryption keys. Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. Well designed and implemented cryptosystems make the brute force attack option infeasible, as they ensure that probability of success is negligibly small by using long encryption keys that are difficult to successfully guess.

A brute force attack against a password system attempts to exhaustively enumerate and try all possible passwords. The increasing computational power of computers makes it practical to guess longer and longer passwords. To counter this, password length and complexity requirements can be introduced, enlarging the search space so that guessing becomes impractical again.
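The following added example (not code from the wiki) puts numbers on the length-and-complexity argument above, and also on the dictionary-attack comparison made later on this page: it computes the keyspace for a password alphabet and length, the equivalent key length in bits, the worst-case time to exhaust that keyspace at an assumed guess rate, and how many times smaller a dictionary of common passwords is than the full keyspace. The guess rate of 10^10 per second and the dictionary size of 10 million entries are assumed parameters chosen for illustration, not measurements.

```python
"""Brute-force effort estimates: keyspace size, entropy and time to exhaust for a
given alphabet and length, compared with a dictionary of common passwords.
Added example, not the wiki's own code; the guess rate is an assumed parameter."""
import math
import string

# Assumed guess rate for illustration only (an offline attack against a fast,
# unsalted hash); real rates depend entirely on hardware and hash function.
ASSUMED_GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes a password policy typically distinguishes (sizes in comments).
ALPHABETS = {
    "digits": string.digits,                                                 # 10
    "lowercase": string.ascii_lowercase,                                     # 26
    "alphanumeric": string.ascii_letters + string.digits,                    # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets of exactly `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent key length in bits: the attacker must search 2**bits candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case (every candidate tried); the expected time is half of this."""
    return space / rate / SECONDS_PER_YEAR


def dictionary_speedup(alphabet_size: int, length: int, dictionary_size: int) -> float:
    """How many times smaller a dictionary attack's search is than full brute force."""
    return keyspace(alphabet_size, length) / dictionary_size


def report(length: int, dictionary_size: int = 10_000_000) -> list[dict]:
    """One row per alphabet: bits of entropy, years to exhaust, dictionary speedup."""
    rows = []
    for name, chars in ALPHABETS.items():
        space = keyspace(len(chars), length)
        rows.append({
            "alphabet": name,
            "size": len(chars),
            "bits": round(entropy_bits(space), 1),
            "years": years_to_exhaust(space),
            "dictionary_speedup": dictionary_speedup(len(chars), length, dictionary_size),
        })
    return rows


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"length {length}")
        for row in report(length):
            print(f"  {row['alphabet']:<13} {row['bits']:>5} bits  "
                  f"{row['years']:.3g} years  dictionary {row['dictionary_speedup']:.2g}x smaller")
    # A properly sized symmetric key, for comparison with the password figures.
    print(f"128-bit key: {years_to_exhaust(2**128):.3g} years")
```

Running it shows the two effects the page describes: each extra character multiplies the keyspace by the alphabet size, so 16 printable characters already exceed the effort of a 64-bit key, while a dictionary of 10 million entries is tens of millions of times smaller than even the 8-character alphanumeric keyspace, which is why password policies reject dictionary words as well as enforcing length.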

Brute-force attacks can take place offline or online. In an offline attack, the attacker has access to the encrypted material or a password hash and can try different keys or passwords without the risk of discovery or interference.

In an online attack, the attacker needs to interact with the target system. In such cases, the system can counteract the attack by, for example, limiting the number of times a password can be tried, introducing time delays between successive attempts, increasing the complexity of the required answer (e.g. by requiring a CAPTCHA answer or a verification code sent to a cell phone), and/or locking accounts out after a threshold of unsuccessful logon attempts is reached. Introducing a second factor of authentication is another countermeasure.

  • How does a brute force attack work?

    Brute-force attack is an attempt to guess a secret – e.g. password or encryption key – by systematically checking every possible option. Checking can be done offline or online. In case of an offline attack the attacker has access to the encrypted material or a password hash and can try key combinations without the risk of discovery or interference. In an online attack, the attacker needs to interact with the target system to which he is trying to gain access.

  • How long do brute force attacks take?

    The length of time it takes to succeed with a brute-force attack depends on the length and complexity of the secret to be cracked. The longer, more complex the secret, the longer the attack will take. Properly sized keys or passwords require an infeasibly long time to guess, even with very powerful computers.

  • What is a dictionary attack?

    A dictionary attack attempts to guess or crack user passwords by trying entries from a dictionary of commonly used passwords instead of blindly trying every possible combination. Unlike a brute-force attack, which systematically tries every possible value of the secret, a dictionary attack tries only commonly used values. As a result, the number of attempted options is dramatically reduced.

    The premise behind a dictionary attack is that most users will not choose random strings as their passwords – they will choose words or combinations of words with meaning, to make the password easier to remember.

  • What is the purpose of a brute force attack?

    The purpose of a brute-force attack is to successfully guess a secret – i.e. encryption key or password.

  • What is the objective of a denial of service (DoS) attack?

    Denial of service aims to overload a service with fraudulent requests so that it cannot handle legitimate requests, thus denying service to legitimate users. A brute-force attack on a login service can result in denial of service, as the service is overloaded with authentication requests from the attacker. In such cases, the system can counteract the attack by, for example, limiting the number of times a password can be tried, introducing time delays between successive attempts, increasing the complexity of the required answer (e.g. by requiring a CAPTCHA answer or a verification code sent to a cell phone), and/or locking accounts out after repeated unsuccessful logon attempts.
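As an added example (not the wiki's own code), here is how the online countermeasures named in the paragraph on online attacks and again in the DoS answer fit together in a login handler: a per-account throttle that doubles the delay after each consecutive failure and locks the account after a threshold, consulted before any password verification so that throttled attempts cost the server nothing. The credential store, the account name "alice", the passphrase, the four wrong guesses and the injectable clock are all constructed for the demonstration; the thresholds (3 failures, 1 s base delay, 60 s lockout) are assumptions chosen so the trace is short, and production values would be larger.

```python
"""Online brute-force countermeasures: per-account attempt limit, growing delay
between attempts and lockout at a threshold. Added example, not the wiki's code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success/lockout
    not_before: float = 0.0    # attempts are refused until the clock reaches this value
    locked_until: float = 0.0  # lockout expiry; 0.0 when not locked


class LoginThrottle:
    """Tracks failures per username (the key is an assumption; per source IP also works)."""

    def __init__(self, max_failures=5, base_delay=1.0, lockout_seconds=900.0,
                 clock=time.monotonic):
        self.max_failures, self.base_delay = max_failures, base_delay
        self.lockout_seconds, self.clock = lockout_seconds, clock
        self.state: dict[str, AccountState] = {}

    def _get(self, user):
        return self.state.setdefault(user, AccountState())

    def status(self, user):
        """'ok', 'locked' or 'delayed' for the next attempt on this account."""
        st, now = self._get(user), self.clock()
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            return "delayed"
        return "ok"

    def record_failure(self, user):
        st, now = self._get(user), self.clock()
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds   # threshold reached: lock out
            st.failures = 0
        else:
            # delay doubles with each consecutive failure: 1 s, 2 s, 4 s, ...
            st.not_before = now + self.base_delay * 2 ** (st.failures - 1)

    def record_success(self, user):
        self.state.pop(user, None)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    """Constructed in-memory store of salted PBKDF2 hashes."""

    def __init__(self):
        self._users = {}
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, hash_password("", dummy_salt))

    def add(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def verify(self, user, password) -> bool:
        salt, digest = self._users.get(user, self._dummy)
        # Hash even for unknown users so the response time does not reveal which names exist.
        return hmac.compare_digest(hash_password(password, salt), digest) and user in self._users


def login(throttle, store, user, password) -> str:
    """Returns 'ok', 'bad-password', 'delayed' or 'locked'. The throttle is checked
    first, so a delayed or locked account is never verified (no work for the attacker)."""
    status = throttle.status(user)
    if status != "ok":
        return status
    if store.verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "bad-password"


class FakeClock:
    """Injectable clock so the trace below is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo() -> list:
    clock, store = FakeClock(), CredentialStore()
    store.add("alice", "correct horse battery staple")   # constructed account
    throttle = LoginThrottle(max_failures=3, base_delay=1.0, lockout_seconds=60, clock=clock)
    results = []
    for guess in ["123456", "password", "qwerty", "letmein"]:  # constructed wrong guesses
        results.append(login(throttle, store, "alice", guess))
        clock.advance(1.5)
    results.append(login(throttle, store, "alice", "correct horse battery staple"))  # locked
    clock.advance(60)
    results.append(login(throttle, store, "alice", "correct horse battery staple"))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

In the trace, the third guess arrives inside the 2 s delay imposed after the second failure and is refused as "delayed" without touching the password hash; the fourth failure reaches the threshold and locks the account, so even the correct passphrase is refused until the lockout expires. Locking out on username alone does create the DoS opportunity the answer above mentions (an attacker can lock a victim out deliberately), which is why real deployments combine the account counter with per-source rate limits and the CAPTCHA or second-factor step rather than relying on lockout alone.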