The Guide to Brute Force Attacks and Top Protection Methods

Experts have witnessed over 50 billion brute force attacks take place over the summer alone. That leaves three-quarters of the year for threat actors to increase that number! Fortunately, understanding how this attack works will help you defend yourself from it. So, what’s a brute force attack (and how can you protect yourself from it)?

A brute force attack is a way that threat actors have to crack a password. Cybercriminals will use software that combines different characters, words, and sentences to guess a target’s passcode. Following password creation best practices greatly reduces the risk of this attack.

Are you using short passwords? Or do you happen to have strong passwords that you reuse? This kind of behavior makes you the ideal target for a brute force attack, so it’s time to take a second look at your login credentials – and how to protect them.

What’s a Brute Force Attack?

A brute force attack has a cybercriminal try to crack login credentials (usernames or passwords, or both) using a combination of methods, including wordlists, math methods, and a handful of other resources.

Simply put, this type of attack is a way hackers have to crack passwords one character or word at a time. Threat actors will usually do recon work before attempting a brute force attack.

During the recon phase, they’ll look at their target’s social media profiles to find information that could help them perform a brute force attack.

Most (if not all) hackers rely on software to do this type of attack. Computers can run hundreds of combinations in seconds, making it a more efficient way to crack a password.

Types of Brute Force Attack

  • Simple. A simple brute force attack is a rudimentary way of cracking a password. A threat actor will use software to try to crack a password one character at a time or use common combinations such as “password1234” to try to succeed.
  • Dictionary. A dictionary brute force attack relies on wordlists. Threat actors will use simple words or a combination of them to try to crack a password. More often than not, these words come from a social engineering effort: they’ll figure out someone’s address, family members, pets, and other information to create that wordlist.
  • Reverse. A reverse brute force attack consists of hackers having the right password but no username. In other words, they’ll try to brute force a username instead of a password. This often happens when threat actors have access to leaked passwords and want to try their luck or have free time and want to use commonly used passwords with random usernames.
  • Hybrid. A hybrid brute force attack combines two of the previously mentioned attacks. So, for example, a threat actor may want to do a reverse attack and complement it with a dictionary attack. Or use their computers to perform a simple and a dictionary attack at the same time.

3 Things Businesses Can Do To Stop Brute Force Attacks

1. Educate Employees

Training your employees is a must – even if they never have to defend themselves from a brute force attack! Threat actors can attack your company, network, and system from many angles, and employees are often the weak link cybercriminals love to compromise.

One of the first things employees learn is how to create strong passwords. Doing so will greatly reduce the chance of a successful brute force attack. Of course, that’s far from the only thing they have to do – but that alone greatly improves cybersecurity!

The IT department should also receive training and be on top of things: monitoring activity is a big part of that.

2. Monitor Activity

Monitoring activity is the best thing you can do to detect malicious activity. Threat actors perfect their attacks to limit exposure. So, for example, instead of doing a simple brute force attack, they’ll try a dictionary brute force attack.

Doing so makes it less likely to get caught – but you can still sniff that attack if you constantly monitor traffic. You’ll notice someone trying to access an account one too many times in a row.

At that point, you have to figure out whether to allow that to happen or take action. Throttling traffic is the best way to move forward in this scenario.

3. Throttle Traffic

Monitoring activity comes first, but that’s far from the last thing you have to do. You should raise an alarm whenever you notice someone using one too many attempts to access an account. Better yet, you could create software to do so automatically.

In other words, you have to prevent threat actors from continuing their brute force attack to stop it. A three login attempt limit should be enough to prevent a great number of cybercriminals from compromising your customers’ accounts.

You should enforce a 10-minute cooldown for anyone inputting the wrong login credentials too many times in a row – and make that cooldown period longer as attempts increase. You should consider locking down the account past a certain point.

9 Brute Force Attack Protection Methods

1. Use Strong Passwords

A weak password is something like “12345,” “qwerty,” and “password.” Coincidentally, these three examples always manage to find themselves on the top of the most common passwords.

That list could also be called the top worst passwords possible. You want to protect your login credentials with the exact opposite: a strong password.

A strong password needs to be long (at least 10 characters long), include special characters (such as numbers, exclamation points, and commas), and include no references to yourself (e.g., date of birth, address, and similar).

2. Choose Passphrases Over Passwords

What’s the best way to create a long, strong password? Choose a passphrase instead! It’s tough to think of a word that’s more than 10 characters long and has everything else necessary to achieve your security goals.

Use a phrase instead! So, don’t make up a long, nonsensical word such as “lo3ab!ro” #4.-“as your password. Sure, it’s somewhat strong – but impossible to remember! Go with something like “The23rdwascloudy!Ihopeitdoesntrain” or similar.

The longer the password is, the less chance a hacker has to brute force it (because it requires more computational power to do so). That’s why a passphrase is always a better idea.

3. Never Reuse Your Passwords

We already explained what’s the perfect password. It’ll help you deal with brute force attacks as well as other attempts (such as social engineering). However, you can quickly ruin your cybersecurity efforts with one swift blow.

How can you turn the perfect password into a liability? By reusing your passcode! Hackers will attempt a credential stuffing attack if they crack your password. We’ll talk more about that below.

You can take your login credentials as a passcode combination. So, you may reuse passwords (though we don’t recommend doing it) as long as you use them for different usernames and emails.

Using the same email and password combination all the time is a terrible idea.

4. Avoid Posting Too Much Information Online

Most people love uploading pictures and videos to social media and sharing those things with those they love. Unfortunately, it’s a great way to get hacked.

How could uploading a harmless video give your password up? Threat actors use social engineering to get to you. Cybercriminals can figure out small details of your life that’ll help them run a brute force attack.

Remember, hackers will perform dictionary attacks using keywords to crack your password. If they find out you love Italy, they’ll start there. If they find out your dog’s name, they’ll try that next.

5. Lock Down Your Account if Necessary

Certain websites give you the option to lock down an account if someone else tries to access it. Most banks will do so automatically if someone writes down the wrong login credentials three times in a row.

You should enable that option whenever possible. A brute force attack consists in doing multiple guesses in a row – so you have to stop that as soon as it starts. Otherwise, it’s a matter of time until a hacker cracks your password.

In other words, contact customer support if you get an email about someone trying to access your account.

Did you receive an email informing you of someone trying to brute force your account? Visit their website and contact them from there. Never do so from the email you just got – because it may be a phishing attempt!

6. Delete Old Accounts

Experts recommend deleting old accounts to prevent data breaches, but doing so can help you in many other ways. For example, you can prevent credential stuffing from happening.

Threat actors will use your login credentials everywhere they can. If they can log into your Instagram account, they’ll try other social media websites as well as emails and other places. That type of attack is what we know as credential stuffing, a more complicated brute force attack.

The fewer open accounts you have, the less of a chance of suffering a credential stuffing attack you have.

7. Use a Password Manager

What’s the best way to use complex passphrases and never reuse them? Have software ready to store your passwords, so you’ll always have them at hand!

A password manager will store every password you use. The one thing you don’t have to do is forget the password that protects your password manager, though.

There are other ways to store your passcodes – but they are not as secure: writing them down on a piece of paper, taking a screenshot with your phone, and so on. They’re all rather vulnerable ways of doing it.

8. Enable Multi-factor Authentication

A brute force attack is far from effective if you enable multi-factor authentication. MFA allows you to lose your password and still remain in control – as long as you have access to the email or phone you use for this security measure.

You’ll receive an email or SMS whenever you log in to an account when you use MFA. That email or message will have a randomly generated code or link that’ll grant you access to your account. Without it, there’s not much you can do.

In other words, if hackers brute force your login credentials, they won’t access your account unless they have your email or phone (if you enable MFA).

9. Don’t Let Your Guard Down

It’s easy to fall prey to a brute force attack, so you always have to be on your toes to prevent that from happening. Following all steps on this list will put you ahead of the race, though that doesn’t mean you should forget about your cybersecurity after doing that.

What does that mean? Pay attention to your social media (and the things you upload or post), remember not to reuse passwords, and think twice about opening a new account that asks too much about you (to reduce the risk of suffering a data breach).

A successful brute force attack is not the end of the world. You can fix things before it’s too late.

What To Do After a Successful Brute Force Attack?

You must freeze your account and change your password as soon as a hacker cracks your login credentials. Hopefully, you enabled MFA before it happened, greatly reducing the risk of this attempt.

Losing your password is not the end of the world, but you have to act quickly. First, change your password, and while you’re at it, contact customer support (over the phone if possible) to alert them of what’s going on.

If you ever reused a cracked password, it’s time to change it everywhere you’ve used it (and start following cybersecurity best practices while you’re at it). Prevention is the best defense against cyberattacks.


A brute force attack employs computational power to crack your password. The best way to defend yourself from an attempt is to use strong passphrases, never reuse passwords, and enable multi-factor authentication. Website owners should monitor their traffic to spot these attacks and throttle traffic whenever they happen.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.