A brute force attack is the most basic hacking method there is - and still one of the most common, because it keeps working against weak passwords. There's no exploit and no trickery: just a computer guessing passwords, very fast, until one fits. This guide explains how brute force attacks work, the main types, why they still succeed, and the defenses that actually stop them.
The short definition
A brute force attack tries to guess a password (or key) by systematically attempting huge numbers of combinations until it finds the right one. Attackers automate it, so a program can make thousands or millions of attempts far faster than any human. It doesn't exploit a software flaw - it exploits weak passwords and login systems that let an attacker keep guessing.
How it works
The attacker points software at a login or a stolen file of scrambled (hashed) passwords and lets it churn through candidates. The strength of the target password decides everything: each extra character multiplies the number of possibilities, so guessing time grows explosively with length. A short or common password can fall almost instantly; a long random one can demand more guesses than are realistically achievable.
The main types
"Brute force" is really a family of related techniques:
- Simple brute force - try every possible combination of characters, from shortest upward. Thorough but slow against long passwords.
- Dictionary attack - try a prepared list of likely passwords first (common words, names, leaked passwords, predictable patterns), because most weak passwords come from a small set.
- Credential stuffing - reuse real username-and-password pairs leaked from other breaches, betting that people reuse them. Fast and effective against password reuse.
- Password spraying - try a few very common passwords against many accounts, to slip under lockout limits that trigger on repeated failures for one account.

Why brute force still works
If it's so crude, why does it persist? Because the weak link is rarely the maths - it's human habits and lax systems:
- Short or common passwords fall to a dictionary attack in moments.
- Reused passwords mean one breach hands attackers a working key for your other accounts.
- Login endpoints without rate limiting or lockouts let an attacker guess endlessly.
Brute force doesn't beat strong, unique passwords - it harvests weak and reused ones.
What makes a password brute-force-resistant
Two properties: length and randomness. Together they create high entropy - so many possible combinations that guessing becomes computationally impractical. A long, randomly generated password isn't "impossible" to brute force in theory; it simply takes so astronomically long that no attacker bothers. Predictability is the enemy: a long password built from a quote or a pattern is far weaker than its length suggests.
How to defend yourself
The defenses are straightforward and they stack:
- Use long, unique passwords. The practical way is a password manager that generates and stores a random password for every account - nothing short, guessable or reused. This single habit defeats dictionary attacks and credential stuffing at once.
- Turn on two-factor authentication. Even a correctly guessed password fails without the second factor. Prefer an authenticator app or a passkey over SMS.
- Never reuse passwords. Reuse is what turns one site's breach into a master key for the rest of your accounts.
On the service side, rate limiting, account lockouts and properly hashed-and-salted password storage blunt these attacks further - but as a user, length + uniqueness + 2FA is what makes brute forcing your accounts not worth the attempt.
The verdict
A brute force attack is simple, automated guessing - and it stays effective only because weak and reused passwords keep feeding it. Make each password long, random and unique (a password manager does this for you), add two-factor authentication, and the maths swings firmly in your favour: guessing your password becomes a job no attacker can realistically finish.
★ Audit Cure53 2024 · ✓ Plan gratuit · Cross-platform
Lock down your accounts → NordPassStrong unique passwords · breach scanner · free tier→Frequently asked questions
What is a brute force attack in simple terms?
A brute force attack is an attempt to break into an account by guessing its password through sheer trial and error - automated software tries enormous numbers of possible passwords until one works. There's no clever trick; it relies on speed and volume. It succeeds mainly against weak, short or reused passwords, and against login systems that don't limit how many guesses an attacker can make. Long, unique passwords and two-factor authentication are what make it impractical.
How long does a brute force attack take?
It depends entirely on the password's length and randomness. Each extra character multiplies the number of possible combinations, so a short or common password can fall in seconds, while a long random one can require more guesses than are feasible in any practical timeframe. That's the whole point of length: it doesn't make guessing impossible in theory, it makes it take so long that it's not worth attempting. Reused or leaked passwords skip the math entirely, which is why uniqueness matters too.
What is the difference between brute force and a dictionary attack?
They're variations of the same idea. A pure brute force attack tries every possible combination of characters, starting from the shortest. A dictionary attack is smarter and faster: it tries a prepared list of likely passwords first - common words, names, leaked passwords and predictable patterns - because most weak passwords come from a small, guessable set. Credential stuffing goes further still, reusing real username-password pairs leaked from other breaches.
Does two-factor authentication stop brute force attacks?
Largely, yes - and that's why it's so valuable. Even if an attacker eventually guesses your password, two-factor authentication (2FA) requires a second proof - a code from an app, a security key or a passkey - that the attacker doesn't have. So a correct password alone isn't enough to get in. 2FA doesn't make your password strong, but it means a guessed or leaked password usually fails on its own. Enable it everywhere it's offered, ideally with an authenticator app or a passkey rather than SMS.
How do I protect myself from brute force attacks?
Three things cover most of the risk. Use long, unique passwords - a password manager can generate and store a random one for every account, so nothing is short, guessable or reused. Turn on two-factor authentication so a guessed password isn't enough. And don't reuse passwords across sites, since one leak otherwise opens every account that shares it. Strong length plus uniqueness plus 2FA makes brute forcing your accounts impractical.


