How brute-force attacks work
A brute-force attack is systematic guessing: software submits candidate passwords against a target account or captured password data until a guess succeeds. In its online form, guesses are sent to a live login endpoint such as a web form, VPN gateway, SSH service or remote desktop. In its offline form, the attacker has already stolen hashed passwords and tests candidates against the hashes on their own hardware, where nothing limits the attempt rate.
Pure exhaustive guessing is rare in practice. Attackers order their guesses intelligently, starting with dictionaries of common passwords, leaked real-world passwords and mutations such as appended years and symbol substitutions. Modern hardware evaluates billions of candidates per second against weak hashing schemes, which is why short or predictable passwords fall within minutes while long random ones remain out of reach.
Why it matters
Brute forcing remains a staple of real intrusions because exposed login surfaces are everywhere: internet-facing remote desktop and SSH services are scanned and attacked continuously within minutes of coming online. Ransomware operators in particular have repeatedly gained their first foothold by brute forcing remote access services, then escalating from that single account.
The offline variant raises the stakes of every database breach. Once password hashes leak, the strength of each user’s password and of the hashing algorithm are the only remaining defenses. Weakly hashed or weakly chosen passwords are recovered in bulk and feed directly into credential stuffing against other services, extending the damage far beyond the breached system.
How to defend against brute force
Online brute force is contained by making guessing slow and unprofitable: rate limiting and progressive delays on failed logins, lockout or step-up challenges after repeated failures, and removing high-value services like RDP and SSH from direct internet exposure behind a VPN or access gateway. Multi-factor authentication makes a correct guess insufficient on its own, and passkeys eliminate the guessable secret entirely.
Offline brute force is countered before the breach: hash passwords with modern, deliberately slow algorithms, require length rather than cosmetic complexity, and screen choices against known-breached password lists. For administrative and service accounts, vaulting credentials and rotating them automatically, as Monopam does, ensures the passwords most worth guessing are long, random and short-lived.