← All terms
Brute-Force Attack

What is a Brute-Force Attack?

A brute-force attack tries password combinations systematically until one works, exploiting weak credentials and unprotected login endpoints.

Last updated: 15 July 2026

How brute-force attacks work

A brute-force attack is systematic guessing: software submits candidate passwords against a target account or captured password data until a guess succeeds. In its online form, guesses are sent to a live login endpoint such as a web form, VPN gateway, SSH service or remote desktop. In its offline form, the attacker has already stolen hashed passwords and tests candidates against the hashes on their own hardware, where nothing limits the attempt rate.

Pure exhaustive guessing is rare in practice. Attackers order their guesses intelligently, starting with dictionaries of common passwords, leaked real-world passwords and mutations such as appended years and symbol substitutions. Modern hardware evaluates billions of candidates per second against weak hashing schemes, which is why short or predictable passwords fall within minutes while long random ones remain out of reach.

Why it matters

Brute forcing remains a staple of real intrusions because exposed login surfaces are everywhere: internet-facing remote desktop and SSH services are scanned and attacked continuously within minutes of coming online. Ransomware operators in particular have repeatedly gained their first foothold by brute forcing remote access services, then escalating from that single account.

The offline variant raises the stakes of every database breach. Once password hashes leak, the strength of each user’s password and of the hashing algorithm are the only remaining defenses. Weakly hashed or weakly chosen passwords are recovered in bulk and feed directly into credential stuffing against other services, extending the damage far beyond the breached system.

How to defend against brute force

Online brute force is contained by making guessing slow and unprofitable: rate limiting and progressive delays on failed logins, lockout or step-up challenges after repeated failures, and removing high-value services like RDP and SSH from direct internet exposure behind a VPN or access gateway. Multi-factor authentication makes a correct guess insufficient on its own, and passkeys eliminate the guessable secret entirely.

Offline brute force is countered before the breach: hash passwords with modern, deliberately slow algorithms, require length rather than cosmetic complexity, and screen choices against known-breached password lists. For administrative and service accounts, vaulting credentials and rotating them automatically, as Monopam does, ensures the passwords most worth guessing are long, random and short-lived.

Frequently asked questions

How long does it take to brute force a password?
It depends almost entirely on length, randomness and how the password is stored. Against fast hashes, an eight-character password can fall in hours or less, while a random passphrase of sixteen or more characters is effectively uncrackable. Online attacks are far slower because the target service limits attempt rates.
Is account lockout enough protection?
On its own, no. Lockout stops naive online guessing against one account but does nothing against password spraying across many accounts or offline cracking of stolen hashes, and aggressive lockout policies can be abused to lock legitimate users out. It works best combined with MFA, rate limiting and breached-password screening.