What Is a Brute Force Attack and How to Stop One
June 2026 · 5 min read
A brute force attack is exactly what it sounds like: an attacker uses raw computing power to try every possible password combination until they find the right one. It's the oldest method of password cracking, and it's still effective against weak passwords.
Types of Brute Force Attacks
- Simple brute force: Tries every combination from aaaaaaa to zzzzzzz (all lowercase). Practical only for very short passwords.
- Dictionary attack: Tries words from a pre-built list (common passwords, leaked credential lists, dictionary words). Highly effective, because most passwords are dictionary-adjacent.
- Hybrid attack: Dictionary words with common mutations (capitalize first letter, append numbers, add symbols). Defeats simple password policies.
- Mask attack: Tries combinations based on known patterns (e.g., 8 chars starting with capital, ending with 2 digits). Used when the password policy is known.
- Rainbow table attack: Pre-computed hash chains that reverse hashed passwords. Largely defeated by salting.
How Fast Are Brute Force Attacks?
Using a single RTX 5090 GPU in 2026, Hashcat benchmarks show approximately:
- NTLM hashes: ~100 billion attempts/second
- MD5: ~80 billion attempts/second
- SHA-256: ~25 billion attempts/second
- bcrypt (cost 12): ~100,000 attempts/second
- Argon2id (t=3, m=64MB): ~15,000 attempts/second
A 10-character random password falls in 40 days against MD5. Against bcrypt cost 12, it would take over 100,000 years.
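The arithmetic behind these figures is simple: keyspace size divided by the attempt rate. The following is an added example, not code from the original post, that turns the article's benchmark rates into a small estimator. It sizes the keyspace for a mask pattern (using the hashcat-style `?l ?u ?d ?s ?a` character-class tokens) and for a fully random password, then reports how long a single GPU at each quoted rate would need to exhaust it. The mask `?u?l?l?l?l?l?d?d` is the "8 chars starting with capital, ending with 2 digits" policy from the list above; the 62-character alphabet used for the random case is an assumption.

```python
import math

# Attempt rates quoted in the article (single RTX 5090, Hashcat, 2026).
RATES_PER_SECOND = {
    "NTLM": 100e9,
    "MD5": 80e9,
    "SHA-256": 25e9,
    "bcrypt (cost 12)": 100e3,
    "Argon2id (t=3, m=64MB)": 15e3,
}

# Hashcat-style mask tokens and the size of each character class:
# ?l lowercase, ?u uppercase, ?d digits, ?s printable ASCII symbols, ?a all printable ASCII.
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask attack must try, e.g. '?u?l?l?l?l?l?d?d'."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x tokens")
    size = 1
    for i in range(1, len(mask), 2):
        size *= MASK_CLASSES[mask[i]]
    return size


def random_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Candidates for a uniformly random password of the given length and alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try the whole keyspace at the given attempts/second."""
    return keyspace / rate


def years_to_exhaust(keyspace: int, rate: float) -> float:
    return seconds_to_exhaust(keyspace, rate) / (365.25 * 86400)


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(label: str, keyspace: int) -> None:
    print(f"{label}: {keyspace:.3g} candidates ({math.log2(keyspace):.1f} bits)")
    for algo, rate in RATES_PER_SECOND.items():
        print(f"  {algo:<24} {human_duration(seconds_to_exhaust(keyspace, rate))}")


if __name__ == "__main__":
    # Policy-shaped password: capital, five lowercase, two digits.
    report("Mask ?u?l?l?l?l?l?d?d", mask_keyspace("?u?l?l?l?l?l?d?d"))
    # Random 10-character alphanumeric password (62-symbol alphabet assumed).
    report("Random 10 chars, 62-symbol alphabet", random_keyspace(10, 62))
    # Random 16-character password over all printable ASCII.
    report("Random 16 chars, 95-symbol alphabet", random_keyspace(16, 95))
```

Running it shows the two points the section makes: a policy-shaped 8-character password is a mask of about 3 x 10^10 candidates, which falls in under a second against MD5 and in a few days against bcrypt, while a 16-character random password is out of reach on every algorithm listed.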
How to Defend Against Brute Force Attacks
- Use long, random passwords: 16+ characters of random characters push the search space beyond practical reach.
- Use a password manager: You won't remember a 16-character random password, but your password manager will.
- Enable rate limiting: Services should lock accounts after 5-10 failed attempts. This effectively stops online brute force against the login endpoint; it does nothing for hashes that have already been stolen, which is what slow hashing addresses.
- Use slow hashing algorithms: Services should use bcrypt, Argon2id, or scrypt, not MD5, SHA-1, or raw NTLM.
- Enable MFA: Even if your password is cracked, the attacker still needs your second factor.
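Two of the service-side defenses above, salted slow hashing and lockout after repeated failures, fit in a few dozen lines. The following is an added example, not code from the original post: it stores passwords with scrypt from Python's standard library (one of the three slow algorithms the list names), each with a fresh random salt so rainbow tables are useless, compares digests in constant time, and locks an account for 15 minutes after five failed attempts. The parameter choices (`n=2**14, r=8, p=1`, five attempts, 15-minute lockout) and the `LoginGuard` class are assumptions for illustration, not a real project's API; the injectable clock exists so the lockout window can be tested without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# scrypt cost parameters (assumed for this example): ~16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5            # "lock accounts after 5-10 failed attempts"
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def hash_password(password: str) -> str:
    """Salted scrypt hash, self-describing so parameters can be raised later."""
    salt = os.urandom(16)  # fresh per password: defeats rainbow tables
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash of a random throwaway value, used to spend the same time on unknown
# usernames so response timing does not reveal which accounts exist.
DUMMY_HASH = hash_password(os.urandom(16).hex())


@dataclass
class LoginGuard:
    users: Dict[str, str]                      # username -> stored hash
    clock: Callable[[], float] = time.monotonic
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"  # no hash computed, no failure counted
        stored: Optional[str] = self.users.get(username)
        if stored is None:
            verify_password(password, DUMMY_HASH)  # burn equal time; ignore result
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        # Keep only failures inside the window, then add this one.
        recent = [t for t in self.failures.get(username, [])
                  if now - t < LOCKOUT_SECONDS] + [now]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(users={"alice": hash_password("correct horse battery staple")})
    for pw in ["wrong"] * 5 + ["correct horse battery staple"]:
        print(pw, "->", guard.attempt("alice", pw))
```

The stored string carries its own parameters, so cost can be raised for new passwords without invalidating old ones, and a lockout response is returned before any hash is computed, so a flood of guesses against a locked account costs the server nothing.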