What Exactly Is A Brute Force Attack?


In the last post I described how a hacker could use a dictionary attack to try to gain access to a password-protected system or file.

If such an attack should fail, which is usually because the administrator has chosen a more effective password, then there is an alternative available and that is a brute force attack.


A brute force attack is far more labour intensive than a dictionary attack because it involves trying every conceivable combination of letters, numbers and symbols in order to determine what a password is.

There are a few factors which will determine the effectiveness of a brute force attack.

These factors are –

  • The length of the password, longer obviously being harder to break
  • The time available to try each different possibility
  • The number of different values that each character within the password may have
  • Whether there is a security measure in place to block an attacker after x number of failed attempts at getting the password


The best defence against a brute force attempt on your password is, perhaps, to make that password as long as possible.

Additionally, mixing numbers and letters, as well as symbols, will make it far harder to guess the password.

For example, with a PIN number there are only 10 possible inputs (the numbers 0 – 9) for each of the four inputs required.

10 x 10 x 10 x 10 means that there are 10,000 possible combinations for any given PIN number.

However, a six character password, using letters and numbers only, has far more possible answers –

10 numbers plus 26 letters equals 36 different values,

36 x 36 x 36 x 36 x 36 x 36 means 2,176,782,336 different combinations.

Obviously making the password longer than six characters and adding symbols will yield even more than those 2 billion combinations.
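The arithmetic above, combined with the four factors listed earlier, can be turned into a small calculator for comparing password policies. This is an added example, not code from the original post: the guess rate of 1,000 per second and the lockout of 15 minutes after 5 failures are assumed, illustrative values, and "letters" is taken as the 26 lowercase letters to match the post's count.

```python
import string

# Character classes a policy may allow. "lower" stands in for the post's
# 26 case-insensitive letters (assumption of this example).
CLASSES = {
    "digits": string.digits,            # 10 values
    "lower": string.ascii_lowercase,    # 26 values
    "upper": string.ascii_uppercase,    # 26 values
    "symbols": string.punctuation,      # 32 values
}

def keyspace(length, classes):
    """Number of possible passwords of exactly `length` characters."""
    alphabet = set().union(*(CLASSES[c] for c in classes))
    return len(alphabet) ** length

def seconds_to_exhaust(space, guesses_per_second, lockout_after=None, lockout_seconds=0):
    """Worst-case time to try every candidate, with an optional lockout that
    forces a wait of `lockout_seconds` after every `lockout_after` failures."""
    guessing = space / guesses_per_second
    if not lockout_after:
        return guessing
    lockouts = (space - 1) // lockout_after  # no wait follows the final batch
    return guessing + lockouts * lockout_seconds

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    RATE = 1_000  # assumed guesses per second (illustrative, not measured)
    policies = [
        ("4-digit PIN", 4, ["digits"]),
        ("6 chars, letters + digits", 6, ["digits", "lower"]),
        ("12 chars, all classes", 12, ["digits", "lower", "upper", "symbols"]),
    ]
    for name, length, classes in policies:
        space = keyspace(length, classes)
        free = human(seconds_to_exhaust(space, RATE))
        locked = human(seconds_to_exhaust(space, RATE, lockout_after=5, lockout_seconds=900))
        print(f"{name:26} {space:>28,}  no lockout: {free:>24}  lockout: {locked}")
```

Under these assumed values the 4-digit PIN is exhausted in 10 seconds without a lockout and in about 20.8 days with one, which shows how much the fourth factor matters for short secrets.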

Ultimately, however, a sustained brute force attack will always succeed.

If your password is strong then the time for success may be years but remember that computers are becoming quicker and more sophisticated by the day.

Make your password as difficult to guess as possible, in order to avoid dictionary attacks, and make it long and a combination of letters, numbers and symbols. If nothing else, you will have given yourself a level of protection that is more effective than most people have.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.


  1. Nice article, and the point about making the password long is a good one, as is mixing up letters and numbers and throwing a few strange characters into the mix.


  1. […] hands it can and will be used against you. Even if your PC is password protected they can use brute force password crackers to find out your IP. Quite honestly, Windows is crap when it comes to security. Once they have access […]

  2. […] hackers would try a brute force attack on the standard they would have to wait a long time for the attack to […]

  3. […] a dictionary attack proves fruitless the hacker may use less subtle means, such as a brute force attack which I’ll cover in the next […]

  4. […] An attack that is easy for just the average person to pull off is called a brute force attack. […]
