Brute Force Attack
A brute force attack is like trying every key on a massive keyring until one opens the lock. The attacker does not need to be clever; they just need to be persistent. They use automated tools to rapidly try thousands or millions of password combinations against a login page, SSH server, or encrypted file until they find the right one.
A brute force attack is a trial-and-error method of guessing credentials, encryption keys, or other secret values by systematically attempting all possible combinations. Modern tools can test billions of password hashes per second using GPU acceleration.
Variants:
- Simple brute force: tries every possible combination (aaa, aab, aac…). Guaranteed to succeed eventually but exponentially slow as length/complexity increases.
- Dictionary attack: tries words from a wordlist (common passwords, leaked credential databases). RockYou, SecLists, and breach compilations contain billions of known passwords.
- Credential stuffing: uses username/password pairs from one breach to attack other services, exploiting password reuse. High success rate (0.1-2% typical).
- Reverse brute force: tries one common password against many usernames (password spraying). Evades per-account lockout policies.
- Hybrid: combines dictionary words with common modifications (Password1!, P@ssw0rd, Summer2026!).
Time to crack (8-character password, GPU-accelerated bcrypt):
| Complexity | Example | Time |
|---|---|---|
| Lowercase only | abcdefgh | ~2 hours |
| Mixed case | AbCdEfGh | ~6 days |
| Mixed + numbers | AbCd1234 | ~1 year |
| Mixed + numbers + symbols | A1b@c#D! | ~7 years |
Defense:
- Rate limiting and progressive delays
- Account lockout after N failed attempts
- CAPTCHA after failed attempts
- Multi-factor authentication (MFA)
- Strong hashing algorithms (bcrypt, Argon2, scrypt) with high cost factors
- Monitoring for credential stuffing patterns
- fail2ban or similar IP-blocking tools
Brute force defense with fail2ban

```ini
# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
```

With these settings, a source IP that produces 3 failed SSH logins within 600 seconds (findtime) is banned for 3600 seconds (bantime).

```shell
# Check fail2ban status
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  `- Total failed:     847
`- Actions
   |- Currently banned: 14
   `- Total banned:     312

# View banned IPs
$ sudo fail2ban-client status sshd | grep "Banned IP"
```

Brute force attacks are constant background noise on the internet. Any server with an open SSH port receives hundreds of login attempts per hour from automated scanners. Credential stuffing is the more dangerous modern variant: when a major service is breached, the stolen credentials are tested against banking, email, and social media platforms within hours. The 2024 Snowflake breaches (affecting Ticketmaster and AT&T) were primarily credential stuffing attacks using stolen passwords against accounts without MFA. Defense starts with MFA (which makes brute force nearly irrelevant), strong and unique passwords (password manager), and rate limiting. For SSH specifically, key-based authentication with passwords disabled eliminates the brute force vector entirely.
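To make the jail settings concrete, here is an added Python example (not fail2ban's code and not part of the original page) that replays the maxretry/findtime logic over constructed auth.log lines and also flags the password-spraying variant, where one source cycles through many usernames. The log lines, the year 2026 assumed for the year-less syslog timestamps, and the three-username spraying threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd failure lines that fail2ban's sshd filter keys on
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample auth.log lines (not a real capture): one source cycling
# through usernames quickly, one legitimate user failing occasionally
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4111 ssh2
Mar  3 10:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 4112 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.5 port 4113 ssh2
Mar  3 10:00:12 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar  3 10:05:30 host sshd[1005]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Mar  3 10:31:00 host sshd[1006]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Mar  3 10:32:00 host sshd[1007]: Failed password for bob from 198.51.100.9 port 6002 ssh2
"""

def analyse(log, maxretry=3, findtime=600, year=2026):
    """Replay the jail logic: an IP is banned once it accumulates `maxretry`
    failures inside any `findtime`-second window (the sshd jail above).
    Also flag password spraying: one IP trying several distinct usernames.
    Syslog timestamps carry no year, so `year` is an assumed value."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)       # ip -> distinct usernames attempted
    banned, sprayers = [], set()
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue               # successful login or unrelated line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m["ip"]
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures older than findtime
            q.popleft()
        users[ip].add(m["user"])
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
        if len(users[ip]) >= 3:        # assumed spraying threshold
            sprayers.add(ip)
    return banned, sprayers

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Note that bob's three failures never trigger a ban because the first falls outside the 600-second window of the other two, which is exactly the gap a slow, patient attacker exploits; the spraying check catches the fast multi-user source regardless.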