Brute force attacks are one of the most common and dangerous threats to authentication systems. They aim to guess the correct credentials of a user or a system by trying different combinations of usernames, passwords, or keys. In this article, you will learn about the most common types of brute force attacks on authentication, how they work, and how to prevent them.
1 Dictionary attacks
A dictionary attack is a type of brute force attack that uses a predefined list of words, phrases, or common passwords to try to guess the credentials of a target. The attacker may use a general dictionary or a customized one based on the target's personal or professional information. Dictionary attacks are faster and more efficient than exhaustive brute force attacks, but they rely on the assumption that the target uses weak or predictable passwords.
- Sarfaraz Muneer CISSP, CISM, CEH, CCIE UAE Top Digital Transformation Leader | Vice President Cyber Security | Top Cybersecurity Voice | Cloud Security Expert | Senior Cyber Security Architect | Public Speaker
An average user maintains 10+ online accounts; therefore, if the user isn’t using a password manager, they are likely sharing the same passwords across their multiple accounts. The best way is to use a password manager to generate random passwords across multiple sites and use multi-factor authentication (MFA) wherever possible. MFA is known to protect against 99% of identity compromise attacks.
- Aref Cheikhrouhou EMEA presales Manager in IP Networking and Security solutions cover Europe, Middle East and Africa region
Brute force attacks on authentication involve systematically trying numerous possible combinations of credentials until the correct one is found. The most common types of brute force attacks are:
- Simple brute force attack
- Dictionary attack
- Credential stuffing
- Rainbow table attack
- Hybrid brute force attack
- Reverse brute force attack
- Username enumeration
- Nick Shadeed Cyber Security Specialist and Advisor, Broadcom's Enterprise Security Group at Broadcom
Dictionary attacks, while simple, are fairly effective. They are enhanced, though, by the ability of bad actors to socially engineer their targets to gather data about them. Using password managers and secure passwords is best practice, but also limit what personal information you include online in your social media posts. The more information that one can obtain publicly, the easier it will be to tailor these types of attacks.
- Prabhath Samarasinghe System Administrator @ Sri Lanka Telecom PLC
Common brute force attacks on authentication involve systematically attempting all possible password combinations until the correct one is found. "Simple brute force" exhaustively tries all combinations, while "dictionary attacks" use precompiled lists. "Credential stuffing" leverages stolen credentials across multiple sites. "Hybrid attacks" combine brute force and dictionary methods. Defenses include account lockouts, CAPTCHAs, and multi-factor authentication to thwart repeated login attempts, enhancing overall security. Regularly updating passwords and using strong, unique ones further safeguards against these pervasive threats.
- Anshul Gupta Project Design Authority / Product Line Architect @ Thales | Technical Leadership, Innovative Solutions
We've all heard stories about people using really obvious passwords like "password". Even though websites ask for stronger passwords, many still go for simple English words, like "Monday54321". I've seen this a lot among my friends and family. Dictionary attacks target these kinds of easy-to-guess passwords. To keep yourself safe:
1. Use different passwords for each of your accounts. Don't use the same one everywhere.
2. Try using a good password manager, like Bitwarden or LastPass. They can help generate strong passwords for you.
3. The best way to stay safe is to use something called Multi-Factor Authentication (MFA). It's like having an extra layer of protection (like an OTP or hardware token) along with your password.
2 Credential stuffing
Credential stuffing is a type of brute force attack that exploits data breaches and password reuse. The attacker obtains a large number of compromised usernames and passwords from previous breaches and tries to use them on different websites or services. Credential stuffing is a serious threat because many users tend to use the same or similar passwords across multiple accounts, making them vulnerable to account takeover and identity theft.
Credential stuffing is a cyberattack where automated tools or botnets are employed to insert stolen or purchased login credentials into user accounts, potentially within the same organization or across various platforms. This attack is facilitated by the common practice of users reusing login details for multiple accounts. The ease of executing credential stuffing attacks arises from the abundance of available compromised credentials, obtainable through purchase or found in plaintext on the dark web. This method has a high success rate due to the widespread reuse of login information.
- Katherine B MSc in Cyber Security
A simple way to prevent credential stuffing is not using the same login information across multiple sites. Since the attacker is using already compromised, available login information, reusing across multiple sites exposes you to multiple breaches. By using unique, per-site login information, if your login is compromised to one site, the others will not be vulnerable. It might be more of a hassle to have a multitude of logins, but not as big a hassle as having multiple sites breached from under you.
- Tim Berghoff Gesprochenes | Geschriebenes | Insights zum Thema IT-Sicherheit
Since people are being people, credential stuffing is going to stay with us for the foreseeable future, until such time as passwords become obsolete and other means of authentication are used that do not require people to jump through flaming hoops. People are lazy. Maybe some know deep down and on a rational level that credential reuse might not be the best idea, but comfort and complacency usually get the better of them. The remedy for this is old as dirt and most of us are tired of hearing it. But it is - sadly - still relevant. Remember, networks are still getting pwned left, right and center because of guest/guest or admin/123456.
- Anshul Gupta Project Design Authority / Product Line Architect @ Thales | Technical Leadership, Innovative Solutions
Credential surfing, or credential stuffing, is when hackers use stolen usernames and passwords from one breach to try and gain unauthorized access to other websites or services. They exploit the fact that many people re-use the same words across multiple websites. You can prevent credential surfing using the precautions below.
1. Do not re-use the same password across multiple websites. Use unique passwords.
2. Use a password manager like Bitwarden, LastPass etc. to generate strong and unique passwords.
3. Update your passwords regularly, especially when there is news of a data breach.
4. And last but not least, use 2FA to add an additional security layer using OTP, hardware token etc.
- Maor Idan Product Marketing at Stream Security
Using a shared pattern among different accounts is also a bad practice, as attackers can combine leaked credentials data and dictionary attacks to brute force different permutations of the shared string. It is recommended to generate a strong password randomly.
3 Key cracking
Key cracking is a type of brute force attack that targets cryptographic keys, such as SSH keys, encryption keys, or digital signature keys. The attacker tries to recover the private key that matches a public key, or the key that produced a given ciphertext, by exhaustive search using mathematical algorithms or dedicated hardware. Key cracking can compromise the confidentiality and integrity of encrypted data or communications, as well as the identity and authenticity of the key holder.
- Beatrice Ghorra
Key cracking is a very tedious task as it requires computational power and a lot of time. Some algorithms have already fallen. Current algorithms like AES have not been cracked up to this day. Quantum computing's computational potential might be a challenge to such algorithms in the future.
- Brandy Gordon MS, Ph.D.(c), MCFE, CSO CSO||Certified Digital Forensic Examiner|Doctoral Researcher|Security Analyst📈Founder|Keynote Speaker|DFIR Investigator🧩Malware/Reverse Engineer|CYBΞR✦DΞFΣNSΣ|𝗔𝗱𝗲𝗽𝘁 𝗮𝗻𝗱 #𝟭♨️𝙇𝙚𝙩'𝙨 𝙏𝙖𝙡𝙠 𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮.
Cryptographic keys are important as they are used to encrypt and decrypt your data. Key cracking can be mitigated by using longer key lengths, key rotation, and using the latest cryptographic algorithms. Moreover, within your network, data at rest and data in transit should be encrypted so if an attacker successfully gets into your system, all private data will be unreadable.
- Tim Berghoff Gesprochenes | Geschriebenes | Insights zum Thema IT-Sicherheit
This is maybe for more targeted attacks where time is no factor. It remains a computationally expensive attack and does not scale terribly well. As an attacker, if I was to choose an initial attack method, I would shoot for something easier first. If I wanted to establish a long term presence on a network, I might do this.
- Anshul Gupta Project Design Authority / Product Line Architect @ Thales | Technical Leadership, Innovative Solutions
Key cracking is a type of brute force attack on cryptographic keys, i.e. the attacker tries all possible permutations and combinations of keys to find the correct one.
For example, to crack a DES key, which is of 64 bit length, the attacker will need to try 2^64 (18446744073709552000) different keys. This seems to be a large number, but modern computers have very high computational power, and a computer strong enough can break a DES key in about 23 hours.
To safeguard yourself, use stronger algorithms which support larger key sizes, like AES-256, which supports keys of length 256 bits and gives 2^256 different combinations, which is a very large number that would take millions of years to break using current computing technology.
4 Reverse brute force
A reverse brute force attack is a type of brute force attack that reverses the usual logic. Instead of trying different passwords for a known username, the attacker tries a common or known password for different usernames. This can be effective if the attacker knows that the target uses a popular or default password, such as "123456" or "admin". Reverse brute force attacks can bypass some security measures, such as account lockout or captcha, that are triggered by multiple failed attempts for the same username.
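A defender-side detector for the pattern this section and the credential stuffing section describe, as an added example that is not part of the article: it groups failed logins by source address over a sliding window, so one-password-many-usernames traffic (reverse brute force, password spraying) and many-stolen-pairs traffic (credential stuffing) is flagged even though no single account ever reaches a lockout threshold. The log format, addresses and usernames are constructed for the example.

```python
"""Source-based detection of one-password-many-accounts logins.

Added example, not from the article. Reverse brute force, password spraying
and credential stuffing all spread failures across many usernames, so a
per-account lockout counter stays below its threshold. Grouping failures by
source address over a sliding window catches them anyway. The log format
and the log lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:03 203.0.113.7 carol FAIL
2024-05-01T10:00:04 203.0.113.7 dave FAIL
2024-05-01T10:00:05 203.0.113.7 erin FAIL
2024-05-01T10:00:06 203.0.113.7 frank OK
2024-05-01T10:00:10 198.51.100.4 alice FAIL
2024-05-01T10:00:40 198.51.100.4 alice OK
2024-05-01T10:30:00 203.0.113.7 grace FAIL
"""


def parse_log(log_text):
    """Yield (timestamp, source_ip, username, succeeded) per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"


def per_account_failures(log_text):
    """What a classic lockout counter sees: failed attempts per username."""
    counts = defaultdict(int)
    for _, _, user, ok in parse_log(log_text):
        if not ok:
            counts[user] += 1
    return dict(counts)


def accounts_over_threshold(log_text, threshold=5):
    """Usernames a per-account lockout at `threshold` failures would catch."""
    return sorted(u for u, n in per_account_failures(log_text).items() if n >= threshold)


def spraying_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: peak_distinct_failed_users} for sources that failed
    against at least `min_users` different usernames inside one `window`."""
    by_source = defaultdict(list)
    for ts, ip, user, ok in parse_log(log_text):
        by_source[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            failed_users = {u for _, u, ok in events[start:end + 1] if not ok}
            if len(failed_users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(failed_users))
    return flagged


if __name__ == "__main__":
    print("per-account lockout (>=5) would flag:", accounts_over_threshold(SAMPLE_LOG))
    print("source-based detector flags:", spraying_sources(SAMPLE_LOG))
```

On the constructed log, no account accumulates more than two failures, so a per-account lockout never fires, while the source-based detector flags 203.0.113.7 after five distinct usernames fail within a few seconds. In a real deployment the source key would also be applied per subnet or per ASN, since these attacks are usually distributed across many addresses.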
Reverse brute force can bypass time delays. Depending on how the system is set up, some systems have a delay after failed login attempts to slow down the attack. In a reverse brute force attack, the attacker switches to a different username after each attempt, bypassing the time delays. To thwart it, use multi-factor authentication, remove the root/admin username and instead use only a break-glass local admin named with the admin's initials or name, or use a privileged access management system to check out passwords to the system, which provides authentication, authorization and accounting.
- ASHWANI KUMAR SINGH Lead Consultant at Birlasoft Ltd.
A brute force attack example of this nature would include passwords such as NewYork1993 or Spike1234. Reverse brute force attacks: just as the name implies, a reverse brute force attack reverses the attack strategy by starting with a known password. Then hackers search millions of usernames until they find a match.
- Didem Yasin Cyber Security Analyst | Security+ | Incident Response I EndPoint Security | Phishing Analysis I Splunk | QRadar | Crowdstrike | SentinelOne I ProofPoint | Photographer | Tech Enthusiast
The reverse brute force attack is like a tricky game, guessing common passwords for different usernames. It's a reminder to avoid generic passwords. Its ability to bypass some security measures adds an extra layer of concern, emphasizing the need for strong cybersecurity defenses.
- Rob Hartman Cybersecurity Professional
There are several ways to help safeguard against brute force attacks (multi-factor authentication is great, but there is also):
1. Use of strong password policies.
2. Implementing account lockout policies after a certain number of attempts.
3. Rate limits: restrict the number of login attempts from specific IP addresses.
4. IP whitelisting/blacklisting: keep an updated list of trusted and untrusted IP addresses. Trusted IP addresses get whitelisted, while IP addresses linked to suspicious activity get blacklisted.
5. Keep patches and updates current.
6. Security training: train your security team on best practices, including recognizing and responding to phishing attacks as well as social engineering attempts to get valid login credentials.
- Anshul Gupta Project Design Authority / Product Line Architect @ Thales | Technical Leadership, Innovative Solutions
Reverse brute force is when hackers use a single password to target multiple usernames. The attacker uses common passwords like "password", "Monday54321" etc. They exploit the fact that many users don't have password awareness and tend to use simple common passwords with simple English words. This attack bypasses the account lockout safeguard, as you are trying a single password against each account. Safeguards include using strong unique passwords, using 2FA etc.
5 Hybrid attacks
A hybrid attack is a type of brute force attack that combines different methods or techniques to increase the chances of success. For example, the attacker may use a dictionary attack with some variations, such as adding numbers, symbols, or capitalization to the words. Or, the attacker may use a credential stuffing attack with some modifications, such as changing the domain name or the email provider of the usernames. Hybrid attacks are more sophisticated and adaptable than simple brute force attacks, but they also require more resources and time.
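An added example, not from the article, covering both the dictionary attack section above and hybrid attacks: a password-acceptance check that normalises the mutations a hybrid rule set applies (case changes, appended digits and symbols, leet substitutions) before comparing against a deny-list, so "Monday54321" is rejected as a variant of "monday" rather than accepted because the literal string is not on the list. COMMON_WORDS is a constructed stand-in for a real common-password list; the leet map and the strip rules are assumptions about typical mutation rules, not something the article specifies.

```python
"""Reject dictionary words and their hybrid mutations at password set time.

Added example, not from the article. A dictionary attack tries a wordlist
as-is; a hybrid attack tries each word with appended digits or symbols,
changed capitalisation and leet substitutions ("Monday54321", "P@ssw0rd2023!").
A deny-list check that compares only the literal password misses the
mutated forms, so the candidate is normalised first. COMMON_WORDS is a
constructed stand-in for a real common-password list.
"""
import re

# Constructed stand-in for a breached/common-password list (lower-case).
COMMON_WORDS = {"password", "monday", "welcome", "letmein", "qwerty", "newyork"}

# Undo the character substitutions a typical hybrid rule set applies
# (assumed mapping; extend to match the rule sets you see in the wild).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Digits, symbols and underscores hung on the front or back of a word.
_DECORATION_TAIL = re.compile(r"[\d\W_]+$")
_DECORATION_HEAD = re.compile(r"^[\d\W_]+")


def normalize(password):
    """Lower-case, strip leading/trailing decoration, then undo leet spelling.

    Decoration is stripped before leet reversal so the digits in
    "Monday54321" are dropped as a suffix rather than read as letters."""
    core = password.lower()
    core = _DECORATION_TAIL.sub("", core)
    core = _DECORATION_HEAD.sub("", core)
    return core.translate(LEET_MAP)


def is_weak(password, deny_list=COMMON_WORDS, min_length=12):
    """Return a rejection reason, or None if the password passes."""
    if password.lower() in deny_list:
        return "common password"
    core = normalize(password)
    if core in deny_list:
        return f"hybrid variant of common word '{core}'"
    if not any(c.isalpha() for c in password):
        return "contains no letters"
    if len(password) < min_length:
        return "too short"
    return None


if __name__ == "__main__":
    for candidate in ("password", "Monday54321", "P@ssw0rd2023!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {is_weak(candidate) or 'accepted'}")
```

The ordering inside `is_weak` matters: the deny-list and hybrid checks run before the length check so the user is told why a long-but-predictable password such as "P@ssw0rd2023!" was refused. In production the deny-list would be a breached-password corpus rather than a handful of words, and the same normalisation would be applied to it when it is loaded.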
- Grigorios Malamis MSc in Cybersecurity | eJPTv2 ISC2 CC
Hybrid brute force attacks cleverly mix dictionary and brute force tactics, tweaking common passwords with extra characters for efficiency. These attacks are like picking locks with a master key – they focus on likely combinations rather than trying every possibility. Defending against them needs strong passwords, regular updates, and user education. It's not just about stronger locks, but also about smarter key management.
- Anshul Gupta Project Design Authority / Product Line Architect @ Thales | Technical Leadership, Innovative Solutions
Hybrid attacks, as the name suggests, mix multiple attacks. Attackers can use a pre-defined dictionary but also add some modifications of their own, like adding numbers. Or they can use a list of passwords from a breach with the same logic. To safeguard yourself, use strong passwords, unique passwords, update your passwords regularly, and use 2FA.
6 How to prevent brute force attacks
Brute force attacks can be prevented or mitigated by combining several best practices and security measures:
- Use strong, unique passwords that are not based on personal or public information, and change them regularly.
- Enable multi-factor authentication (MFA), which requires an additional verification step such as a code, a token, or a biometric factor to access an account or a system.
- Limit the number of login attempts, or the time window for attempts, per user or per IP address, and lock out or block suspicious or malicious sources.
- Add a captcha or another challenge that requires human interaction or intelligence to solve, which helps stop automated or bot attacks.
- Encrypt and protect the keys that are used for encryption or authentication.
- Use secure protocols and algorithms that are resistant to brute force attacks.
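Added example code (not the article's) that puts several of these measures into one login handler: salted, iterated password hashing with PBKDF2 (which also defeats the precomputed rainbow tables discussed in the last section), a per-account failure counter with a lockout that doubles on each further failure, a per-source attempt cap that catches one-password-many-accounts traffic, and a constant-time digest comparison. The iteration count, thresholds, addresses and user data are assumptions chosen for the example.

```python
"""Login path with salted hashing, per-account lockout and per-source limits.

Added example, not from the article. Three of the measures above in one
handler: a salted, iterated password hash (a stolen table of hashes cannot
be matched against precomputed tables), a per-account failure counter whose
lockout doubles with every further failure, and a per-source cap on attempts
that also catches one-password-many-accounts attacks that never trip the
per-account counter. State is in-memory and the users are constructed; a
real service persists the counters and adds MFA on top.
"""
import hashlib
import hmac
import os
import time

# Kept low so the example runs quickly; raise for production (OWASP currently
# suggests hundreds of thousands of iterations for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 50_000
_DUMMY_SALT = b"\x00" * 16  # used so unknown usernames still cost one hash


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats rainbow tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self, max_account_failures=5, base_lock_seconds=30,
                 max_source_attempts=20, source_window_seconds=300,
                 clock=time.monotonic):
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> (failure_count, locked_until)
        self.source_hits = {}    # source_ip -> [attempt timestamps]
        self.max_account_failures = max_account_failures
        self.base_lock_seconds = base_lock_seconds
        self.max_source_attempts = max_source_attempts
        self.source_window_seconds = source_window_seconds
        self.clock = clock       # injectable so tests can advance time

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def _source_allowed(self, source_ip):
        """Sliding-window cap on attempts per source, regardless of username."""
        now = self.clock()
        recent = [t for t in self.source_hits.get(source_ip, [])
                  if now - t < self.source_window_seconds]
        recent.append(now)
        self.source_hits[source_ip] = recent
        return len(recent) <= self.max_source_attempts

    def login(self, username, password, source_ip):
        """Return 'ok', 'bad_credentials', 'locked' or 'rate_limited'."""
        if not self._source_allowed(source_ip):
            return "rate_limited"
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"

        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal
        # which usernames exist.
        salt, expected = record if record is not None else (_DUMMY_SALT, b"")
        _, actual = hash_password(password, salt)
        if record is not None and hmac.compare_digest(actual, expected):
            self.failures.pop(username, None)
            return "ok"

        count += 1
        if count >= self.max_account_failures:
            # base lock at the threshold, doubling for every failure after it
            lock = self.base_lock_seconds * 2 ** (count - self.max_account_failures)
            locked_until = now + lock
        self.failures[username] = (count, locked_until)
        return "bad_credentials"

    def lock_remaining(self, username):
        """Seconds until the account unlocks (0 if not locked)."""
        _, locked_until = self.failures.get(username, (0, 0.0))
        return max(0.0, locked_until - self.clock())


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for attempt in range(6):
        print(attempt + 1, svc.login("alice", "wrong-guess", "203.0.113.7"))
    print("locked for", round(svc.lock_remaining("alice")), "s")
```

Two design points worth noting: the source-level cap is checked before the account lock so a locked account still consumes the attacker's per-source budget, and a successful login clears the failure counter, so a legitimate user who mistypes a few times is not penalised later. A persistent store (and a per-subnet key) would replace the in-memory dictionaries in a real deployment.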
- Brandy Gordon MS, Ph.D.(c), MCFE, CSO CSO||Certified Digital Forensic Examiner|Doctoral Researcher|Security Analyst📈Founder|Keynote Speaker|DFIR Investigator🧩Malware/Reverse Engineer|CYBΞR✦DΞFΣNSΣ|𝗔𝗱𝗲𝗽𝘁 𝗮𝗻𝗱 #𝟭♨️𝙇𝙚𝙩'𝙨 𝙏𝙖𝙡𝙠 𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮.
Brute force attacks can be prevented by using strong passphrases, captcha, multifactor authentication (MFA), password salting and lockout policies. Moreover, Firewall and IDS/IPS systems can be configured to block unsuccessful login attempts. Furthermore, network monitoring is important. Also, webserver logs should feed into a log collector or SIEM so it can detect and send out brute force alerts.
- Wade Todd Director of Technology at Myriad Art Group // IT Manager at Ecker Textiles, LLC
Brute force attacks can be prevented with many combinations of methods. However, I want to focus my attention on passwords. You can maximize your password complexity by using numbers, uppercase, lowercase, and symbols in your passwords. An example: a password with 12 characters with only lowercase letters can be cracked by brute force in a few weeks. However, if you use a password with 12 characters with a mixture of lowercase and uppercase letters, it extends to hundreds of years. That is right, it’s not a typo, it changed from weeks to hundreds of years by slightly increasing our password complexity. If we add an extra character to our new password (13 characters total) it increases to an estimated 10,000+ years before it's cracked.
Multi-Factor Authentication does add an extra layer of security - by requiring two or more verification methods. But requiring MFA for every single interaction could be very inconvenient for users.So, after you've authenticated using MFA, the server might store a session cookie that doesn't require MFA for subsequent requests. This is called a session cookie. If an attacker gets this cookie, they might be able to access the service without MFA.
7 Here’s what else to consider
Rainbow table attack is another type of brute forcing. Rainbow tables are precomputed tables storing hash values of passwords along with their corresponding plaintext. Hackers use these tables to quickly determine the password associated with a given hash value. To protect, in addition to using strong and complex passwords (decreasing the chances for a Rainbow table to contain the password) you should use a technique known as salted password hashing. Salting involves adding a random string of characters to each user's password before hashing. By using a different salt for each user, even if two users have the same password, the hashed passwords will be different. This makes it impossible to use existing Rainbow tables efficiently.
Password spraying is a type of brute force attack where an attacker tries a single password on multiple accounts, aiming to avoid account lockouts. This is often exploited when default passwords are in use. To mitigate such attacks, implement brute force prevention for both usernames and passwords, set account lockout policies, enforce password changes for users with default passwords on their first login, and use multi-factor authentication, especially for external services.
- Sarfaraz Muneer CISSP, CISM, CEH, CCIE UAE Top Digital Transformation Leader | Vice President Cyber Security | Top Cybersecurity Voice | Cloud Security Expert | Senior Cyber Security Architect | Public Speaker
Password spray is another form of attack where a threat actor tries to use one leaked password across multiple accounts in an attempt to gain access. It goes without saying that monitoring and detection is a must; however, such attacks can be thwarted by using a strong password or passphrase and MFA on the account.
- Grigorios Malamis MSc in Cybersecurity | eJPTv2 ISC2 CC
AI-powered brute force attacks are a new cybersecurity threat. These attacks go beyond traditional trial-and-error methods. AI algorithms are trained to predict and generate likely password combinations based on patterns, common structures, and even user behavior data. This makes them faster and more efficient than conventional brute force attacks. As AI can learn and adapt, these attacks continuously evolve, posing a significant challenge to standard password defense mechanisms.