Hard2bit

Brute force attack

What is a brute force attack

A brute force attack attempts to access an account or service by repeatedly testing credential combinations until a valid one is found. It is a simple but effective attack: the attacker automates login attempts against an exposed service (RDP, SSH, VPN, web portal) to compromise weak credentials. Its effectiveness depends on the complexity of the target passwords and on the absence of defensive controls such as multi-factor authentication, rate limiting, and detection of abnormal login attempts.

Why it matters

Brute force attacks are a frequent cause of breaches, especially against exposed remote services (open RDP, VPN without MFA, weak administrative portals). Credentials compromised via brute force provide the initial access used for lateral movement, privilege escalation, and establishing persistence. Regulations such as ISO 27001, NIS2, and DORA require strong password policies, mandatory MFA, and detection of abnormal login attempt patterns. A CISO must inventory exposed services, enforce MFA on all remote access, and monitor SIEM logs for abnormal login attempt patterns.

Key points

Effectiveness depends on password complexity: 8-character alphanumeric passwords can be cracked in minutes; 12+ characters with symbols require months.

Defensive controls are critical: MFA eliminates the risk (the credential alone is insufficient); rate limiting slows attempts; lockout after N failed attempts; CAPTCHA on web portals.

Detection requires monitoring: the SIEM must alert on multiple failed attempts from the same IP, brute force patterns against multiple users, or unusual login patterns.

Attack variants: dictionary attacks (common passwords) are more effective than random guessing; credential stuffing reuses credentials compromised in other breaches; password spraying tests a few common passwords against many users.

Example: Brute force attack against exposed RDP

A company exposes the RDP port (3389) to the internet for remote work without a VPN. An attacker launches a brute force attack using a common password list against the administrator account. Without rate limiting or MFA, it attempts 1,000 combinations per minute for two hours and discovers the weak password 'Admin@2023'. Once in, the attacker creates a dormant account, installs malware, and moves to internal servers. Discovery: a security analyst reviews the RDP logs and sees 1M failed attempts from the same external IP in two hours. Solution implemented: close direct RDP exposure, require a VPN with mandatory MFA, rate-limit login attempts, and configure an automatic SIEM alert for >10 failed attempts per IP in 10 minutes.

Common mistakes

  • Assuming simple passwords are sufficient because 'only employees access' the service; if it is reachable from the internet, automated attackers probe it constantly.
  • Not implementing MFA in the belief that only advanced attackers would target the service; brute force is automated and indiscriminate, and MFA is a mandatory defense.
  • Ignoring failed login logs; correlating them in the SIEM by origin IP and pattern is the simplest way to detect an active attack.


Frequently asked questions

How long does a brute force attack take to crack a password?

It depends on complexity: 6-character alphanumeric takes minutes; 8 characters with symbols takes hours; 12+ characters takes weeks or years. But common password dictionaries are much faster: '123456', 'admin', 'Password1' are tested first. Tools like Hashcat accelerate cracking if the password hash is available.

What is the difference between dictionary and pure brute force?

Pure brute force tests all combinations (exponential, very slow). A dictionary attack tests known passwords and common variations (e.g., appending 2024, swapping a letter for a number). A hybrid attack combines both: it takes common words and adds numbers/symbols. In practice, dictionary attacks are far more effective.

How do I detect a brute force attack in my SIEM?

Correlate logs: >10 failed attempts from the same IP in 10 minutes, attempts against multiple users from the same IP, sequential attempts without delay, and a successful login after a burst of failures. Alerts should fire automatically; investigate and block the origin IP at the firewall.
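The correlation rules above, implemented as a small detector over constructed authentication events. This is an added example, not code from the original page or from any SIEM product; the event layout (timestamp, source IP, target user, outcome) and the distinct-user threshold of 5 for the spray rule are assumptions, while the 10-minute window and the >10-failure threshold come from the FAQ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, target user, outcome).
# The field layout is assumed for illustration, not a real product's log format.
_t0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    # 12 failures in six minutes against the administrator account, then a success
    [(_t0 + timedelta(seconds=30 * i), "203.0.113.7", "administrator", "fail") for i in range(12)]
    + [(_t0 + timedelta(minutes=6), "203.0.113.7", "administrator", "success")]
    # one ordinary typo from a legitimate user, then a normal login
    + [(_t0 + timedelta(minutes=1), "198.51.100.5", "jdoe", "fail"),
       (_t0 + timedelta(minutes=2), "198.51.100.5", "jdoe", "success")]
    # a slow spray: one failure per minute against five different users
    + [(_t0 + timedelta(minutes=i + 1), "192.0.2.9", f"user{i}", "fail") for i in range(5)]
)

WINDOW = timedelta(minutes=10)   # correlation window from the FAQ
FAIL_THRESHOLD = 10              # ">10 failed attempts" from the FAQ
USER_THRESHOLD = 5               # assumed: distinct users hit from one IP


def failures_in_window(fails, end_idx):
    """Count failures at or before fails[end_idx] that fall inside WINDOW."""
    end_ts = fails[end_idx][0]
    return sum(1 for ts, *_ in fails[: end_idx + 1] if end_ts - ts <= WINDOW)


def detect(events):
    """Return alerts as (rule, ip) tuples for the three FAQ patterns."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "fail"]
        # Rule 1: more than FAIL_THRESHOLD failures inside a sliding WINDOW
        if any(failures_in_window(fails, i) > FAIL_THRESHOLD for i in range(len(fails))):
            alerts.append(("burst_failures", ip))
        # Rule 2: failures spread over many distinct users (password spray)
        if len({e[2] for e in fails}) >= USER_THRESHOLD:
            alerts.append(("multi_user", ip))
        # Rule 3: a success preceded by a burst of failures (likely a guessed password)
        for ts, _, _, outcome in evs:
            if outcome == "success" and len([f for f in fails if f[0] <= ts and ts - f[0] <= WINDOW]) > FAIL_THRESHOLD:
                alerts.append(("success_after_burst", ip))
                break
    return alerts


if __name__ == "__main__":
    for rule, ip in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} from {ip}")
```

The single failed login from 198.51.100.5 produces no alert, while the administrator burst triggers both the failure-count rule and the success-after-burst rule, which is the one worth escalating first.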