What is Brute Force Attack?
An attack method that systematically tries every possible combination of characters to guess a password or encryption key.
Brute force is the most straightforward attack against passwords and encryption — try every possibility.
Speed
- A modern GPU can try ~10 billion MD5 hashes per second
- An 8-character lowercase password: cracked in ~5 seconds
- An 8-character mixed-case + numbers + symbols: cracked in ~8 hours
- A 12-character mixed password: cracked in ~200 years
- AES-256 key: heat death of the universe × trillions
Password Defense
- Length matters most: Each additional character multiplies the search space
- Use a passphrase: a passphrase of 4-6 random words is stronger than 8 complex characters
- Key stretching: Argon2 makes each guess take milliseconds instead of nanoseconds
Online vs Offline
- Online: Rate-limited by the server (10 guesses/minute)
- Offline: Attacker has the hash, can try billions per second
- Good key stretching makes offline brute force impractical
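The effect of length and key stretching described under Password Defense and Online vs Offline, as an added example that is not part of the original page: it counts the search space and measures, on the local CPU, how much more one guess costs against a stretched hash than against a single MD5. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for Argon2 (PBKDF2 is not memory-hard); the iteration count, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; tune it to your own latency budget.
PBKDF2_ITERATIONS = 200_000


def search_space(alphabet_size, length):
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time to cover the whole space at a given guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second


def hash_password(password, salt=None):
    """Stretch a password with a per-user random salt (PBKDF2 stand-in for Argon2)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the stretched hash and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def seconds_per_call(fn, rounds):
    """Average wall-clock cost of one call to fn."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def stretching_slowdown():
    """How many times more expensive one guess is with stretching, on this CPU."""
    salt = os.urandom(16)
    fast = seconds_per_call(lambda: hashlib.md5(salt + b"guess").digest(), 20_000)
    slow = seconds_per_call(lambda: hash_password("guess", salt), 3)
    return slow / fast


if __name__ == "__main__":
    salt, stored = hash_password("constructed-sample-passphrase")  # constructed input
    print("verify ok:", verify_password("constructed-sample-passphrase", salt, stored))
    print(f"one stretched guess costs about {stretching_slowdown():,.0f}x one MD5 guess here")
    print("9 vs 8 lowercase chars:", search_space(26, 9) // search_space(26, 8), "x")
```

The measured factor is a single-CPU ratio; absolute guess rates on dedicated cracking hardware differ, but the same multiplier applies to every guess an offline attacker makes.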
Related Terms
Argon2
The winner of the Password Hashing Competition, designed to be resistant to GPU and ASIC-based cracking by requiring large amounts of memory.
Brute Force Attack
A trial-and-error method of cracking passwords or encryption by systematically trying every possible combination until the correct one is found. While simple in concept, brute force becomes impractical against sufficiently long, random secrets.
Key Stretching
A technique that makes a short password harder to crack by passing it through a computationally expensive hashing function many times.