
Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


Brute Force Attack

An attack method that systematically tries large numbers of passwords or cryptographic keys until the correct value is found, including variants like password spraying and credential stuffing.

Definition

A brute force attack is an automated method of defeating authentication or encryption by exhaustively testing possible values. In the context of authentication, this means trying passwords or PINs until access is granted. Three main variants exist: classic brute force (trying all combinations for a single account), password spraying (trying a small set of common passwords across many accounts to avoid lockout thresholds), and credential stuffing (replaying username/password pairs leaked from prior breaches against new targets). All three are facilitated by automation and are commonly observed in attacks against cloud identity providers, VPNs, and web applications.

Why It Matters

Brute force techniques remain highly effective because password hygiene across organizations is inconsistent and credential databases from prior breaches are widely available. Password spraying in particular is difficult to detect with per-account lockout policies because it deliberately stays below the failed-attempt threshold. Credential stuffing exploits password reuse — a pervasive problem — to achieve account takeover at scale without needing to crack anything. Compromised accounts obtained this way are used for Business Email Compromise (BEC), ransomware deployment, data exfiltration, and as pivot points for lateral movement.

How It Works

Classic brute force uses wordlists or character-space enumeration against a login endpoint. Password spraying distributes attempts across many accounts with a single password (e.g., 'Spring2024!') timed to avoid triggering lockouts — often one attempt per account per hour. Credential stuffing uses breach databases (e.g., from HaveIBeenPwned-indexed leaks) loaded into tools like Sentry MBA or SNIPR, which automate login attempts at scale against a target service. Detection relies on analyzing authentication logs for anomalous patterns: geographically dispersed login attempts, high volumes of failed authentications across many accounts, or successful logins from unfamiliar IP ranges following failed attempts.
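The log analysis described above can be sketched as follows. This is an added example, not DFIR Lab's code or part of the original page; the event tuple layout, the two thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5    # assumed per-account lockout policy
SPRAY_MIN_ACCOUNTS = 4   # assumed: distinct accounts failed from one source

def _ev(hhmm, ip, user, ok):
    return (f"2024-03-01T{hhmm}:00", ip, user, ok)

USERS = ["alice", "bob", "carol", "dave"]
# Constructed sample sign-in events: (timestamp, source IP, account, success)
EVENTS = (
    # Source A: one failure per account, repeated an hour later (spray timing)
    [_ev(f"01:0{i}", "203.0.113.10", u, False) for i, u in enumerate(USERS)]
    + [_ev(f"02:0{i}", "203.0.113.10", u, u == "carol") for i, u in enumerate(USERS)]
    # Source B: repeated failures against a single account
    + [_ev(f"03:1{i}", "198.51.100.7", "admin", False) for i in range(6)]
    # Source C: an ordinary user mistyping once, then signing in
    + [_ev("09:00", "192.0.2.44", "frank", False),
       _ev("09:01", "192.0.2.44", "frank", True)]
)

def analyze(events, window=timedelta(hours=24)):
    """Label each source IP and list accounts it logged into after failing."""
    parsed = sorted((datetime.fromisoformat(ts), ip, user, ok)
                    for ts, ip, user, ok in events)
    if not parsed:
        return {}
    cutoff = parsed[-1][0] - window             # sprays are slow: use a long window
    fails = defaultdict(lambda: defaultdict(int))   # ip -> account -> failures
    hits = defaultdict(set)                     # ip -> success after failure
    for ts, ip, user, ok in parsed:
        if ts < cutoff:
            continue
        if not ok:
            fails[ip][user] += 1
        elif fails.get(ip, {}).get(user):
            hits[ip].add(user)
    findings = {}
    for ip, per_account in fails.items():
        if max(per_account.values()) >= LOCKOUT_THRESHOLD:
            pattern = "brute_force"             # many failures on one account
        elif len(per_account) >= SPRAY_MIN_ACCOUNTS:
            pattern = "password_spray"          # wide, each account under lockout
        else:
            continue                            # isolated failures: not flagged
        findings[ip] = {"pattern": pattern, "compromised": sorted(hits[ip])}
    return findings
```

Because sign-in logs do not record the attempted password, credential stuffing from a single source produces the same wide, shallow failure pattern and would receive the spray label here.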

DFIR Platform

BEC Investigation

The DFIR Lab BEC Investigation API's sign-in audit module detects brute force and password spray patterns by ingesting and analyzing Microsoft 365 sign-in logs for anomalous authentication activity — including distributed failed attempts, impossible travel, and spray-consistent timing patterns. See the [Sign-In Audit documentation](https://platform.dfir-lab.ch/docs/bec/signin-audit).


Related Concepts

Credential Harvesting, Business Email Compromise (BEC), Incident Response
