
Brute Force Attack

A Brute Force Attack is an attempt to gain access by trying many password or credential combinations in rapid succession. Attackers use automated tools to test credentials until they find one that works, relying on weak passwords or misconfigured rate limiting.

# WHAT TEAMS RUN INTO

  • Rate limiting has limits. If an application needs to serve millions of requests, aggressive rate limiting on failed authentication attempts becomes a denial-of-service vector — attackers lock out legitimate users.

  • Distributed brute force is hard to detect. If attacks come from thousands of different IP addresses, traditional rate limiting per IP fails. Each IP looks like a single user with a few failed attempts.

  • Password policies can be reverse-engineered. If an application enforces password policies (12 characters, 1 number, 1 capital, etc.), attackers can use those rules to generate more likely password combinations, making brute force faster.
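The distributed case from the second bullet, as an added example that is not from the original page: a per-IP failure counter sees nothing, while counting failures per target account across distinct sources flags the attack. The log tuples, thresholds and function names are constructed for illustration, and per-account aggregation is one assumed approach, not something this page prescribes.

```python
from collections import defaultdict

WINDOW = 300            # seconds; assumed detection window
PER_IP_LIMIT = 5        # assumed per-IP failed-login threshold
PER_ACCOUNT_LIMIT = 20  # assumed per-account failed-login threshold
MIN_SOURCES = 10        # assumed distinct-IP count that marks a burst as distributed

def build_sample_events():
    """Constructed data: (epoch_seconds, source_ip, account, success)."""
    # 40 failures against one account, each from a different documentation-range address
    events = [(1000 + i * 5, f"203.0.113.{i + 1}", "alice", False) for i in range(40)]
    # A legitimate user mistyping twice, then logging in
    events += [(1010, "198.51.100.7", "bob", False),
               (1020, "198.51.100.7", "bob", False),
               (1030, "198.51.100.7", "bob", True)]
    return events

def _max_in_window(items, window):
    """Return the largest run of (timestamp, value) items that fits in one window."""
    items = sorted(items)
    best, start = [], 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = items[start:end + 1]
    return best

def flag_by_ip(events, limit=PER_IP_LIMIT, window=WINDOW):
    """Classic per-IP counter: sources exceeding `limit` failures in a window."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            by_ip[ip].append((ts, account))
    return {ip for ip, f in by_ip.items() if len(_max_in_window(f, window)) > limit}

def flag_by_account(events, limit=PER_ACCOUNT_LIMIT, min_sources=MIN_SOURCES, window=WINDOW):
    """Per-account counter: targets with many failures spread over many sources."""
    by_acct = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            by_acct[account].append((ts, ip))
    flagged = {}
    for account, f in by_acct.items():
        burst = _max_in_window(f, window)
        sources = {ip for _, ip in burst}
        if len(burst) > limit and len(sources) >= min_sources:
            flagged[account] = len(sources)  # account -> distinct source count
    return flagged
```

The per-account result is best treated as a signal for alerting or a second-factor challenge rather than an automatic lockout, since the first bullet notes that lockouts can be turned against legitimate users.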

# WHY IT MATTERS

Brute force is the oldest attack in the book, and it still works because passwords are weak. Passwords can be guessed, and given enough attempts and time, most passwords will be broken. MFA stops brute force from working — the attacker needs the password AND the second factor. Organizations without MFA are betting that attackers won't bother brute forcing, a bet that rarely holds up.
