Term: brute force attack

A brute force attack is, in essence, an attempt to compromise encryption (or an online account) simply by trying every possible password.

In the case of an online account, attacks typically target a specific account. That account may be one known to exist, perhaps by virtue of something as simple as an email address having been made public. It may also simply be an account that is likely to exist, such as one using a common first name at a major email provider.

Regardless, a brute force attack is by nature very slow, but also very persistent.

In practice, most brute force attacks against online accounts prioritize common passwords first. This gives them a surprisingly high success rate, even when log-in attempts are rate-limited.

Offline brute force attacks against encrypted data – including password databases – typically have no such time restriction. In this case, the complexity of the encryption algorithm, and the length of the passwords being used, determine how successful the attack will be and how quickly it may succeed.

Brute force attack (Wikipedia)

(Image caption) The Electronic Frontier Foundation's US$250,000 DES cracking machine contained over 1,800 custom chips and could brute-force a DES key in a matter of days. The photograph shows a DES Cracker circuit board fitted with 64 Deep Crack chips using both sides.

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.

When password-guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.

Brute-force attacks can be made less effective by obfuscating the data to be encoded, making it more difficult for an attacker to recognize when the code has been cracked, or by making the attacker do more work to test each guess. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.

Brute-force attacks are an application of brute-force search, the general problem-solving technique of enumerating all candidates and checking each one.
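As an added example (not part of the glossary entry or the Wikipedia text), the back-of-envelope model behind the statements above: the keyspace grows exponentially with password length, a key-derivation work factor multiplies the cost of every offline guess, and an online rate limit caps how fast a common-password list can be tried. The throughput, iteration count and throttle figures are constructed assumptions, not measurements.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Offline:
    """An offline attack on a captured hash: no rate limit, only raw compute."""
    alphabet_size: int        # distinct characters each position may take
    length: int               # password length in characters
    hashes_per_second: float  # assumed attacker throughput against one fast hash
    kdf_iterations: int = 1   # work factor: each guess costs this many hash computations


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must be prepared to try."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace as bits of entropy, assuming uniformly random choice."""
    return length * math.log2(alphabet_size)


def expected_seconds_offline(a: Offline) -> float:
    """Expected time to hit a uniformly random password.

    On average half the keyspace is searched before the hit; the KDF work factor
    divides the attacker's effective guess rate, so it multiplies the time."""
    guesses_per_second = a.hashes_per_second / a.kdf_iterations
    return (keyspace(a.alphabet_size, a.length) / 2) / guesses_per_second


def expected_seconds_online(candidates: int, attempts_per_hour: float) -> float:
    """Rate-limited online guessing over a list of `candidates` common passwords.

    Here the limiting factor is the server's throttle, not the attacker's hardware."""
    return (candidates / 2) / (attempts_per_hour / 3600.0)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest random password over this alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Constructed figures for illustration only.
    fast = Offline(alphabet_size=26, length=8, hashes_per_second=1e9)
    slow = Offline(alphabet_size=26, length=8, hashes_per_second=1e9, kdf_iterations=100_000)
    print(f"{keyspace_bits(26, 8):.1f}-bit keyspace, fast hash: {expected_seconds_offline(fast):.0f} s")
    print(f"same keyspace, KDF x100000: {expected_seconds_offline(slow) / 86400:.0f} days")
    print(f"top-10000 list at 10 tries/hour: {expected_seconds_online(10_000, 10) / 86400:.0f} days")
    print(f"letters-only length for 80 bits: {length_for_bits(26, 80)}")
```

The same eight-letter password that falls in under two minutes against a fast hash takes about four months once each guess costs 100,000 iterations, which is the "more work per guess" lever the text describes.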
