Brute Force Attack

Security Glossary - Web Security

Definition: A brute force attack is a trial-and-error method where an attacker systematically tries every possible password, key, or credential combination until finding the correct one. Credential stuffing - using leaked username/password pairs from data breaches - is a related technique that is often more efficient than pure brute force.

Why You Should Care About Brute Force Attack

Brute force attacks target any authentication mechanism: login forms, API keys, session tokens, and encrypted data. With automated tools, attackers can try thousands of passwords per second against a login endpoint that lacks rate limiting.

Credential stuffing is particularly effective because many users reuse passwords across services. When credentials from one breach (like a compromised social media site) are tested against other services (like email or banking), a significant percentage of accounts are compromised.

Defenses include rate limiting (restricting login attempts per IP and per account), account lockout policies, CAPTCHA after failed attempts, multi-factor authentication (which makes stolen passwords insufficient), and monitoring for unusual login patterns (multiple accounts from one IP, logins from unusual locations).

How to Test for Brute Force Attack

A security audit checks for rate limiting on authentication endpoints and the presence of CAPTCHA or other brute force defenses. Test by making rapid login attempts to see if throttling is applied. Implement multi-factor authentication for the strongest protection.


Questions and Answers

How do I protect against brute force attacks?
Rate-limit login endpoints (5-10 attempts per minute per IP), add CAPTCHA after 3-5 failed attempts, lock the account after 10 failed attempts, and strongly encourage or require multi-factor authentication.
Is account lockout a good defense?
Account lockout stops brute force against a specific account, but it can be abused for denial of service: an attacker who deliberately fails logins can lock legitimate users out. Use progressive delays (1 second, 2 seconds, 4 seconds, etc.) rather than permanent lockout, and combine them with CAPTCHA for a better balance.
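As an added example (not DomainOptic's code), the following Python throttle combines the controls from the two answers above: a per-IP attempt limit, a per-account progressive delay (1 s, 2 s, 4 s ...), a CAPTCHA requirement after repeated failures, and lockout after 10 failures. The class and method names are hypothetical; the thresholds are the ones quoted above, and the clock is injectable so the behaviour can be checked without sleeping.

```python
import time
from collections import defaultdict, deque

# Thresholds from the answers above (constructed example values).
IP_WINDOW_SECONDS = 60
IP_MAX_ATTEMPTS = 10          # 5-10 attempts per minute per IP
CAPTCHA_AFTER_FAILURES = 3    # require CAPTCHA after 3-5 failures
LOCKOUT_AFTER_FAILURES = 10   # lock the account after 10 failures
MAX_DELAY_SECONDS = 60        # cap for the progressive delay


class LoginThrottle:
    """Per-IP rate limit plus per-account progressive delay and lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.ip_attempts = defaultdict(deque)   # ip -> attempt timestamps
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.next_allowed = defaultdict(float)  # account -> earliest next try

    def check(self, ip, account):
        """Decide before verifying the password; returns (allowed, reason)."""
        now = self.clock()
        window = self.ip_attempts[ip]
        while window and window[0] <= now - IP_WINDOW_SECONDS:
            window.popleft()                    # drop attempts outside the window
        if len(window) >= IP_MAX_ATTEMPTS:
            return False, "ip_rate_limited"
        if self.failures[account] >= LOCKOUT_AFTER_FAILURES:
            return False, "account_locked"
        if now < self.next_allowed[account]:
            return False, "progressive_delay"
        window.append(now)                      # this attempt counts against the IP
        if self.failures[account] >= CAPTCHA_AFTER_FAILURES:
            return True, "captcha_required"
        return True, "ok"

    def record(self, account, success):
        """Update per-account state after the password check."""
        if success:
            self.failures[account] = 0
            self.next_allowed[account] = 0.0
            return
        n = self.failures[account] + 1
        self.failures[account] = n
        # 1 s, 2 s, 4 s, ... doubling per consecutive failure, capped
        delay = min(2 ** (n - 1), MAX_DELAY_SECONDS)
        self.next_allowed[account] = self.clock() + delay
```

A successful login resets the account's failure count and delay, while the IP window keeps counting so one source cannot spray many accounts unchecked.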
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.