Introduction
At 3:14 AM, no one is watching the authentication logs. A script running on a rented cloud instance sends its ten-thousandth login attempt to a VPN portal. At 3:17 AM, it gets a response that's different from the others. Access granted. There is no malware, no social engineering, no insider threat. Just a weak password, automated patience, and a gap in monitoring.
One in three successful attacks against web applications now begins the same way: an automated script cycling through credentials until something works. According to the 2025 Verizon Data Breach Investigations Report, brute force attacks against basic web applications nearly tripled over the last year — jumping from roughly 20% to 60%. It's a signal that automated credential attacks have become a primary weapon, not a fallback.
The underlying mechanics haven't changed: try combinations until one works. What has changed is the speed, scale, and intelligence behind those attempts. Modern GPU clusters, AI-assisted wordlist generation, and botnets spanning millions of compromised devices have transformed what was once a slow, noisy attack into something fast, distributed, and difficult to detect.
This article covers what brute force attacks are, how they’ve evolved in 2026, the six main variants, real-world examples from 2025–2026, and a layered defense strategy your team can implement today.
Key takeaways
- Brute force attacks are automated credential attacks — scripts systematically cycle through username and password combinations until one works, exploiting weak, reused, or predictable passwords rather than software vulnerabilities.
- Six distinct variants target different weaknesses: simple brute force, dictionary attacks, credential stuffing, password spraying, reverse brute force, and hybrid attacks — each designed to bypass a specific set of defenses.
- Modern hardware has made weak passwords indefensible: a GPU cluster can crack an 8-character MD5-hashed password in minutes. Password length and secure hashing are what determine real-world resistance.
- Layered defenses work but only when consistently enforced. MFA, strong password policies, breach database screening, account lockouts, rate limiting, and a password manager collectively make brute force attacks impractical. Any single gap is enough for an attacker to exploit.
- Detection is a preventive control, not just a reactive one. Recognizing attack signatures — failed login spikes, low-and-slow spraying patterns, impossible travel — gives your team time to block the source before credentials are validated.
- A password manager is the structural fix for credential reuse — the root cause behind credential stuffing. For teams, it also enforces rotation, flags compromised credentials, and closes the offboarding gap that leaves stale credentials valid for years.
What is a brute force attack?
A brute force attack gains unauthorized access to a system by systematically trying every possible combination of credentials (usernames, passwords, or encryption keys) until the correct one is found. It exploits human behavior: weak, reused, or predictable passwords.
Think of it as trying every key on a keyring. Given enough time and computing power, one will eventually fit. The attacker's goal is to reduce that time to something practical and in 2026, modern hardware makes that increasingly achievable.
Brute force attacks target authentication endpoints: login pages, SSH and RDP services, VPN portals, API gateways, and admin panels. Any system that accepts a username and password is a potential target.
How brute force attacks work in 2026
At its core, a brute force attack is automation at scale. An attacker deploys a script or tool that sends credential combinations to a target system's authentication endpoint in rapid succession. The script logs successful matches and moves on.
What separates 2026 from a decade ago is the infrastructure behind those scripts.
The AI and hardware factor
Modern graphics cards (originally designed for gaming and machine learning) are exceptionally efficient at parallel computation, which is exactly what password cracking requires. A cluster of 12 NVIDIA RTX 5090 GPUs can test hundreds of billions of MD5 hash combinations per second (Hive Systems, 2025).
Against weakly hashed credentials, an 8-character password falls in minutes — or less. Against bcrypt with modern cost settings, the same hardware may take years. The difference isn't the attacker's hardware. It's whether the target system stores passwords securely.
Machine learning models trained on leaked password datasets (tools like PassGAN, built on generative adversarial networks) learn real-world password distributions without human-written rules. They predict likely patterns: birthdays appended to names, common character substitutions, culturally specific phrases.
In testing against the RockYou breach dataset, PassGAN matched 47% of real passwords. Сombined with conventional cracking tools, it uncovered 24% more matches than either approach alone. The search space doesn't shrink by brute force — it shrinks by prediction.
The quantum threat
Quantum computing uses quantum-mechanical phenomena to process information in ways classical computers cannot. Where a classical processor works through possibilities sequentially, a quantum system evaluates many states simultaneously. Applied to cryptography, that parallelism becomes a direct threat to the mathematical problems that underpin current encryption.
Quantum computing introduces a longer-term risk. IBM's quantum roadmap projects that cryptographically relevant quantum computers could undermine current asymmetric encryption standards within this decade.
Quantum attacks on hashed passwords remain theoretical, but organizations managing long-lived secrets and encryption keys should begin evaluating post-quantum cryptography standards — NIST finalized its first post-quantum standards in 2024.
Botnets and distributed attacks
A botnet is a network of compromised devices (servers, routers, IoT endpoints, personal computers) controlled remotely by an attacker without their owners' knowledge. Each device acts as an independent node, capable of sending requests, probing systems, or submitting login attempts. The scale can reach millions of machines operating in coordination.
Attackers rarely operate from a single IP. Modern brute force campaigns use botnets to distribute login attempts across different source addresses, bypassing IP-based rate limiting and geographic blocking.
In early 2025, the Shadowserver Foundation tracked a campaign using 2.8 million IP addresses daily to target VPN login portals from Palo Alto Networks, Ivanti, and SonicWall (BleepingComputer).
The attacking nodes were predominantly compromised MikroTik, Huawei, and Cisco routers — hijacked devices spread across dozens of countries, with the largest cluster originating from Brazil. The traffic was routed through residential proxy networks, making each attempt appear to come from a regular home user rather than a bot. Standard IP-based defenses saw what looked like normal traffic.
Types of brute force attacks
Brute force attacks share one principle: gain access by systematically testing credentials until something works. The methods differ in what they test, how they source their data, and which defenses they're designed to bypass.
1. Simple brute force attack
The most straightforward variant: every possible character combination is tried in sequence — aaa, aab, aac — until a match is found. No prior knowledge of the target is required. The attack relies entirely on computational power.
It is effective only against short or simple passwords. Against an 8-character password using mixed characters, modern GPU clusters can complete the search in hours. Beyond 12 characters, the same approach becomes computationally impractical — the search space grows exponentially with each added character.
2. Dictionary attack
A dictionary attack replaces exhaustive enumeration with a curated list of likely passwords (words, phrases, and known credentials) dramatically narrowing the search space. The attacker bets on human predictability rather than raw computation.
These lists range from basic compilations of the 10,000 most common passwords to multi-gigabyte datasets built from leaked credentials, regional slang, and industry-specific terminology. Any password that resembles natural language is vulnerable. Randomness is the only reliable defense.
3. Credential stuffing
Credential stuffing is the automated reuse of username and password pairs stolen from previous data breaches. Attackers take username and password pairs and test them against other services, exploiting the fact that many users reuse the same credentials across multiple accounts.
In July 2024, a compilation of nearly 10 billion unique passwords — dubbed RockYou2024 — was posted on a criminal forum, providing attackers with an unprecedented pool of credentials to work from (Cybernews, 2024).
Understanding the dangers of password reuse is essential context here — a single compromised account on one platform can cascade into access across an entire digital footprint.
4. Password spraying
Password spraying inverts the typical approach. Rather than trying many passwords against one account (which triggers lockouts), the attacker tries one or two common passwords — Password1!, Welcome2026 — across thousands of accounts.
It stays below lockout thresholds and is particularly effective against large organizations with weak password policies. Over 97% of identity attacks involve password spray or brute force, according to Microsoft Digital Defence Report 2025.
5. Reverse brute force attack
A reverse brute force attack starts with a known password (typically sourced from a breach or a known default) and tests it systematically against a list of usernames. The credential is fixed; the identity is the unknown.
This method is most effective when the target password is widely shared: a default corporate password distributed during onboarding, a common pattern mandated by a weak policy, or a credential that appeared in a previous leak. Where a standard attack probes one account deeply, a reverse attack probes many accounts with surgical precision.
6. Hybrid brute force attack
A hybrid brute force attack combines dictionary words with programmatic mutations — appending numbers, years, or special characters (Summer2026!, admin@123), substituting letters with symbols, or shifting capitalization. It is designed to crack passwords that appear complex but follow predictable construction patterns.
These attacks target the gap between password policy and human behavior. When users are required to "complicate" a password, they rarely introduce true randomness — they append 1! to a familiar word or capitalize the first letter. Hybrid attacks are built to exploit exactly that instinct, making rule-based complexity requirements a weaker defense than length alone.
Brute force attack comparison table
| Attack type | Methodology | Primary target | Best defense |
|---|---|---|---|
| Simple brute force | Exhaustive character enumeration | Single account | Account lockout, long passwords |
| Dictionary attack | Predefined word/phrase lists | Single account | Passphrases, blocklists of common passwords |
| Credential stuffing | Stolen username/password pairs | Multiple accounts across services | MFA, breach database checks |
| Password spraying | Few passwords, many accounts | Entire organization | MFA, blocking common passwords |
| Reverse brute force | Known password, unknown username | User directory | Username enumeration prevention |
| Hybrid attack | Dictionary + rule-based mutations | Single or multiple accounts | Long passphrases, password managers |
Managing credentials across a large team creates exactly the attack surface brute force campaigns exploit. See how Passwork structures team vaults with role-based access and enforced password policies
Real-world brute force attack examples (2025)
Brute force and credential stuffing attacks continue to be a significant threat, evolving in sophistication and scale. The following cases from 2025 and 2026 highlight the persistent risks and the critical importance of robust authentication and security practices.
Australian superannuation funds — March 2025
Attack type: Credential stuffing (coordinated, multi-target).
Over the weekend of 29–30 March 2025, five major Australian pension funds (AustralianSuper, REST Super, Hostplus, Australian Retirement Trust, and Insignia Financial) were simultaneously targeted using combo lists from unrelated prior breaches. Over 20,000 accounts were compromised.
Four AustralianSuper members collectively lost AUD 500,000. REST shut down its MemberAccess portal entirely after ~8,000 members had personal data exposed.
Source: BleepingComputer (April 2025)
23andMe — 2023 → regulatory consequences in 2025
Attack type: Credential stuffing
Between April and September 2023, attackers tested credentials from unrelated breaches against 23andMe accounts. Through the DNA Relatives feature, initial compromises cascaded into exposure of genetic and ancestry data belonging to approximately 6.9 million users — most of whom had never been directly targeted.
Source: ICO penalty notice (June 2025)
"Mega Leak" — 16 billion credentials exposed — June 2025
Attack type: Credential stuffing (source data)
In June 2025, Cybernews researchers discovered ~30 datasets containing over 16 billion login records — URLs, usernames, and plaintext passwords. The data was harvested primarily by infostealer malware targeting consumer devices. Platforms affected included Google, Apple, Facebook, and others. Notably, BleepingComputer confirmed the datasets include a significant proportion of recycled credentials from older breaches, meaning not all records represent fresh exposures.
Source: Cybernews (June 2025), BleepingComputer (June 2025)
Jaguar Land Rover — March 2025 + September 2025
Attack type: Credential stuffing / stolen credentials (infostealer-sourced)
In March 2025, the HELLCAT ransomware group breached JLR using stolen Jira credentials harvested via infostealer malware. Threat actor "Rey" leaked ~700 internal documents on 10 March. Days later, a second actor "APTS" used credentials dating back to 2021 — belonging to a third-party contractor — to access the same Jira server and leak an additional ~350 GB of data including source code, development logs, and employee records.
In September 2025, a separate attack attributed to a group calling itself "Scattered Spider Lapsus$ Hunters" shut down global IT systems and halted manufacturing at the Halewood plant, with employees sent home.
Source: CYFIRMA investigation report (September 2025)
Summary table
| Incident | Year | Attack type | Impact | Key failure |
|---|---|---|---|---|
| Australian super funds | 2025 | Credential stuffing | 20,000+ accounts; AUD 500K stolen | MFA available but not enforced |
| 23andMe | 2023/2025 | Credential stuffing | 6.9M records; £2.31M fine; bankruptcy | No mandatory MFA for sensitive accounts |
| "Mega Leak" | 2025 | Credential stuffing (source data) | 16B records exposed | Infostealer malware; no MFA on targeted services |
| Jaguar Land Rover | 2025 | Credential stuffing | ~350 GB leaked; production halted | Stale credentials from 2021 still valid; no MFA on Jira |
How to detect a brute force attack
Prevention is the goal, but detection is the safety net. Brute force attacks leave consistent signatures in authentication logs — if you know what to look for.
- Spikes in failed login attempts — A sudden increase in authentication failures against a single account, or spread across many, is the most direct indicator. Establish a baseline for your environment and alert on deviations.
- Multiple lockouts from the same source IP — Even distributed attacks leave partial patterns. Repeated lockouts originating from the same IP range or ASN (Autonomous System Number) suggest automated activity.
- Impossible travel — A user authenticating from London and then from Singapore within 30 minutes triggers an automatic flag in modern SIEM and identity platforms. The signal alone is not conclusive: VPN exit nodes, split-tunneling configurations, and cloud proxy services routinely produce false positives. The value is in the investigation it prompts — not the assumption it confirms.
- High request volume to authentication endpoints — Hundreds of POST requests per minute to
/loginor/api/authfrom a single source is not organic traffic. Monitor your login endpoints for request rates that exceed human typing speed. - Distributed low-and-slow patterns — Password spraying specifically avoids triggering per-account lockouts. Look for a pattern where many different accounts each receive exactly one or two failed attempts within a short window — this is the spraying signature.
- Unusual user-agent strings or missing headers — Automated tools often send requests with generic or absent user-agent strings, missing standard browser headers, or with unusual TLS fingerprints.
How to prevent brute force attacks
Defense against brute force is a stack. Each layer compensates for the weaknesses of the others.
Enforce strong password policies
Length matters more than complexity. A 16-character passphrase is exponentially harder to crack than an 8-character string of mixed characters. Move your organization away from minimum-length policies that technically permit P@ssw0rd and toward minimum-entropy policies that require genuine unpredictability. Review enterprise password management best practices for a structured framework.
Key requirements per NIST SP 800-63B:
- Minimum 15 characters for accounts without MFA; minimum 8 with MFA enforced
- No arbitrary complexity rules that produce predictable patterns
- Maximum length of at least 64 characters to support passphrases
- Block passwords that appear in breach databases — check new credentials against services like Have I Been Pwned at the point of creation, not after the fact
Screen credentials against breach databases
Before a password is accepted, verify it hasn't already appeared in a known data breach. NIST SP 800-63B and OWASP both require this as a distinct control — separate from password length or complexity rules. An attacker running a dictionary attack against your systems is working from the same leaked datasets. Blocking those passwords at registration removes them from the attack surface entirely.
Implement multi-factor authentication
MFA is the single most effective control against credential-based attacks — a compromised password alone is not enough for access. That said , MFA is not infallible. MFA fatigue attacks — where attackers send repeated push notifications until a user approves one out of frustration — have bypassed MFA at major organizations. Phishing-resistant MFA methods such as FIDO2 and passkeys eliminate this vector entirely.
Configure account lockouts and progressive delays
Configure authentication systems to lock accounts after a defined number of failed attempts (typically 5–10), or implement progressive delays that increase exponentially with each failure. Progressive delays are often preferable to hard lockouts, which can themselves be weaponized for denial-of-service against legitimate users.
Apply rate limiting at the IP and ASN level
Account lockout protects individual accounts. Rate limiting protects the authentication endpoint itself. These are different controls with different targets. Restrict the number of login requests per IP address per time window. Escalate to ASN-level blocking when distributed patterns emerge.
Deploy CAPTCHA and bot management
CAPTCHA challenges differentiate human users from automated scripts at the authentication layer. Modern bot management platforms go further, analyzing behavioral signals — mouse movement, typing cadence, TLS fingerprints — to identify non-human traffic before it reaches the login form.
Implement zero trust architecture
Zero trust operates on the principle that no user, device, or network segment is inherently trusted. Even after successful authentication, access is continuously verified based on context: device health, location, behavior, and least-privilege access rules. If a brute force attack does compromise one account, zero trust limits the blast radius by preventing lateral movement to other systems and resources.
Monitor authentication logs and alert on anomalies
Detection is a preventive control, not just a reactive one. Catching an attack in progress gives your team time to block the source, invalidate sessions, and contain the damage. Configure SIEM alerts for: spikes in failed authentication attempts, impossible travel events, high request volume to login endpoints, and the low-and-slow spraying pattern where many accounts each receive exactly one or two failures within a short window.
Use a password manager
Password reuse is the fuel that makes credential stuffing viable at scale. When one breach exposes a credential, every other service where that password is reused becomes vulnerable — automatically, without any additional effort from the attacker. A password manager eliminates this by generating and storing a unique, high-entropy password for every account, making reuse structurally impossible.
For individual users, any reputable password manager achieves this. For teams and organizations, the requirements are different and the stakes are higher.
Passwork is built specifically for this environment. It gives IT teams a centralized, structured vault where credentials are organized with granular, role-based access control: each user sees only what their role permits, nothing more. Shared credentials are stored in shared vaults with defined permissions.
Several of Passwork's features directly address the attack vectors covered in this article:
- Customizable password generator — enforces length and complexity requirements at the point of creation, so policy compliance isn't left to individual judgment.
- Password security dashboard — continuously tracks the status of all stored credentials, flagging weak, reused, outdated, and potentially compromised passwords across the entire vault. When an employee leaves, Passwork automatically marks every credential they had access to as potentially compromised and prompts rotation.
- Zero-knowledge client-side encryption — credentials are encrypted on the client side before they ever reach the server. Even with full access to the database or underlying infrastructure, an attacker retrieves nothing readable. The encryption key never leaves the user's device.
- Full audit log — every action in the vault is logged: who accessed what, when, and from where. This is the visibility layer that makes post-incident investigation possible and supports compliance with GDPR, NIS2, and similar frameworks.
- Two-factor authentication, passkeys, and hardware security keys — Passwork supports 2FA via authenticator apps and WebAuthn-based authentication including biometrics and FIDO2 hardware keys, adding a second layer beyond the vault password itself.
- Configurable account lockout — administrators set the threshold of failed login attempts after which an account is locked. This applies brute-force and credential stuffing protection at the vault level itself — not just at the network perimeter.
- Self-hosted deployment — Passwork runs entirely within your own infrastructure. Credential data never leaves your environment, is encrypted with AES-256 on both server and client sides (zero-knowledge architecture), and is managed exclusively by your team.
The JLR breach illustrated what happens without this structure: credentials from 2021 belonging to a third-party contractor were still valid four years later, with no rotation and no MFA on the Jira instance. A centralized vault with enforced rotation policies and an offboarding workflow would have closed that window before it was exploited.
Conclusion
Brute force attacks have become more scalable in practice. Cheap GPU compute, AI-assisted wordlist generation, and massive botnets mean that what once required significant resources now requires almost none. The 37% share of web application attacks attributed to brute force in the 2025 Verizon DBIR is the result of that accessibility.
The good news: the defenses work. MFA, strong and unique passwords, account lockout policies, and behavioral monitoring collectively make brute force attacks impractical against a hardened target. Attackers move toward lowest resistance — which means organizations that implement layered authentication security effectively remove themselves from the easy-target pool.
The real risk is that they're inconsistently applied — one team using MFA, another not. Shared credentials stored in spreadsheets; password policies that exist on paper but aren't enforced technically. Closing those gaps is where the real work lies.
Passwork gives IT teams a structured, auditable credential vault with role-based access — built for the environments where inconsistency creates risk. Full self-hosted deployment and zero-knowledge encryption — on your infrastructure from day one. Get free trial
Frequently asked questions
What is the difference between a brute force attack and a dictionary attack?
A simple brute force attack tries every possible character combination systematically, with no prior knowledge. A dictionary attack uses a curated list of likely passwords — common words, known phrases, leaked credentials — to reduce the search space. Dictionary attacks are faster and more targeted; simple brute force is exhaustive but slower. Both are defeated by long, random passwords that don't resemble natural language.
Can brute force attacks bypass MFA?
Standard brute force cannot bypass MFA directly — a correct password alone isn't enough for access. However, attackers use adjacent techniques: MFA fatigue (sending repeated push notifications until the user approves), real-time phishing (capturing and replaying MFA tokens), and session hijacking (stealing authenticated session cookies after login). Phishing-resistant MFA methods such as FIDO2 hardware keys and passkeys eliminate the phishing and fatigue vectors entirely.
Are brute force attacks illegal?
Yes. Unauthorized brute force attacks against systems you do not own or have explicit permission to test are illegal under computer fraud legislation in most jurisdictions — including the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the United Kingdom, and the EU Directive on Attacks Against Information Systems (2013/40/EU). Penalties include significant fines and imprisonment. Authorized penetration testing requires written permission from the system owner.
How long does it take to crack a password with brute force?
It depends on password length, character set, and how the hash is stored. A 8-character MD5-hashed password falls in under an hour against a modern GPU cluster. The same password hashed with bcrypt at a high cost factor may take years on the same hardware. Length is the most reliable variable under your control: every additional character multiplies the search space exponentially. A 16-character passphrase against bcrypt is computationally impractical to crack with current hardware.
What is credential stuffing and how does it differ from brute force?
Credential stuffing uses verified username/password pairs from previous data breaches and tests them against other services. It doesn't guess — it reuses. Brute force generates or cycles through combinations without prior knowledge of valid credentials. Credential stuffing is faster and more targeted because it works with real credentials, and it succeeds specifically because of password reuse across services.
What systems are most commonly targeted by brute force attacks?
Authentication endpoints with public exposure carry the highest risk: SSH and RDP services, VPN portals, web application login pages, admin panels (WordPress /wp-admin, cPanel), and API authentication endpoints. The 2025 campaign utilizing 2.8 million IPs focused specifically on VPN gateways and firewalls — perimeter devices that, if compromised, provide direct access to internal networks.
Brute force attacks in 2026: What they are and how to stop them
GPU clusters, AI-assisted wordlists, botnets of 2.8M devices. Brute force has scaled. This guide covers six attack variants, real-world cases from 2025, and a layered defense strategy your team can implement today.
