What is Brute Force Attack | How to be Secure from Brute Force Attack


Hi friends ,

The easiest kind of hacking a programmer can do is to use  brute force attack  to gain sensitive information about some one , It is applied  to guess the password of any desktop or user name-password pair of any web application.

Brute force technique requires no decoding tool,no PC information and simply nothing.

Brute force technique  strategy is once in a while likewise know a word dictionary attack.


The “Dictionary Attack” method that in which mostly used words are as dictionary to guess the password. method uses mostly words in the dictionary to guess the passwords and may add a number at the beginning or in the end for best guesses.

The “Brute Force” is method like dictionary attach that use a crypt analysis techniques to find the exact match.  Brute Force has more complex word with  all type character set with all type of combination of string and repeatedly matching process until result not found. the time is main component in this attack.

Encryption of passwords

The RC5-72 project shows how quickly passwords can be identified. The goal of the project is to decrypt a message which has been encrypted with a 72 bit key. Do to so, all possible keys are checked until the correct key is found. As in this project different users contribute their computing capacities, they can currently (as of May 08, 2012) try more than 800 billion keys per second. In older projects of this organization, a 56 bit key had been decrypted within 250 days and a 64 bit key within 1,757 days.

Keyword combination and length

With a few calculation examples we will try to show how the length of a password and the number of characters interact in regard to a password’s safety. In the following examples, we calculate with 2 billion keys per second, which a single high-performance computer might approximately manage.

When creating a password you have the following characters which you can use:

  • numbers (10 different ones: 0-9)
  • letters (52 different ones: A-Z and a-z)
  • special characters (32 different ones).

The number of different combinations can be calculated with the following formula:

Different combinations = number of possible characters password length

This results in the following overview – even without considering other factors like dictionary attacks:

Password consists of Possible combinations Max, needed time for cracking
5 characters
(3 lower case letters,
2 numbers)
365= 60,466,176 60,466,176 /
2,000,000,000 =
0.03 seconds
7 characters
(1 upper case letter,
6 lower case letters)
527= 1,028,071,702,528 1,028,071,702,528 /
2,000,000,000 =
514 seconds =
approx, 9 minutes
8 characters
(4 lower case letters,
2 special characters,
2 numbers)
688= 457,163,239,653,376 457,163,239,653,376 /
2,000,000,000 =
228,581 seconds =
approx, 2,6 days
9 characters
(2 upper case letters,
3 lower case letters,
2 numbers,
2 special characters)
949= 572,994,802,228,616,704 572,994,802,228,616,704 /
2,000,000,000 =
286,497,401 seconds =
approx, 9,1 years
12 characters
(3 upper case letters,
4 lower case letters,
3 special characters,
2 numbers)
9412= 475,920,314,814,253,376,475,136 475,920,314,814,253,376,475,136 /
2,000,000,000 =
237,960,157,407,127 seconds =
approx, 7,5 million years

You can see very clearly how the length of the keyword and the use of different character groups affect the security of a keyword.

In the event that sufficient time is given each secret word can be split sooner or later.The time depends vigorously on the intricacy included in picking the watchword. The force and effectiveness of this straightforward calculation can be seen however the way that each watchword can be split through savage power assault gave a sufficient time is given,which halfway means a secret key is 100 % can be broken utilizing this basic system. The procedure is greatly straightforward and an a large number of computerized programming are now accessible on the Internet.

However as a Member of an Ethical group i am interested on giving information about how to avoid it.

So gives us a chance to perceive how we can minimize this.


Its human propensity to inquiry of solace thus does it apply while picking password.At minimum , yaar be particular while picking password.Generally individuals don’t recall muddled secret key and pick, for example, permit number,date of birth,spouse,father name,pet name,gf/bf name etc.As these passwords are simple for u excessively recollect that it is similarly simple for any interested hacker to guess it.

Then again as the programmers are extremely smart,he won’t utilize any web program to figure every client name and secret word .He will be utilizing an automated robotized instrument which can fire more than 1000 passwords mix every moment, with credentials generated from from a large list.

This list is really called as a dictionary..

Again if the attacker gets success in cracking password of any one site he may have the capacity to split all different passwords of different sites as the most people keep same password key for all places.So please companions pick your Passwords security.

A Strong password policy can be as follows..

  • Must contain at least 7 characters..
  • Must contain at least single uppercase letter
  • Must contain at least single lowercase letter
  • Must contain at least single digit
  • Must contain at least single special characters

A password like root$000islocal will generate 1 3.5452 x 10^16 combination through brute force attach and about 3.7558 x 10^19 through dictionary attack and would require approx. 1124.2 Years  at 100 passwords per second to crack on normal machine and at least 8 continuous days at 1000000 passwords per second on a highly powerful machine.

Again my password M!c12@isbest will require in 8.3710 x 10^15 Years.

To check ur password strength pls click here.

The above policy may seem strict but will guarantee you that it will not be able to cracked easily. A password with 7 digits having a mixture of lowercase letter,uppercase letter, special symbols generated more than 70 trillion combinations and requires more than 10000 years of human time through a dictionary attack.

Many organization uses Intrusion Detection System (IDS) to monitor a high number of request from a same user but this is not sufficient to prevent brute force attack as the band with of the automated tool can easily be controlled.


As disused above password is the main half data the other half is the user name.

While picking user name is likewise similarly important.The same arrangement can be connected while picking user names too.

Some web improvement devices or systems actualize default settings which is a simple focuses for any keen programmer.

User names can likewise be speculated and along these lines is more unsafe than passwords as a default titles like administrator or head gives a more favored rights.If the programmer has the capacity lo gin through these managerial rights he may accomplish more harm than ordinary users accounts.

Adjacent to regulatory records users records are additionally effortlessly hackable.Normally the users pick names,email ids,phone number as their user names(remember face book).Here by and by the user apathy is again profited to the aggressor. Alternate routines can be handicapping the record after a limited number of fizzled lo gin endeavors happens however this makes an alternate kind of assault known as foreswearing of administration attack(DOS).

Above all else in this kind of preventive measures the aggressor may get disappointed as though assume if after a 3 wrong endeavors bolts the record for few hours utilizing mechanized device for savage driving at the rate of 100  will increment from a solitary seconds to numerous days.

The reaction of this is the honest to goodness user will be denied by the administration as the robotized instrument continues endeavoring incorrectly watchword and locking it continuously,the real user won’t find the opportunity to utilize the administration.

Again bolting is carried out to keep the watchword speculating however suppose it is possible that the aggressor is entombs ted in user name. As opposed to fluctuating the secret word this time he will differ user names and he will fire more than thousand of appeal and the framework will enroll just single fizzled footing every record.

An alternate technique can be utilizing incremental defer as a part of sending response.1 second postpone for first wrong attempts,2 second defer for second wrong endeavor thus on.The user can hold up for few seconds rather holding up hours in the wake of locking however the mechanized programming will experience the ill effects of this postponement.

There hindrances of the above strategy can be as the framework needs to keep the track of the sending  application however the computerized device can be arranged to send new session every time an appeal is end to the server.

The user can likewise be followed by the ip address however there is numerous circumstances when various user offers same ip location or the single user can utilize distinctive ip address.

However this is in any event better technique for guarding against beast power assault than locking the records.


The last methods can be showing the fitting slips when a fizzled lo gin endeavor happens.

Consider the two blunders messages.

Wrong secret key.

The primary message let us know all that the user name is not existing in the framework thus he will moved to the following user name and would a considerable measure of time while attempting to figure the secret word for that record.

The second message lets us know that the user name does exist yet the secret key isn’t right consequently the programmer now know the user name is right he simply always applies the watchword splitting systems.

Mistake messages like ” User name and Password don’t coordinate ” can be utilized to report fizzled lo gin.No one can figure from this blunder message whether the user name isn’t right or the secret key.