How brute-force attacks reveal your passwords

Brute-force password cracking: A hammer cracking a padlock.

A brute-force attack is an attempt to discover—or “crack”—your password through repeated guessing.

On public-facing login screens, most web services limit the number of times someone can attempt to guess your password. Google and Facebook, for instance, will only allow a few wrong answers before locking an account down entirely.

But if a hacker obtains the internal database of a company, which often happens after massive data leaks, they will be able to guess as many times as they like, hundreds of thousands of times per second.

What is brute-forcing?

Brute-forcing is the act of cracking a password by trial and error. We call it “brute”-forcing because—in theory—it requires no intelligence. The algorithm can be as “dumb” as this:

  1. Take a list of all possible combinations of characters
  2. Try the first one
  3. Did it work? If not, try the next one
  4. Go to step 3

In practice, however, brute-force password cracking algorithms are smarter than this. They often use special lists of common words and previously cracked passwords to reduce the time it takes to crack your password.

How long does it take to crack a password by brute-force?

How quickly a brute-force attack can crack your password depends mainly on three things: how large the space of possible passwords is, how fast the attacker’s computer hardware is, and how much information the attacker knows about the password.

Longer password = more time to brute-force

Let’s pretend a password can only be one character, chosen out of 26 lowercase letters (a-z). If you had to guess this “password” by brute-force, you would be able to do it in an average of 26/2 = 13 guesses.

A two-character password like this would have 26×26 possible options and would take an average of (26×26)/2 = 338 attempts to decipher.

The formula c=(m^n)/2 describes the relationship between the possibilities for each character (m), the password length (n) and the expected number of guesses (c).

As the length of the password (n) increases, the number of expected guesses increases exponentially.

The size of the character set (m) also matters, but less so. For example, allowing uppercase letters as well (increasing m from 26 to 52) makes a four-character password 16 times more difficult to crack. That may seem like a lot, but adding one character of length (increasing n from 4 to 5, say) makes it 26 times more difficult to crack.

This explains why, when choosing a password, it is usually better to add more letters than to change one to a special character.

Faster hardware = less time to brute-force

A regular computer can make about 100,000 guesses per second, which renders any password shorter than five characters fairly useless. Using the formula above with m=67 and n=4:

c = (67^4)/2 = 10,075,560.5 guesses
10,075,560.5 / 100,000 = 100.7 seconds, or a little under 2 minutes to guess

A dedicated GPU could be 100 times faster than this, and it’s possible to create a password cracking farm with hundreds of GPUs.

If we assume the attacker has a regular computer, capable of 100,000 guesses per second, any lowercase password with less than six characters will take less than one minute to crack.

But the time to crack grows exponentially as you add more characters: an eight-character password would take about 12 days to crack, and a 12-character password over 12,000 years.
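The figures in the last two sections (13 and 338 guesses, the 67^4 case, under a minute for five lowercase letters, 12 days for eight, over 12,000 years for twelve) all come from the same formula, c = (m^n)/2, divided by a guess rate. The calculator below is an added example, not code from the article; it reproduces those numbers and prints a time-to-crack table for lowercase passwords at the article's two rates (100,000 guesses per second for a regular computer, 100 times that for a GPU). The 365.25-day year used for the "years" column is an assumption.

```python
"""Added example (not the article's code): the article's formula c = (m^n) / 2
turned into a small time-to-crack calculator.  m = number of possible symbols
per position, n = password length, c = expected number of guesses."""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY   # assumption: Julian year


def expected_guesses(m: int, n: int) -> float:
    """On average an attacker has to try half of the m**n possible passwords."""
    return m ** n / 2


def seconds_to_crack(m: int, n: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for an attacker guessing at the given rate."""
    return expected_guesses(m, n) / guesses_per_second


def difficulty_ratio(m1: int, n1: int, m2: int, n2: int) -> float:
    """How many times more guesses a (m2, n2) password needs than a (m1, n1) one."""
    return expected_guesses(m2, n2) / expected_guesses(m1, n1)


def human_time(seconds: float) -> str:
    """Round a duration to the unit a reader would actually use."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3_600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3_600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def crack_time_table(m: int, lengths, rates) -> list:
    """Rows of (n, expected guesses, {rate: seconds}) for one alphabet size."""
    return [(n, expected_guesses(m, n), {r: seconds_to_crack(m, n, r) for r in rates})
            for n in lengths]


if __name__ == "__main__":
    RATES = {"regular computer": 100_000, "one GPU": 10_000_000}
    print(f"{'len':>3} {'guesses':>22}  " + "  ".join(f"{name:>16}" for name in RATES))
    for n, c, times in crack_time_table(26, range(4, 13), RATES.values()):
        cells = "  ".join(f"{human_time(times[r]):>16}" for r in RATES.values())
        print(f"{n:>3} {c:>22,.0f}  {cells}")
    # The article's own worked case: m = 67, n = 4, 100,000 guesses per second.
    print(human_time(seconds_to_crack(67, 4, 100_000)))   # 1.7 minutes
    # Doubling the alphabet versus adding one character, four-character base case.
    print(difficulty_ratio(26, 4, 52, 4), difficulty_ratio(26, 4, 26, 5))  # 16.0 26.0
```

The table makes the exponential growth visible in one screen: each extra lowercase character multiplies every cell by 26, whereas moving from the regular computer to the GPU column only divides it by 100, which is less than the gain from a single added character.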

Whether a 12-character password is enough depends on the value of what it protects and the scale of the attack. If attackers are only after a single target, a 12-character password might be within their reach.

It’s crucial, then, to protect valuable data (such as personal information or Bitcoin private keys) with far longer passwords. When encrypting your Bitcoin wallet, for example, a key of over 32 characters might be a good idea.

More info = less time to brute-force

The above calculations assume that the attacker does not know anything about the password, other than whether it includes uppercase or lowercase or special characters.

In reality, the attacker can reduce the number of guesses by using lists of common words and of passwords previously exposed in security breaches. These are called dictionary attacks, and they are probably the most common tool in a brute-force attacker’s arsenal.

Password crackers can use other methods to augment their brute-force attack, such as the fact that people tend to choose passwords that only have numbers at the end (such as hello111) and/or include the name of the service or URL somewhere (such as gmailpanther1234). These are called hybrid brute-force attacks.

People also tend to use names of their pets or children as passwords, sometimes in combination with birth dates or years, making their password easier to guess than people might think, especially in targeted attacks.

How to defend against brute-force attacks

There are a few things that can be done to guard against brute-force attacks, both for the person creating the password and the website responsible for protecting it. Let’s start with the latter.

How salting and hashing protect against brute-force attacks

When websites store your passwords, they should (but don’t always) hash them, so that somebody who obtains the user database can’t read the passwords directly.

Hash functions, such as SHA-256, are cryptographic functions. Any piece of data (text, an image, a number) can be “hashed,” and no matter how long the input is, the output of SHA-256 is always 256 bits long. When encoded in hexadecimal (as below), this gives a 64-character string.

Password                        SHA-256 hash
ExpressVPN                      8d10b64d749d7e276df16d3c50d13f0f70574da20fd464b750ad09ca8b3781ff
ExpressVPN!                     cefa82ba9be993405d869295c7b2bcd070de0190b4631dc2e607272b2bfc962e
i-love-expressvpn               cda9020e1765e2fe01098d9143ce2514b0f3c71927501866b28c870c0e8a60cd
I-LoVE-ExpressVPN_3876sd23%4!   1dba432b90623776fbf887b094b06398b99472da501049d6b3303959b4470761

Hashing is a one-way function: easy to compute in one direction, but hard to reverse. Given a stolen database of hashed passwords, it would be infeasible to attempt to reverse each one.

Because people tend to reuse their passwords, however, attackers often don’t have to. They can hash a list of common passwords, then search the stolen database for those hashes.

That’s where salting comes in. A salt is a random number that is combined with a password and then hashed, producing unique hashes even for the same password.
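To see the difference a salt makes, here is an added example (not the article's code) that stores a few constructed users' passwords first as plain SHA-256 hashes and then with a random per-user salt, and checks both stores against a small constructed list of common passwords hashed ahead of time. It also includes a deliberately slow, salted derivation (PBKDF2-HMAC-SHA256 from Python's hashlib) because a salt on its own only removes the precomputation shortcut: a weak password is still found once each candidate is rehashed per user, so the per-guess cost has to be raised too. User names, passwords, the common-password list and the iteration count are all constructed sample values.

```python
"""Added example (not the article's code): why a list of precomputed hashes
cracks an unsalted store with one lookup per user, why a per-user salt defeats
that list, and why a salt alone is still not enough for weak passwords.
Hashing is SHA-256 via hashlib, as in the article's table."""
import hashlib
import secrets

# Constructed stand-in for the wordlists attackers hash ahead of time.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hello111"]
# Constructed users: two of them picked the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "x7#Qm2!pLw9Vz-constructed"}


def sha256_hex(data: str) -> str:
    """Unsalted SHA-256, hex-encoded: always 64 hex characters (256 bits)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def precomputed_table(candidates):
    """Built once by the attacker: hash -> plaintext for every common password."""
    return {sha256_hex(p): p for p in candidates}


def unsalted_store(users):
    """A site that hashes without salting: user -> sha256(password)."""
    return {user: sha256_hex(pw) for user, pw in users.items()}


def lookup_unsalted(store, table):
    """One dictionary lookup per user; identical passwords share one hash."""
    return {user: table.get(h) for user, h in store.items()}


def salted_hash(password: str, salt: bytes) -> str:
    """The salt is mixed into the input, so the hash depends on both."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def salted_store(users):
    """Each user gets a fresh random 16-byte salt, stored next to the hash."""
    store = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def lookup_salted(store, table):
    """The precomputed table never matches: every stored hash includes a salt."""
    return {user: table.get(h) for user, (_salt, h) in store.items()}


def guess_salted(store, candidates):
    """Without the shortcut, every candidate has to be rehashed for every user.
    Returns (user -> recovered password or None, number of hashes computed)."""
    found, work = {}, 0
    for user, (salt, h) in store.items():
        found[user] = None
        for cand in candidates:
            work += 1
            if salted_hash(cand, salt) == h:
                found[user] = cand
                break
    return found, work


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """What a password store should use instead of plain SHA-256: a deliberately
    slow, salted derivation (PBKDF2-HMAC-SHA256 here), so every guess costs the
    attacker `iterations` hash computations instead of one.  The iteration count
    is a demo value; production settings are higher or use scrypt or Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted, table lookup:   ", lookup_unsalted(unsalted_store(USERS), table))
    salted = salted_store(USERS)
    print("salted, table lookup:     ", lookup_salted(salted, table))
    print("salted, per-user guessing:", guess_salted(salted, COMMON_PASSWORDS))
```

Running it shows alice and bob sharing one hash in the unsalted store and both being resolved by the table, while in the salted store their hashes differ and the table finds nothing; `guess_salted` then shows the remaining risk, which is why the slow derivation belongs in any real store.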

Learn more about salting and hashing passwords.

How strong passwords protect against brute-force attacks

The most effective thing you as an individual can do to defend against brute-force cracking is choose strong passwords.

As we discussed above, making your passwords longer is usually the best way to increase the time it would take to guess them. But it’s also important that your passwords are unique, otherwise they could turn up in a hacked database somewhere.

Remembering multiple long, unique passwords is a tough task for humans, so we recommend using a random password generator to conveniently suggest long and unique passwords.

If you then store those passwords in a password manager, you only need to remember a single master password (which you could generate with Diceware, to make it extra secure). In addition, two-factor authentication helps protect accounts against even more sophisticated attacks, such as a login with a password obtained through phishing.
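The generator the section recommends is a few lines with Python's `secrets` module, which draws from the operating system's cryptographic random source (the general-purpose `random` module is not suitable for passwords). The added example below, which is not the article's code, produces both a random character password and a Diceware-style passphrase and reports how many bits of guessing work each represents; every extra bit doubles the expected number of guesses from the earlier formula. The eight-word list is a constructed stand-in; a real Diceware list has 6^5 = 7,776 words, and the entropy figure uses that size.

```python
"""Added example (not the article's code): generating the long, unique, random
passwords the article recommends and measuring the guessing work they impose."""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# A real Diceware list has 6**5 = 7776 words, one per roll of five dice.
DICEWARE_LIST_SIZE = 6 ** 5
# Constructed stand-in list; far too short for real use.
SAMPLE_WORDS = ["ember", "tulip", "canyon", "quartz", "walrus", "lantern", "meadow", "orbit"]


def random_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Each position is an independent uniform draw from the alphabet via the
    OS CSPRNG; no position depends on the others or on the clock."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> str:
    """Each word is an independent uniform pick, so entropy adds up per word."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """log2 of the number of equally likely passwords; one more bit doubles
    the expected guesses in the c = (m^n)/2 formula."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"{entropy_bits(len(FULL_ALPHABET), len(pw)):.1f} bits")
    phrase = diceware_passphrase(6)
    print(phrase, f"{entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits with a real 7776-word list")
```

Sixteen random characters from the 94-symbol alphabet give about 105 bits, and six words from a full Diceware list about 77.5 bits; the passphrase is weaker per character but far easier to remember, which is why the article suggests it for the one master password you still have to memorise.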

Learn more about the importance of strong, unique passwords.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.