Brute Force Attack: Preventing Trial-and-Error Logins

During a brute force attack, a hacker attempts to guess your usernames and passwords.

Savvy hackers use tools to lighten their workload and speed up the guessing game. But even with sophisticated tools, it can take some hackers hours, days, weeks, or even months to hit the right combination.

With the right username/password, a hacker can scout around your system just like a verified user. If the intruder is lucky and guesses the combination for someone with plenty of security clearance, the results can be devastating.

Every year, cloud accounts that are compromised via brute force attacks cost companies an average of over $6 million.

How do brute force attacks work?

A hacker with skill, time, and a bit of luck can bombard your server with thousands of attempted logins. One of those combinations could be successful, and if it is, the hacker gets inside.

No username/password combination is completely hackproof. Given enough time, attackers can crack any combination.

Some hackers do their work manually. They may start with the items they know, such as:

  • Username structure. They may know that you require an email address login, or they may know that blending last names and first initials makes up most of your usernames. 
  • Password rules. They may know how long your passwords must be, and they may know the combination of dates, symbols, and letters that you require. 
  • Existing passwords. They may know a password that works for one person on your team.

Other hackers lean on tools that run login attempts automatically. Experts say there are at least nine of these tools, and while they should be deemed illegal and impossible to find, most can be downloaded online and put to use right away.

A hacker with an automated tool sets up a scan, walks away, and hopes the program strikes gold eventually.

Brute force attack types

Whether a hacker leans on tools or attempts a manual attack, that person must pick an approach to guide the work.

Common types of brute force attacks include:

  • Dictionary. The hacker chooses one target (typically someone with a high clearance level) and runs every possible password combination at that username. 
  • Reverse. The hacker starts with one known password. Then, the hacker attempts to find the username that it belongs to. 
  • Simple. The hacker uses logic and time to guess the right combination. If your passwords are simple, you make a hacker's job easy. 
  • Stuffing. The hacker uses a username/password combination that worked elsewhere.
  • Hybrid. The hacker combines approaches to find one that works best for your security system and company.

These methods may seem crude. While they do rely on luck (more than expertise), remember that they can be remarkably effective. And depending on how well you secure your corporate resources, a hacker who gains access into one account may be able to access your servers, customer information, and more.
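From the defender's side, the dictionary and reverse patterns listed above leave different traces in authentication logs: many failures against one account versus one source failing across many accounts. The following is an added example, not code from the original page; the log line format, the 10-minute window, and the threshold of 5 are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")
WINDOW = timedelta(minutes=10)  # assumed detection window


def build_sample():
    """Constructed log lines in an assumed format; not from a real system."""
    def t(s):
        return f"2024-05-01T10:{s // 60:02d}:{s % 60:02d}"
    lines = [f"{t(i * 5)} LOGIN_FAILED user=admin src=203.0.113.7" for i in range(6)]
    lines += [f"{t(100 + i)} LOGIN_FAILED user=user{i} src=198.51.100.9" for i in range(5)]
    lines += [f"{t(200)} LOGIN_FAILED user=jdoe src=192.0.2.44",
              f"{t(210)} LOGIN_OK user=jdoe src=192.0.2.44"]
    return lines


def detect(lines, threshold=5):
    """Return accounts and sources whose failures within WINDOW reach threshold."""
    by_user = defaultdict(list)    # username -> failure timestamps
    by_source = defaultdict(list)  # source -> (timestamp, username)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "LOGIN_FAILED":
            continue  # skip successes and lines that do not parse
        ts = datetime.fromisoformat(m.group(1))
        by_user[m.group(3)].append(ts)
        by_source[m.group(4)].append((ts, m.group(3)))
    targeted = set()  # one account, many failures (dictionary-style)
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= WINDOW:
                targeted.add(user)
    spread = set()  # one source, many accounts (reverse-style)
    for src, hits in by_source.items():
        for start, _ in hits:
            users = {u for ts, u in hits if start <= ts <= start + WINDOW}
            if len(users) >= threshold:
                spread.add(src)
    return {"targeted_accounts": sorted(targeted), "spread_sources": sorted(spread)}
```

A single mistyped password followed by a successful login, like the `jdoe` lines in the sample, stays below both thresholds and is not flagged.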

8 ways to prevent brute force attacks

Hackers want into your servers, and you want to keep them out. You have plenty of options to help you protect what's yours.

Prevent a brute force attempt via:

  • Advancements. Craft hard password rules. Require employees to make passwords 10 characters or longer, and include symbols and numbers in them. Passwords like this take much longer to crack. 
  • CAPTCHA. Humans struggle with CAPTCHA, but computers can't handle them at all. Ensure that hackers can't run programmed attacks against your server, and require a correct entry after failed attempts to log in. 
  • Deletions. Employees come and go, and sometimes, you lose many people all at once. As soon as someone leaves your company, remove their usernames and passwords from your system. Check out Okta Lifecycle Management for an automated deprovisioning solution.
  • Encryptions. Don't leave your passwords unprotected on your servers. Store them in an encrypted state. Better yet, salt them with a random string of numbers and letters so they're even harder to crack. 
  • Restrictions. Don't let the same user try to guess a password over and over again. Require a cool-off period after three attempts. 
  • Two factors. Don't rely on usernames/passwords alone. Ask your employees to register their devices, or gather biometric data and include it in your login processes. 
  • Uniqueness. More than half of all people use the same password on more than one site. Ensure that all of your passwords are unique to the system in which you're working. Use a password manager if it's too hard to remember each credential. And ensure that everyone in your company follows this rule.
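The "Encryptions" and "Restrictions" items above can be combined in one login check. The following is an added example, not code from the original page or from Okta: it stores passwords as salted one-way PBKDF2 hashes (a swapped-in technique; the page says "encrypted") and refuses logins after three failures until a cool-off has passed. The 300-second cool-off, the iteration count, and all names are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3        # the "three attempts" from the list above
COOL_OFF_SECONDS = 300  # assumed cool-off length; the page gives none
ITERATIONS = 600_000    # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class LoginGuard:
    """Verifies salted hashes and enforces a cool-off after repeated failures."""

    def __init__(self):
        self.users = {}     # username -> (salt, digest); no plaintext stored
        self.failures = {}  # username -> (failure count, time of last failure)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, now):
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < COOL_OFF_SECONDS:
                return "locked"  # refuse without checking the password
            count = 0            # cool-off elapsed: start counting again
        # Unknown users get a dummy record so the same hashing work is done.
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, now)
        return "denied"
```

During the cool-off even the correct password is refused, so an automated guesser gains nothing from continuing to submit attempts.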

Your employees and customers may complain about your tightened security. We all want to get into and out of our systems as quickly as we can.

But remind everyone you work with that you're attempting to keep your data safe and secure. Rely on their help, and explain why it's important. You could help to shift the culture of your company.

Get even more help

Some experts believe that username/password combinations are inherently insecure, and that a passwordless future is ahead of us. To make that work, you'll need strong systems, plenty of training, and a team of support.

At Okta, we can help with that.

