Skip to Content
Vulnerabilities and Security Testing

What is a brute-force attack?

A brute-force attack is the automated attempt to guess a password or a key by testing many combinations until one works. Today it is almost never blind guessing: the attacker uses lists of passwords already leaked from other sites and fires them by the thousand per second against the company's accounts. It is the most common way in, because it exploits the weakest link of all, the reused password.

Zamak TechnologiesUpdated on July 12, 2026

How a brute-force attack works

Brute force is not a genius cracking a code; it is volume and automation. Bots test combinations without rest, and only one needs to work. When the account's password already circulates on a leaked list, the attack stops being a guess and becomes almost a lookup.

1

Find the target

The username is usually public: a corporate email in the first.last pattern, an exposed login. Half the work is already done, because only the password is missing.

2

Gather the ammunition

Instead of starting from scratch, the attacker buys or downloads lists of passwords leaked in other breaches and dictionaries of common passwords. Billions of credentials circulate for sale, ready to reuse.

3

Automate the attempts

Programs fire thousands of combinations per second, spread across many addresses to avoid notice. What a person would take centuries to try, a machine does in minutes.

4

Get in and move

One right password opens the account, and from there the attacker looks for access to more systems. A single hit on an unprotected login can become the way into the whole company.

Source: OWASP and Verizon's 2025 Data Breach Investigations Report.

Signs the company is under brute force

  • A jump in failed login attempts, far above the normal for a regular day.
  • Accounts being locked out in series for too many password errors, without users having made mistakes.
  • Logins, or attempts, coming from countries and times that make no sense for the operation.
  • “Impossible travel” alerts: the same account accessed from two distant places within minutes.
  • One specific account being hammered again and again, a sign that the target has already been chosen.

The variations of a brute-force attack

  • Simple brute force Tries password combinations one by one. It works against short, obvious passwords; against a long, unique one, it is impractical because of the time it would take.
  • Dictionary attack Instead of any combination, it tests a list of likely passwords: the most common ones, dictionary words, names and dates. It targets the human habit of choosing easy passwords.
  • Credential stuffing The most common form today. It uses username and password pairs already leaked from one site to try logging into others, betting that the person reused the same password. It breaks nothing; it just reuses what already leaked.
  • Password spraying Tries one very common password against many accounts at once, instead of many passwords against one account. That way it avoids lockouts and slips past unnoticed.
  • Reverse brute force Starts from a known password (from a leak) and looks for which account it works on. It flips the logic: the password is the clue, the user is the target.

What is at stake for the business

37%
of attacks on web applications in 2025 were brute force (Verizon DBIR 2025)
88%
of attacks on basic web applications used stolen credentials, not blind guessing (Verizon DBIR 2025)
99.9%
of compromised accounts did not have multi-factor authentication enabled (Microsoft)

The brute-force attack matters because it targets the most used lock in the company: the password. And the numbers show why it works so well. Abuse of stolen credentials is now the number one entry vector, present in 22% of all breaches (Verizon DBIR 2025), and 88% of attacks on basic web applications used stolen credentials rather than blind brute force. The cause is well known: people reuse passwords, so the password leaked from some shopping site becomes the key to the corporate email. When one of those attempts lands, the cost is not abstract: a data breach costs, on average, US$ 4.44 million worldwide (IBM, 2025). The good news is that the most effective defense is cheap: Microsoft reports that 99.9% of compromised accounts did not have multi-factor authentication, the single brake that closes most of these doors.

How to protect against brute-force attacks

No password is long enough to beat, on its own, a patient attacker with a machine. The defense is to stack layers that make the attempt expensive and the hit useless:

  1. Turn on multi-factor authentication (MFA) everywhereIt is the single most effective defense. Even if the password leaks and the attacker gets it right, the second factor (an app or a key) blocks entry. Prefer an authenticator app or a physical key, not SMS.
  2. Limit and lock out attemptsLock the account or impose a wait after a few password errors, and slow the rate of attempts per address. That kills simple brute force and dictionary attacks, which depend on volume.
  3. Require unique, long passwords with a managerOne password per service, generated and stored by a manager, breaks credential stuffing: a password leaked from one site opens no other. Also block passwords already known to be leaked.
  4. Apply least privilegeIf a password is compromised, it must not open everything. Giving each account only the access it needs limits the damage of a hit and contains the attacker before they spread.
  5. Monitor and detect the anomalyWatch for spikes in failed logins, lockouts in series and access from unlikely places. Spotting the pattern of an attack in progress lets you cut access before an attempt lands.

In practice

Does the same password an employee used years ago on some shopping site still protect the company email today? If the answer is yes, or if no one knows, the attacker does not need to break anything: they just reuse what already leaked. Multi-factor authentication and one unique password per service turn that easy hit into a dead end.

How Zamak closes the doors brute force tries

Zamak Technologies works alongside your team, not in its place, to take away what makes brute force work: it turns on and enforces multi-factor authentication, applies least privilege so a stolen password does not open the whole environment, and monitors anomalous access attempts, cutting the attack before it lands. Instead of hoping no one reuses passwords, your company gets the door locked by default. It is part of managed Cybersecurity in the Zamak Method, and a good starting point is the cybersecurity diagnostic.

Frequently asked questions about brute-force attacks

What is a brute-force attack, in one sentence?
It is the automated attempt to discover a password by testing many combinations until one works, today almost always using lists of passwords already leaked from other sites, not guessing from scratch.
What is the difference between brute force and credential stuffing?
Classic brute force tests password combinations until it gets one right. Credential stuffing, its most common form today, does not guess: it takes username and password pairs already leaked from one site and tries them on others, betting the person reused the same password.
Does multi-factor authentication (MFA) stop brute force?
MFA does not stop the attacker from trying, but it makes the hit nearly useless: even with the right password, the second factor is missing. That is why it is the single most effective defense, and Microsoft reports that 99.9% of compromised accounts did not have it enabled.
How long does it take to crack a password by brute force?
It depends on length and variety. A short, common password falls in seconds; a long, unique one would take an impractical amount of time. The catch is that the attacker rarely needs to crack it: if the password already leaked elsewhere, they simply reuse it.
Is a small company a target for brute force?
Yes. The attack is automated and sweeps the entire internet without choosing by the victim's size. Smaller companies tend to have less MFA and less monitoring, which makes them an easier target, not a less wanted one.