A brute force attack consists of trying every possible code, combination, or password until the right one is found.
Determining the Difficulty of a Brute Force Attack
The difficulty of a brute force attack depends on several factors, such as:
- How long can the key be?
- How many possible values can each key component have?
- How long will it take to attempt each key?
- Is there a mechanism that will lock the attacker out after a number of failed attempts?
As an example, imagine a system that only allows 4 digit PIN codes. This means that there are a maximum of 10,000 possible PIN combinations.
Increasing Security against a Brute Force Attack
From the example above, PIN security could be increased by:
- Increasing the PIN’s length
- Allowing the PIN to contain characters other than numbers, such as * or #
- Imposing a 30 second delay between failed authentication attempts
- Locking the account after 5 failed authentication attempts
A brute force attack will always succeed, eventually. However, brute force attacks against systems with sufficiently long key sizes may require billions of years to complete.
Brute Force Attacks vs. Dictionary Attacks
In most cases, a dictionary attack will work more quickly than a brute force attack. A brute force attack is, however, more certain to achieve results eventually than a dictionary attack.