What is a Brute Force Attack and What to Do About It

Brute force hacking is on the increase. The number of cases is climbing because hardware is becoming more powerful and the number of data breaches is also increasing.

Hackers can go through vast numbers of password combinations in a short amount of time. The problem for users is that they won't know it is happening until it is too late.

In many cases, the target is something like WordPress hosting, where passwords don't change often and there are masses of accounts.

There are ways to help avoid these attacks, and we will look at them so you can learn what to do. First, though, we will look at the definition of a brute force attack and why these attacks are so harmful.

Definition of Brute Force Attacking

Brute force attacks are one of the simplest methods of hacking. However, this does not mean that they cannot have a destructive effect on users. Brute force attacks are not a subtle attack method.

Brute force attacks work by guessing account passwords quickly. Manual password guessing can take a lifetime, but with automated tools, hackers can gain access to countless accounts in minutes if these accounts are not secure.

This takes a lot of trial and error, yet with a dictionary of possible passwords, it is merely a matter of the software reading and entering these combinations.

With a dictionary attack, a hacker doesn’t have to be at their computer. They are notified once there is a match against usernames and passwords.

Types of Brute Force Attacks

It would be easier to halt this attack method if there were just one form of it. Unfortunately, there are many variations of the brute force password attack. Once in use, any of these brute force attacks can determine much more than a username and password.

Here are the variations of these attacks, any of which will be catastrophic if successful.

  • Regular Brute Force Attack – uses a basic systematic approach. There is also a reverse brute force attack that uses passwords against multiple usernames.
  • Hybrid Brute Force – uses external logic as a starting point. Doing this gives a better chance of finding password combinations that lead to successful login attempts.
  • Dictionary Attacks – run the brute force password checks from a dictionary of possible passwords.
  • Credential stuffing – uses previously found username and password combinations and tries them across popular sites or web applications for a match.

Known Hack Tools for Brute Force

  • Aircrack-ng: runs on Windows, Linux, iOS, and Android. Accesses a dictionary of passwords to hack wireless networks
  • DaveGrohl: an open-source tool for cracking Mac OS
  • Hashcat: runs on Windows, Linux, and Mac OS, and performs pure brute force, rule-based, and hybrid attacks
  • John the Ripper: runs on 15 platforms, including UNIX, Windows, and OpenVMS. Accesses a dictionary of all possible passwords.
  • L0phtCrack: used to crack Windows passwords using dictionaries, rainbow tables, and multiprocessor algorithms
  • Ncrack: a cracking tool for bypassing network authentication that runs on Windows, Linux, and others

To help prevent brute force attacks, security analysts use THC-Hydra to identify vulnerabilities in client devices. Using this, they can run through massive password lists of letters, numbers, and other combinations.

They do this to see whether they can create a data breach, then plug the hole quickly to increase data security on those networks.

How to Prevent Brute Force Attacks

There are several ways to strengthen access security on your website and make it harder for hackers to break into user accounts.

Passwords: This is the key. Strong passwords make it hard for hackers' bots to crack them. A password should be unique and as long as you can make it (20 characters can take forever to break).

Authentication URLs: If you are worried about WordPress security, you can change the login page URL. Changing something such as /wp-login.php to /newsite-login can help stop most automated hacking methods.

Two-Factor Authentication: Two-Factor Authentication (2FA) is a secondary layer of security. Many websites offer the option to turn this on, after which you will need to enter a code when logging in. This can be a generated code, one sent to an email address, or another type.

Failed Attempts: Websites can set account lockouts after failed login attempts. We all face this when we forget a password, so it is effective.

Progressive delays: With this method, accounts are locked for specific periods, and these delays become longer with each further attempt.
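One way to implement the failed-attempt lockout and progressive delays described above. This is an added example, not code from the original article: the LoginThrottle class, its parameters, and the sample usernames and addresses are assumptions made for illustration. It goes one step beyond the text by also counting failures per source address, so the reverse brute force attack mentioned earlier (one password tried against many usernames) is slowed down as well.

```python
import time

class LoginThrottle:
    """Progressive delays keyed by account name and by source address."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # first delay, in seconds
        self.max_delay = max_delay          # cap, so a lock always expires
        self.clock = clock
        self._state = {}                    # key -> (failure count, blocked until)

    def retry_after(self, *keys):
        """Seconds until an attempt under any of these keys is accepted."""
        now = self.clock()
        waits = [self._state.get(k, (0, 0.0))[1] - now for k in keys]
        return max([0.0] + waits)

    def record_failure(self, *keys):
        now = self.clock()
        for key in keys:
            count = self._state.get(key, (0, 0.0))[0] + 1
            extra = count - self.free_attempts
            # The delay doubles with every failure past the free allowance.
            delay = (min(self.base_delay * 2 ** (extra - 1), self.max_delay)
                     if extra > 0 else 0.0)
            self._state[key] = (count, now + delay)

    def record_success(self, account_key):
        # Clear the account only; the source address keeps its history.
        self._state.pop(account_key, None)

def simulate_failures(throttle, attempts):
    """Feed (username, source_ip) failures; return the wait after each one."""
    waits = []
    for user, ip in attempts:
        keys = ("user:" + user, "ip:" + ip)
        throttle.record_failure(*keys)
        waits.append(throttle.retry_after(*keys))
    return waits

# Constructed sample: one source tries a password against five usernames.
SPRAY = [("user%d" % i, "203.0.113.7") for i in range(5)]
# Constructed sample: five guesses against a single account.
SINGLE = [("alice", "198.51.100.9")] * 5
```

A login handler would call retry_after() before checking the password and reject the attempt while the result is above zero. The cap on the delay keeps an attacker from locking a legitimate user out indefinitely.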

Using VPN to Prevent Brute Force Attacks

Even with the above best practices, you may find you are still a victim. However, you can add an even better layer of protection using some proven cloud security.

VPNs make these attacks harder because they hide the location of your device and encrypt all your connections. This makes it almost impossible for any brute force attempt to access any part of your data.

Here are three recommendations in order of preference for VPNs that offer excellent security.

1. ExpressVPN

ExpressVPN uses military-grade encryption. This prevents anyone from accessing data. Besides, they are located outside any governing jurisdiction, so not even governments can request user information.

With zero logs, nothing is retained, and all servers run using the Trusted Server methodology. These run in RAM instead of writing data to disks.

2. NordVPN

NordVPN is seen as one of the most secure VPNs on the market. It delivers the same high levels of security and encryption. It is also based outside any jurisdiction, so the same applies, and no government can request user information.

It also offers no log retention, and to add to secure browsing, users can use a double-hop feature, although this slows connections because of extra data transmissions.

3. Surfshark

The newest VPN of the three, this youngster does a great job of keeping user information private and secure. Like the previous two, it uses the best encryption methods and security protocols.

It is located not far from ExpressVPN, so jurisdiction-wise, it is in the safest locale. With the addition of a malware blocker and an ad blocker, it does that bit extra out of the box, even if you can use browser extensions to achieve the same thing.


All of these VPNs offer 30-day money-back guarantees. You can test them all for the duration to see how secure they are.

One thing to note is that by the end of your 30 days, you will see that the most private VPN is ExpressVPN. It delivers heaps more benefits and performance for any online activity you may wish to take part in.