What the Hack Is a Brute Force Attack?

Reading the phrase “brute-force attack” summons a violent image, reminiscent of a purse being snatched out of a sweet old woman’s hands or an ice cream cone knocked onto a child. In reality, brute-force attacks are more like when you spend five minutes jamming the wrong key into your front door, hoping it might finally work. How complicated could keys be anyway? If you turn it hard enough, won’t it just go? Who invented doors in the first place?

The core strategy of a brute-force attack is trial-and-error—multiple login attempts at both usernames and passwords in order to get into an account. It’s charming to imagine a brute-force attack as a bespectacled person behind a computer, chewing on the eraser-end of a pencil as they try all possible passwords you might use. But in modern times, like Target self-check-outs and E-ZPass-run highway toll booths, brute-force attacks have been relegated to the machines. Using special software, a hacker can attempt an infinite number of username and password combinations quicker than you can say: “In the Fast & Furious franchise, Ludacris is the tech guy.”

The hope with one of these attacks is not only to get into the account that’s being meddled with, but that the username and/or password for that account will overlap for other user accounts. Which in many cases, it will! Yikes!

brute force at·tack

noun /broot fôrs əˈtak/

a cyber attack in which a hacker attempts many combinations of usernames and passwords in an attempt to gain entry to a site or server


Even if you are a regular person who uses the internet for regular things, like streaming television and gossiping about your friends via email, you want to protect your accounts. You don’t want hackers stealing your credit card information to buy a bunch of succulents they will kill or subscribe you to newsletters you’ll never read.

Fortunately, there are a bunch of ways you can protect yourself from brute-force attacks. Some of them are security no-brainers, like enabling two-factor authentication (which would be like having multiple types of locks on your door) or limiting the number of login attempts on an account (because knocking more than three times is just rude.)

One of the most trusted ways to protect yourself from brute-force attacks is the generation of an…EXTREMELY LONG PASSWORD. It’s simple math, if math were simple. Most passwords range from six to 22 characters; it would take a software program a way longer time to come up with a list of possible passwords that go up to 22 characters in length than six. It’s not a foolproof method—the machines are getting smarter every day, and one day all of our bosses will be iPads—but it’s one solid way to slow down the technology that intends to disrupt your life.

The perks of having an extremely long password extend far beyond cybersecurity. For instance, have you ever watched a friend or peer log in to an account with a very long password? And every time you think they’re done, yet another tiny black dot appears on the screen? And you think to yourself, “How do they remember that many letters, numbers, and symbols in that specific combination?” It’s impressive! Admit it: You’re impressed. It’s probably in your best interest to not log in to your accounts in plain sight of your friends and loved ones (anyone can be a hacker—even your mom, like, when was the last time you asked her if she was a hacker?), but a long password will make it significantly more difficult for anyone to get into your accounts.

Using special software, a hacker can attempt an infinite number of username and password combinations quicker than you can say: “In the Fast & Furious franchise, Ludacris is the tech guy.”


The tricky thing, of course, can be the creation of such a long password. The reason passwords are often compromised is because they’re short and easy to remember, therefore easy to guess. Even “longpassword” is still ten characters too short. And “Longpassword?” makes it seem as though you doubt this expert advice. Here are a few 22-character options (hackers, please stop reading after this point):

  • lengthysafepassword123
  • practicelongpasswords!
  • eVeRyOtHeRlEtTeRbIgSmAlL (this one is 24 characters—which is the height of safety)

But even if your password is long, it still ought to adhere to other password regulations. Including numbers, a variety of upper- and lowercase letters, and characters will only further confuse those trying to brute force their way in. (Regarding my above suggestions, leaving “password” out of your password is key as well.) If length is the key, go for something you can remember: the opening line of your favorite song, the opening line of a poem, or the word that got you eliminated from the spelling bee in middle school. But please, spell it wrong again this time too, just to trip up a would-be cybervillain—the best passwords aren’t actual words at all. You’ll want something that someone couldn’t easily look up in a dictionary.

Another great way to get yourself an unguessable password would be to have a good machine create it for you. (Take that, bad machines!) A good password manager can randomize a very long and very secure password (as well as save it for you.)

Though these preventative measures seem largely obvious, that’s okay! There ought to be security measures that feel like easy no-brainers, and if a long-winded password can inspire those who watch you log in to do the same to their accounts, it’ll only build a safer and more secure online life for all of us.

Looking for more info?

Visit our online safety hub for the latest breach report and a complete guide to staying secure on the internet.

    Fran Hoepfner

    Fran Hoepfner is a writer from Chicago. She previously worked for The Onion, and her non-fiction writing has appeared in The Awl, Brooklyn Magazine, Cosmopolitan, GQ, and The New York Times.

    Read More