Brute Force Attacks And How to Block Them

In this article we learn about Brute Force Attacks and how to prevent them.


As we know hackers are always attemting to access our password and userid or user name. In the present time of world hackers are very active hacking our password or username. Sometimes they use a Brute Force attack for hacking our information. Using a Brute Force attack a hacker makes very many attempts to get the user name and password until they are successful. Sometimes users use a simple password like 123456 or 098765 and the user name like admin or user. That type of password and username can be hacked easily. In a normal Brute Force attack hackers use a dictionary in which all the normal (commonly used) words and simple passwords are attempted for the user id and password to access the user account. On the other hand in a typical Brute Force attack hackers try every key combination to access the account. If the user uses a long password consisting of all possible characters like numbers, characters and special symbols then it is not easy to determine the password easily because for that a Brute Force algorithm takes a long time.

Brute Force Attack

A Brute Force attack is a method or an algorithm to determine a password or user name using an automatic process that the Brute Force attack can take depending on your password length and its complexity. If you have a long and complex password then maybe a Brute Force attack cannot access your password easily. A Brute Force attack works very qickly for short passwords but if the password has a long length then it is not easy to guess the password. The main problem that occurrs with a Brute Force attack is server memory problems because the hackers attempt many times to access your account through which many HTTP requests are generated at your server so the result of this is your server goes slow and there is unnecessary traffic at our site. Sometimes the server runs out of memory. The algorithm used in a Brute Force method is a MD5 and SHA algorithm. If our website has a user authentication process then the chances of Brute Force attack are increased at our site.

Hackers use many tools for Brute Force attacks. Using those tools there is an algorithm to guess the password automaticly or create the combination depending on the given length. Sometimes we make the proxy request process but it is not very successful because we understand that every HTTP request comes from a unique IP address so it is not a good idea to block an IP address to stop a Brute Force attack. Since we know hackers are very clever, sometimes they use those types of tools that always try a different user name and different password so by blocking the IP address we cannot stop the Brute Force Attack.

How Brute Force Attacks Work

A Brute Force Attack simply uses the cryptography algorithm. As we know hackers know that the password and user name are stored in a database. So when we attempt to login and our page request is sent from the server to the client machine hackers are more active to access the account. Hackers know that there is an encrypted key by which they can decrypt the code. So they attempt all possible combinations to unlock it. There is a computer program that runs automatically to get the password. The attackers use a high-performance computer that is very fast, in other words the computer is capable of performing a long calculation in seconds. The Brute Force attack works with a single digit, number, character and special symbol and goes high and makes the combinations and attempts to access the account until a combination does match successfully.

Role of key combination and length in the password

As I said previously, if you use a long password that has a good combination of characters, numbers and special symbols then that password is not easy to crack because it takes more time, maybe years. For example banks and other important units always notify you to change your password within a given time duration because they always suggest you make a password that has a good combination of characters, numbers and special symbols so they have an idea that this password cannot be hacked by the attackers in a given amount of time and before the time period they always inform you to change your password.

When we create the password we use the following combinations.

  • Numbers (0 to 9) that are 10.
  • Characters (A-Z or a-z); 26 upper-case letters and 26 lower-case letters, so that is a total 52.
  • Special Symbols(!, @, ., #, $, %, ^, &,* and more) that are about 32 in count.

The formula that is used to count the number of combinations to attempt is the following:

Total Combinations = Possible characterpassword length

Algorithm Brute Force attack

  1. using System;    
  2. using System.Collections.Generic;    
  3. using System.Linq;    
  4. using System.Text;    
  5. using System.Threading.Tasks;    
  6. using System.IO;    
  8. namespace bruteforcealgo    
  9. {    
  10.     class passwordwriter    
  11.     {    
  12.         public static string length = Console.ReadLine();    
  13.         public static int value = Convert.ToInt32(length);    
  14.         public char firstchar = 'a';    
  15.         public char lasrchar = 'z';    
  16.         public int strlength = value;    
  17.         static void Main(string[] args)    
  18.         {    
  19.             var passwrite = new passwordwriter();    
  20.             passwrite.writepasswords(" ");    
  21.             Console.ReadLine();    
  22.         }    
  23.         private void writepasswords(string keys)    
  24.         {    
  25.             string file=AppDomain.CurrentDomain.BaseDirectory+"created password.text";    
  26.             File.AppendAllText(file, Environment.NewLine + keys);    
  27.             Console.WriteLine(keys);    
  28.             if (keys.Length == strlength)    
  29.             {    
  30.                 return;    
  31.             }    
  32.             for(char c=firstchar; c<=lasrchar;c++)    
  33.             {    
  34.                 writepasswords(keys + c);    
  35.             }    
  37.         }    
  38.     }    

Blocking of Brut force Attack

One thing is clear; a Brute Force attack is very harmful for the end users. This attack consumes memory, time and resources but if we imlement some safety tips then it is not so easy for hackers to make a Brute Force attack of the user's site. Like always make a complicated and long password. Always provide a limit of login attempts for the users. If a user exceeds his/her attempts then block it temporarily. For example sometimes in a Gmail account when you enter the wrong password many times then Gmail sends you a CAPTCHA code and says, please fill in the given text box. Gmail does this because Gmail does not know whether the password is being submitted automatically or submitted by the user.

There is no fully secure way to block it entirely. So here I will discuss some methods for preventing a Brute Force Attack.

Use the hashing algorithm, because the hashing algorithm has some additional mathematical method that they do on your password. After performing the mathematical function the result of the Hash algorithm of your password is stored. Always store your encrypted file safely in your computer or server. If attackers get this file just once then they can attempt a Brute Force attack of your system. If you use a site in which a login process is required then please make it CAPTCHA code enabled. For encryption of your password and other information always use a strong encryption algorithm like SHA-512.

Locking Account

A very famous and popular trick to prevent a Brute Force Attack is to lock the account. Locking the account means that if a user attempts a wrong password many times then the user's account will be blocked for a given time of period. The locking of the account might be for 2 hours, one day or more. The account will be opened again by the administrator. But there is the problem with account lock; sometimes the user really has forgotten his/her password. If we the lock his account then it will be problematic, so sometimes we ask them for a security answer or recovery email id. There are some drawbacks of account locking. 
  • If an attacker attempts a Brute Force Attack on many accounts then a Denial of Services (DOS) problem emerges.
  • If a attackers want to lock an account then he continues to hit that account and the resultant admin is again locked from the account.
  • If you have already locked an account but attackers hit that account again and again then there a problem emerges related to the resources.
  • If attackers attack the administrator account and the admin account is locked then a problem emerges.
  • Account lockout is not effective sometimes because sometimes attackers use only one password to list many usernames.
  • If any attacker is very clever and he makes the combination of user name and password and attacks an account and it will got with given attempted, then locking is not a good approach.
On the basis of the preceding points we can say sometimes locking an account is beneficial, like if there is a big problem like a denial of services then lock the account. For example we have an auction site, so of course there are many users available at a single time for the bidding. So if there is a blocking account available then a user can easily block another user's account.


If a attacker hits your account automatically using auto-generated combinations, then a CAPTCHA code is very useful to prevent this. A CAPTCHA code is a technique by which we recognize a computer or a human. Using a CAPTCHA code we make some questions or images or numbers, the answer of which is not submitted by the computer automatically so for this we need a human for roviding the right answer in the CAPTCHAs text box, if there is an incorrect answer provided then the CAPTCHA code is again sendt with a new code.

Make a Strong Password

Always make a strong password. There are always some restrictions for the passwords, like the password have a minimum length of 10 characters, there should be upper-case and lower-case and use one or two special characters in your password, must have a numeric value and so on.

Make a Proper User Name

Always make a proper user name for the login. We know that the login name is half of the security and the password is the other half of the security to make an account secure. So never use a general user name like admin, administrator, user and so on because in the Brute Force dictionary these types of user names exist so it is easy to make the combinations with these types of user name so always make a commercial user name that is not easy to guess for the attackers.

One option is to lock that IP address from which you have many login-failed attempts. But here the problem is also that if you do this then there is the problem related to the majoruty of users because sometimes a large group of users use the same proxy servers. Mostly the site does not block a single attempt failure so an attacker has the opportunity to make two or three attempts for a single proxy.

You can also provide an individual IP address for those users that has very confidential information to prevent the Brute Force attack. If some user's account are blocked then provide them a separate URL through which they access the site and normal users access the site from the normal URL. Instead block an account fully in a lockdown mode and provide some limitation compared with a normal account. Another technique is if there are many failures to the login then always delay the page response. For example if a Brute Force algorithm makes 5 attempts per second but your page response does not provide a response properly then that makes a problem for the Brute Force attacks because it does not get the response at the desired period of time.


In the preceding discussion we can say that if we did not make proper security for our accounts than attackers can easily attack our account. So preventing it the most important thing is to make your user name proper and have a strong password. Change your password often to prevent a Brute Force attack. So this is all about the discussion of Brute Force attacks. I hope this article helps give you knowledge of Brute Force attacks and understand how to prevent them.