Security Glossary

Brute Force Attack

A brute force attack is a trial-and-error method where an attacker systematically attempts many passwords, passphrases, or encryption keys to gain unauthorized access to an account or system.

Understanding Brute Force Attack

Brute force attacks exploit the mathematical inevitability that trying enough combinations will eventually find the correct one. Simple brute force tries every possible combination. Dictionary attacks use lists of common passwords and leaked credentials. Credential stuffing uses username/password pairs from previous data breaches, exploiting the fact that users frequently reuse passwords across services.

Modern brute force attacks are highly optimized. Tools like Hydra, Medusa, and Burp Suite Intruder can attempt thousands of passwords per second. Attackers use leaked password databases containing billions of real credentials, making dictionary attacks extremely effective. Rainbow tables precompute hashes for common passwords, defeating unsalted hash storage. GPU-accelerated cracking can test billions of hash combinations per second against stolen databases.

The effectiveness of brute force depends on the target's defenses. An unprotected login endpoint allows unlimited attempts. Adding rate limiting forces attackers to slow down. Account lockout after failed attempts blocks individual account targeting but can be used for denial-of-service (locking out legitimate users). CAPTCHA adds a human-verification step. Multi-factor authentication makes stolen passwords insufficient on their own.

The most robust defense combines multiple layers: strong password requirements that resist dictionary attacks, bcrypt or Argon2 hashing that makes offline cracking slow, rate limiting that restricts online attempts, account lockout with progressive delays (not permanent lockout), MFA as a second factor, and monitoring for unusual authentication patterns.

Why This Matters for Vibe-Coded Apps

Vibe-coded applications that implement custom authentication are especially vulnerable to brute force because AI generators rarely add rate limiting or account lockout to login endpoints. The AI builds a working login form but does not consider that an attacker might submit it thousands of times per second. Even when using Supabase or Firebase Auth (which have built-in brute force protections), custom API endpoints that verify passwords lack these safeguards.

If your vibe-coded app uses a managed auth provider like Supabase Auth, Firebase Auth, or Auth0, brute force protection is handled for you. If you have custom authentication endpoints, adding rate limiting is critical. At minimum, limit login attempts to 5-10 per minute per IP address and per target account.

Real-World Examples

iCloud Celebrity Photo Leak (2014)

Attackers used brute force attacks against Apple's iCloud Find My iPhone API, which lacked rate limiting, to guess celebrities' passwords. The compromised accounts were used to steal private photos in what became known as "The Fappening." Apple subsequently added rate limiting and two-factor authentication.

WordPress XML-RPC Amplification

Attackers exploited the WordPress XML-RPC system.multicall method to try hundreds of passwords in a single HTTP request, effectively bypassing per-request rate limiting. Because the limit counted requests rather than password attempts, this amplification turned a 500-request limit into 500 requests times hundreds of attempts each.

Credential Stuffing on Zoom (2020)

Over 500,000 Zoom account credentials appeared for sale on the dark web, obtained through credential stuffing — using leaked passwords from other services. The attack was successful because many users reused passwords and Zoom did not have robust brute force detection at the time.

Frequently Asked Questions

How long does a brute force attack take?

It depends entirely on the password complexity and the attacker's resources. A 4-character numeric PIN can be cracked in seconds. An 8-character lowercase password has about 200 billion combinations — achievable in hours with modern hardware. A 12-character password mixing cases, numbers, and symbols has over 400 trillion trillion combinations, making brute force impractical. However, if the password is a common word or phrase, a dictionary attack can find it regardless of length.

Is account lockout a good defense?

Account lockout prevents brute force but creates a denial-of-service risk — attackers can intentionally lock out legitimate users. Better approaches include progressive delays (increasing wait time after each failed attempt), temporary lockout with automatic unlock (e.g., 30-minute lockout after 10 failures), and CAPTCHA challenges after several failures. Combine these with rate limiting for comprehensive protection.
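The layered controls described above (per-IP and per-account rate limiting, progressive delays, temporary lockout with automatic unlock, counting password checks rather than HTTP requests) combined in one in-memory throttle, as an added example that is not code from the original page or from any auth provider; the limits, class and method names are assumed values chosen for illustration.

```javascript
// Added example: an in-memory login throttle for a custom auth endpoint.
// All limits below are assumed values, not recommendations from any vendor.
const WINDOW_MS = 60_000;        // rate-limit window: one minute
const MAX_PER_IP = 10;           // attempts per client IP per window
const MAX_PER_ACCOUNT = 5;       // attempts per target account per window
const LOCKOUT_FAILURES = 10;     // consecutive failures before temporary lockout
const LOCKOUT_MS = 30 * 60_000;  // 30-minute lockout, then automatic unlock

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;              // injectable clock so the behaviour is testable
    this.attempts = new Map();   // "ip:x" / "acct:y" -> recent attempt timestamps
    this.failures = new Map();   // account -> { count, lastFailure, lockedUntil }
  }

  // Drop timestamps older than the window and return the live list (by reference).
  recent(key, t) {
    const list = (this.attempts.get(key) || []).filter(ts => t - ts < WINDOW_MS);
    this.attempts.set(key, list);
    return list;
  }

  // Decide whether one password check may proceed. Call this once per password
  // verified, not once per HTTP request, so batched calls cannot amplify.
  check(ip, account) {
    const t = this.now();
    const f = this.failures.get(account) || { count: 0, lastFailure: 0, lockedUntil: 0 };
    if (f.lockedUntil > t) return { allowed: false, reason: 'locked', retryAfterMs: f.lockedUntil - t };
    // progressive delay: 2^failures seconds (capped at 60 s) since the last failure
    const delayMs = f.count ? Math.min(2 ** f.count, 60) * 1000 : 0;
    const since = t - f.lastFailure;
    if (since < delayMs) return { allowed: false, reason: 'delay', retryAfterMs: delayMs - since };
    if (this.recent(`ip:${ip}`, t).length >= MAX_PER_IP) return { allowed: false, reason: 'ip_rate' };
    if (this.recent(`acct:${account}`, t).length >= MAX_PER_ACCOUNT) return { allowed: false, reason: 'account_rate' };
    this.recent(`ip:${ip}`, t).push(t);
    this.recent(`acct:${account}`, t).push(t);
    return { allowed: true };
  }

  // Record the outcome of an attempt that check() allowed through.
  record(account, success) {
    if (success) { this.failures.delete(account); return; }
    const t = this.now();
    const f = this.failures.get(account) || { count: 0, lastFailure: 0, lockedUntil: 0 };
    f.count += 1;
    f.lastFailure = t;
    if (f.count >= LOCKOUT_FAILURES) { f.lockedUntil = t + LOCKOUT_MS; f.count = 0; }
    this.failures.set(account, f);
  }
}
```

In production the two maps would live in a shared store such as Redis so that every app instance sees the same counts.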

Does MFA fully prevent brute force?

MFA makes brute force dramatically harder because even if the password is guessed, the attacker still needs the second factor. However, MFA is not bulletproof — SIM swapping can intercept SMS codes, phishing can capture TOTP codes in real time, and push notification fatigue can trick users into approving fraudulent requests. Hardware security keys (FIDO2/WebAuthn) provide the strongest brute force resistance.

What is the difference between brute force and credential stuffing?

Brute force tries many passwords against one account. Credential stuffing tries known username/password pairs from leaked databases against many accounts. Credential stuffing is more efficient because it uses real passwords that users chose, exploiting password reuse. Defending against credential stuffing requires checking passwords against known breach databases (like Have I Been Pwned) and encouraging unique passwords through password managers.

Is Your App Protected?

VAS automatically scans for vulnerabilities related to brute force attacks and provides detailed remediation guidance. Our scanner targets issues common in AI-generated applications.

Scans from $5, results in minutes. Get actionable fixes tailored to your stack.
