[{"data":1,"prerenderedAt":611},["ShallowReactive",2],{"blog-what-is-a-brute-force-attack":3},{"id":4,"title":5,"alt":6,"author":7,"body":8,"category":587,"description":588,"extension":589,"faq":590,"image":597,"meta":598,"navigation":599,"path":600,"publishedAt":601,"seo":602,"stem":603,"tags":604,"__hash__":610},"blog\u002Fen\u002Fwhat-is-a-brute-force-attack.md","What is a Brute Force Attack? (Simplified)","Diagram showing password search space growth by length vs complexity in a brute force attack","Alex Vibe, Senior Security Dev",{"type":9,"value":10,"toc":577},"minimark",[11,15,23,26,29,34,45,48,51,62,71,78,85,87,91,94,210,217,224,227,233,235,239,246,253,263,266,284,286,290,293,341,347,353,356,359,361,365,368,454,457,465,467,501,503,507,510,513,534,540,543,545,549,554,561,566,569,574],[12,13,14],"p",{},"A brute force attack is exactly what it sounds like: an attacker tries every possible password combination until one works. No cleverness, no phishing, no social engineering — just raw computation and time.",[12,16,17,18,22],{},"The scary part? Modern GPUs can try ",[19,20,21],"strong",{},"billions of combinations per second",". The reassuring part? The math is on your side — if you use it correctly. And the single most powerful thing you can do is make your password longer. Not more complex. Longer.",[12,24,25],{},"Here's why.",[27,28],"hr",{},[30,31,33],"h2",{"id":32},"how-brute-force-actually-works","How Brute Force Actually Works",[12,35,36,37,40,41,44],{},"An attacker running a brute force attack picks two things: a ",[19,38,39],{},"charset"," (which characters to include in guesses) and a ",[19,42,43],{},"maximum length"," (how many characters to try). Then they systematically generate and test every combination.",[12,46,47],{},"Tools like Hashcat or John the Ripper automate this against stolen password hashes. On a single RTX 4090, you're looking at 164 billion MD5 guesses per second. 
That's not a typo.",[12,49,50],{},"The math that governs the attacker's workload is simple:",[52,53,58],"pre",{"className":54,"code":56,"language":57},[55],"language-text","combinations = charset_size ^ length\n","text",[59,60,56],"code",{"__ignoreMap":61},"",[12,63,64,65,70],{},"Charset size of 26 (lowercase a–z), length 6? That's 26⁶ = ~309 million combinations. Sounds like a lot. It isn't: at 164 billion guesses per second the whole space is exhausted in under 2 milliseconds against MD5. A 6-digit numeric PIN is weaker still (10⁶ = 1 million combinations, gone in microseconds offline); it only survives as a device unlock code because the hardware enforces delays and lockouts, the online threat model described below, so the PIN itself still has to be unpredictable. If you need a secure numeric key, use our ",[66,67,69],"a",{"href":68},"\u002Fpin-generator","PIN Generator"," to avoid predictable patterns.",[12,72,73,74,77],{},"In cryptographic terms, this search space is measured in ",[19,75,76],{},"bits of entropy",": log₂(charset_size ^ length) = length × log₂(charset_size), and each additional bit doubles the work an attacker must perform. That's the same metric used across our security guides to compare passwords, passphrases, and PINs on equal footing.",[12,79,80,81,84],{},"The key insight: length is in the ",[19,82,83],{},"exponent",". Complexity (charset size) is only the base. Adding one character multiplies the search space by the full charset size; enlarging the charset only raises the base. The exponent wins every time.",[27,86],{},[30,88,90],{"id":89},"the-math-length-vs-complexity","The Math: Length vs. Complexity",[12,92,93],{},"Let's make this concrete. Here's what each step of \"complexity advice\" actually buys you vs. 
what adding a few characters does:",[95,96,97,116],"table",{},[98,99,100],"thead",{},[101,102,103,107,110,113],"tr",{},[104,105,106],"th",{},"Password Config",[104,108,109],{},"Charset Size",[104,111,112],{},"Length",[104,114,115],{},"Total Combinations",[117,118,119,134,146,159,172,185,198],"tbody",{},[101,120,121,125,128,131],{},[122,123,124],"td",{},"lowercase only",[122,126,127],{},"26",[122,129,130],{},"6",[122,132,133],{},"~309 million",[101,135,136,138,140,143],{},[122,137,124],{},[122,139,127],{},[122,141,142],{},"8",[122,144,145],{},"~209 billion",[101,147,148,151,154,156],{},[122,149,150],{},"+ uppercase",[122,152,153],{},"52",[122,155,142],{},[122,157,158],{},"~53 trillion",[101,160,161,164,167,169],{},[122,162,163],{},"+ numbers",[122,165,166],{},"62",[122,168,142],{},[122,170,171],{},"~218 trillion",[101,173,174,177,180,182],{},[122,175,176],{},"+ symbols (full ASCII)",[122,178,179],{},"95",[122,181,142],{},[122,183,184],{},"~6.6 quadrillion",[101,186,187,190,192,195],{},[122,188,189],{},"full ASCII",[122,191,179],{},[122,193,194],{},"10",[122,196,197],{},"~59 quintillion",[101,199,200,202,204,207],{},[122,201,189],{},[122,203,179],{},[122,205,206],{},"12",[122,208,209],{},"~540 sextillion",[12,211,212,213,216],{},"Going from 8-char lowercase to 8-char full ASCII multiplies the search space by about ",[19,214,215],{},"32,000×",". That's the entire effect of \"add an uppercase, a number, and a symbol.\"",[12,218,219,220,223],{},"Going from 8 characters to 12 characters — just adding length, keeping full ASCII — multiplies the search space by about ",[19,221,222],{},"80 million×",".",[12,225,226],{},"Length wins. It's not close.",[12,228,229,230],{},"That said, charset diversity still matters. An 8-character lowercase-only password is cracked in about 1.3 seconds against MD5. An 8-character full-ASCII password takes ~11 hours. Both are inadequate for anything that matters, but the difference is real. 
",[19,231,232],{},"You need both — length is just the bigger lever.",[27,234],{},[30,236,238],{"id":237},"why-pssw0rd-still-gets-cracked-instantly","Why \"P@ssw0rd!\" Still Gets Cracked Instantly",[12,240,241,242,245],{},"The math above assumes a pure brute force attack — trying every combination from ",[59,243,244],{},"aaaaaaaa"," upward. Real attackers don't start there.",[12,247,248,249,252],{},"They start with ",[19,250,251],{},"dictionary attacks",": pre-built lists of billions of known passwords from previous breaches, combined with automated substitution rules. The RockYou2024 breach dataset alone contains over 10 billion real-world passwords. Hashcat can apply leet-speak rules (e→3, a→@, s→$, o→0) across the entire list in seconds.",[12,254,255,258,259,262],{},[59,256,257],{},"P@ssw0rd!"," — the one you thought was clever — has been in every serious wordlist for years. ",[59,260,261],{},"Tr0ub4dor&3"," (the XKCD-famous example) is in there too. Any pattern a human brain finds memorable, attackers have already catalogued.",[12,264,265],{},"Dictionary attacks are orders of magnitude faster than pure brute force. Against MD5, a modern GPU can apply 100+ billion modified dictionary guesses per second.",[12,267,268,269,272,273,279,280,283],{},"The only real defense is ",[19,270,271],{},"true randomness",". Not randomness you invented in your head — randomness from a CSPRNG (cryptographically secure pseudorandom number generator). Our ",[19,274,275],{},[66,276,278],{"href":277},"\u002F","Password Generator"," — runs 100% in your browser, zero data sent to any server — uses the Web Crypto API's ",[59,281,282],{},"crypto.getRandomValues()"," directly. That's the same entropy source your OS uses for cryptographic keys. You can't do better than that by hand.",[27,285],{},[30,287,289],{"id":288},"online-vs-offline-two-very-different-threat-models","Online vs. 
Offline: Two Very Different Threat Models",[12,291,292],{},"Brute force attacks don't always happen the same way. There are two distinct scenarios with completely different risk profiles:",[95,294,295,311],{},[98,296,297],{},[101,298,299,302,305,308],{},[104,300,301],{},"Attack Type",[104,303,304],{},"Guesses\u002Fsec",[104,306,307],{},"Threat Level",[104,309,310],{},"Why",[117,312,313,327],{},[101,314,315,318,321,324],{},[122,316,317],{},"Online (live login form)",[122,319,320],{},"~10–100\u002Fsec",[122,322,323],{},"Low",[122,325,326],{},"Rate limiting, CAPTCHA, lockouts",[101,328,329,332,335,338],{},[122,330,331],{},"Offline (leaked hash DB)",[122,333,334],{},"164 billion\u002Fsec (MD5)",[122,336,337],{},"High",[122,339,340],{},"No restrictions, pure compute",[12,342,343,346],{},[19,344,345],{},"Online attacks"," against a single account are mostly a solved problem. Real services rate-limit login attempts, lock accounts after failures, and add CAPTCHA. At 10 guesses\u002Fsecond, even a weak password takes a very long time to crack through a login form. The caveat is password spraying: a handful of common guesses tried against many accounts stays under every per-account lockout, so a guessable password is still exposed even online.",[12,348,349,352],{},[19,350,351],{},"Offline attacks"," are the real threat. When a service gets breached and their password database leaks, attackers take those hashes home and run Hashcat locally. No rate limits. No lockouts. Just a GPU and time.",[12,354,355],{},"This is the scenario all the crack time benchmarks you'll see online are modeling. And it's why your password needs to hold up against billions of guesses per second — because after a breach, it will face exactly that.",[12,357,358],{},"You don't get to know which sites store passwords securely. Some use bcrypt. Some are still on MD5 from a 2009 codebase. Your defense is making your password long enough that even worst-case storage buys you enough time for the breach to become public and for you to rotate.",[27,360],{},[30,362,364],{"id":363},"what-length-should-you-actually-use","What Length Should You Actually Use?",[12,366,367],{},"The answer depends on the threat level. 
Here's the practical breakdown:",[95,369,370,386],{},[98,371,372],{},[101,373,374,377,380,383],{},[104,375,376],{},"Use Case",[104,378,379],{},"Minimum Length",[104,381,382],{},"Charset",[104,384,385],{},"Reasoning",[117,387,388,402,415,428,440],{},[101,389,390,393,396,399],{},[122,391,392],{},"Throwaway \u002F low-risk account",[122,394,395],{},"12 characters",[122,397,398],{},"Full ASCII",[122,400,401],{},"540 sextillion combinations — enough for bad storage",[101,403,404,407,410,412],{},[122,405,406],{},"Email \u002F social media",[122,408,409],{},"16 characters",[122,411,398],{},[122,413,414],{},"These accounts unlock password resets everywhere",[101,416,417,420,423,425],{},[122,418,419],{},"Banking \u002F financial",[122,421,422],{},"20+ characters",[122,424,398],{},[122,426,427],{},"High-value target, worth the extra entropy",[101,429,430,433,435,437],{},[122,431,432],{},"Work accounts \u002F SSO",[122,434,409],{},[122,436,398],{},[122,438,439],{},"Breach blast radius can be large",[101,441,442,445,448,451],{},[122,443,444],{},"Master password (password manager)",[122,446,447],{},"6–7 random words",[122,449,450],{},"Passphrase",[122,452,453],{},"Long, high entropy, actually memorable",[12,455,456],{},"Twelve characters is the new floor. Eight was fine in 2010. It's not fine now.",[12,458,459,460,464],{},"If you're wondering where your current passwords stand, our ",[66,461,463],{"href":462},"\u002Fpassword-strength-checker","Password Strength Checker"," does the entropy math for you — it shows estimated crack time at GPU speeds, entropy in bits, and a strength rating. 
It runs entirely in your browser; nothing you type is sent anywhere.",[27,466],{},[468,469,470,475,478],"blockquote",{},[12,471,472],{},[19,473,474],{},"🛡️ Brute Force Defense Checklist — Complete This Step",[12,476,477],{},"Don't guess whether your password holds up — know for certain.",[479,480,481,489,495],"ul",{},[482,483,484,485,488],"li",{},"→ ",[66,486,487],{"href":462},"Check your password's entropy against offline GPU benchmarks"," — real crack-time estimates, 100% client-side",[482,490,484,491,494],{},[66,492,493],{"href":277},"Generate a 16+ character password using Web Crypto API randomness"," — the same entropy source your OS uses for cryptographic keys",[482,496,484,497,500],{},[66,498,499],{"href":68},"Create a secure numeric PIN for device access"," — cryptographically random, not your birthday or a sequence",[27,502],{},[30,504,506],{"id":505},"the-practical-takeaway","The Practical Takeaway",[12,508,509],{},"A brute force attack is a solved problem for long, random passwords. The math is merciless in your favor once you cross the right length threshold.",[12,511,512],{},"The three rules the data supports:",[514,515,516,522,528],"ol",{},[482,517,518,521],{},[19,519,520],{},"Use 12+ characters, minimum."," 16 is better. For high-value accounts, 20+.",[482,523,524,527],{},[19,525,526],{},"Use full charset diversity."," Lowercase + uppercase + numbers + symbols. The multiplier is real, even if it's smaller than length.",[482,529,530,533],{},[19,531,532],{},"Use true randomness, not patterns."," Dictionary attacks make human-invented \"complexity\" worthless. A CSPRNG-generated password eliminates this attack vector entirely.",[12,535,536,537,539],{},"The fastest path there: use our ",[66,538,278],{"href":277},". 
Set the length to 16+, enable all character types, and you're generating passwords that a brute force attack would need millions of years to crack — even assuming a future GPU 1,000× faster than today's hardware.",[12,541,542],{},"The attacker's compute budget is finite. Your password's search space, properly constructed, is not.",[27,544],{},[30,546,548],{"id":547},"frequently-asked-questions","Frequently Asked Questions",[12,550,551],{},[19,552,553],{},"What is the formula for brute force combinations?",[12,555,556,557,560],{},"The number of possible combinations is ",[59,558,559],{},"charset_size ^ length",". An 8-character lowercase password has 26⁸ ≈ 209 billion combinations. In cryptographic terms this is expressed as bits of entropy: log₂(combinations). Each additional bit doubles the attacker's required work — which is why length, sitting in the exponent, dominates everything else.",[12,562,563],{},[19,564,565],{},"Why is password length more important than complexity?",[12,567,568],{},"Complexity (charset size) is the base; length is the exponent. Going from 8-char full-ASCII to 12-char full-ASCII multiplies the search space by ~80 million. Going from lowercase-only to full-ASCII at the same length multiplies it by ~32,000. Exponents beat multipliers every time. Use both, but prioritize length.",[12,570,571],{},[19,572,573],{},"How fast can a GPU crack a password in 2026?",[12,575,576],{},"A single RTX 4090 hits ~164 billion MD5 guesses per second. Against bcrypt at cost factor 5 (the standard hashcat benchmark setting) the same card manages ~184,000 guesses per second, close to a 1,000,000× difference, and the common production cost of 10 is another 32× slower. You don't control which algorithm the site uses. Your only lever is making the search space large enough that even worst-case storage (MD5) takes longer to exhaust than the gap between the breach and its public disclosure.",{"title":61,"searchDepth":578,"depth":578,"links":579},2,[580,581,582,583,584,585,586],{"id":32,"depth":578,"text":33},{"id":89,"depth":578,"text":90},{"id":237,"depth":578,"text":238},{"id":288,"depth":578,"text":289},{"id":363,"depth":578,"text":364},{"id":505,"depth":578,"text":506},{"id":547,"depth":578,"text":548},"Security","A brute force attack tries every possible password until one works. Here's the math that explains why length protects you more than complexity. Try our free generator.","md",[591,593,595],{"question":553,"answer":592},"The number of possible combinations is calculated as charset_size ^ length. For example, an 8-character lowercase password has 26^8 (209 billion) combinations. Adding length increases the exponent, which is why length matters far more than complexity.",{"question":565,"answer":594},"Password strength grows exponentially with length, while enlarging the charset only raises the base. Adding 4 characters to a password increases the search space millions of times more than adding special characters to a short password.",{"question":573,"answer":596},"A single modern GPU like the RTX 4090 can attempt approximately 164 billion MD5 guesses per second, making short or simple passwords instantly vulnerable to offline attacks on leaked hash databases.","\u002Fimages\u002Fblog\u002Fwhat-is-a-brute-force-attack.webp",{},true,"\u002Fen\u002Fwhat-is-a-brute-force-attack","2026-04-25",{"title":5,"description":588},"en\u002Fwhat-is-a-brute-force-attack",[605,606,607,608,609],"brute force attack","password length vs complexity","password security","brute force password","2026","QVHF3MsNALO9D05dgaKMaYlPemed4H4gMzSvNjK2_Ok",1778313695461]