What Is a Brute-Force Attack and How to Stop One

What a brute-force attack is and how to stop one

A brute-force attack is one of the oldest tricks in hacking, and it is exactly why every security guide nags you to make passwords longer. Understanding how it works makes the advice click — and shows why a short, “clever” password fails while a long random one holds. Our GetMyPassword team explains what a brute-force attack is, how fast it really is, and how to make your accounts effectively immune.

Defend against brute-force
How password length defeats a brute-force attack.

What a brute-force attack is

A brute-force attack simply tries every possible combination until one works. Software runs through passwords automatically — billions of guesses per second on modern hardware. A related version, the dictionary attack, tries common words and known leaked passwords first, which is why “password1” or your pet’s name falls in an instant.

Why length beats cleverness

Each extra character multiplies the guesses needed. A short password — even with symbols — can fall in minutes, while a long random one pushes the time into centuries. This is the key insight: length and randomness, not a tricky substitution like a zero for an O, are what actually stop a brute-force attack.

  • 8 characters: can fall quickly on modern hardware.
  • 12 characters, random: dramatically harder — years to centuries.
  • 16+ characters, random: effectively uncrackable by brute force.

How sites fight back

Good services slow attackers with rate limiting (blocking after a few wrong tries), account lockouts, and two-factor authentication, which stops a guessed password from being enough. But you cannot rely on every site doing this — your password’s length is the defence fully in your control.

You do not have to outrun the attacker forever — just make the maths hopeless. A 16-character random password would take longer to brute-force than the age of the universe, so attackers simply move on.

Make your passwords brute-force-proof

The practical defence is simple: long, random and unique. Create 16-character-plus passwords with our password generator so there is no pattern to exploit, and turn on two-factor authentication. If you just need random characters for a code or token, the random letter generator gives you unpredictable sequences too.

Frequently asked questions

How long does it take to brute-force a password?

It depends almost entirely on length and randomness. A short password can fall in minutes, while a 16-character random one would take far longer than a human lifetime, making the attack pointless.

Does adding symbols stop a brute-force attack?

Symbols help, but length matters far more. A long random password without symbols beats a short one full of them. Combine both — long and varied — for the strongest result.

Can two-factor authentication stop brute-force attacks?

Yes. Even if an attacker guesses your password, 2FA requires a second code they do not have. It is a powerful backstop, but a long, unique password should still be your first line of defence.

Help your friends stay safe. Share this article!