In the most general sense, a brute force attack is computer-assisted guessing. It aims to recover a secret combination of characters, such as an encryption key or an account password, by trying every possible combination one by one.
Computers trivialized many such code-breaking problems, but modern cryptography is far ahead of them on that front. Naturally, not every piece of digitally shared information is protected by a cipher.
For example, if an attacker were targeting a specific account tied to a known email address, they would need only basic arithmetic to define the problem before taking a crack at it. Once a password is defined as a sequence of characters within a given length range, what remains is a combinatorial problem. Hopefully it is an expensive computational one as well, assuming the app or website being targeted was coded by someone capable.
CAPTCHAs and timeouts between failed login attempts are examples of rather effective methods for curbing brute force attempts. Because brute-forcing is such a basic concept, the simplicity of these mechanisms works to their advantage: just a few lines of code requiring a 60-second timeout after every failed login attempt following the first five consecutive ones can be the difference between a brute-force attempt succeeding within hours and being practically impossible. That matters because, depending on the setup, a modern computer can guess tens of millions of passwords per second. Two-factor authentication is still the safest way to protect yourself in this regard, so use it wherever it is available and practical.
Then there is the subject of entropy, which is essentially a measure of unpredictability. By mixing lowercase and uppercase letters, numbers, and even special characters, we can use the power of math to force would-be attackers to default on their electricity bills millions of times over before having any hope of guessing our password by brute force.
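An added example (not code from the original article) that puts the two points above into code: a per-account throttle implementing the policy of five free failures followed by a 60-second timeout after each further failure, plus the size of the search space an attacker faces for a password of a given character set and length, at the article's figure of tens of millions of guesses per second. The class and function names, the in-memory storage, and the 5e7 guesses/second rate are assumptions.

```python
import math
import time

# Policy from the text: after five consecutive failed logins, every further
# failed attempt costs a 60-second timeout. Counters are per-account and kept
# in memory (assumption: a single process; a real deployment would persist them).
FREE_FAILURES = 5
LOCKOUT_SECONDS = 60


class LoginThrottle:
    """Tracks consecutive failures per account and enforces the timeout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so the policy can be tested without sleeping
        self._failures = {}            # account -> consecutive failure count
        self._locked_until = {}        # account -> monotonic time the lockout ends

    def attempt_allowed(self, account):
        """Check this before verifying the password; locked accounts get no guess at all."""
        return self._clock() >= self._locked_until.get(account, 0.0)

    def record_failure(self, account):
        """Call after a wrong password; returns the seconds the account is now locked for."""
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count > FREE_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return LOCKOUT_SECONDS
        return 0

    def record_success(self, account):
        """Call after a correct password (and second factor); clears the counter."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def entropy_bits(charset_size, length):
    """Information content of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def brute_force_years(charset_size, length, guesses_per_second=5e7):
    """Worst-case time to enumerate every password of this shape, in years.

    The default rate is an assumed 'tens of millions' of guesses per second,
    the figure the text gives for an unthrottled modern computer.
    """
    combinations = charset_size ** length
    return combinations / guesses_per_second / (365 * 24 * 3600)
```

With the throttle in place the attacker's effective rate drops from the assumed 5e7 guesses per second to roughly one per minute per account, which is the whole point of the mechanism.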
Classification of brute force attacks
If you insist on categorizing brute force attacks with something more specific than the single label “primitive” (which is where they really rank among potential cybersecurity issues), they can be further divided into three stages of primitiveness. Note that the theoretically simplest form of such an algorithm, one that would step through every single character in every possible combination, especially across varying lengths, is unlikely to exist in practice, as it would be unable to do any damage in the real world.
Instead, the most primitive of the primitive is the so-called dictionary attack. The name is self-explanatory: it is the simplest brute-forcing technique that can sometimes work, provided the account owner was careless and unlucky enough.
If the carelessness and misfortune are on the system’s end, you have credential stuffing, also called credential recycling. These are follow-ups to an earlier attack that procured a database of usernames and passwords from another service. People’s carelessness and tendency to take the path of least resistance are what make them quite an effective method for identity theft and the like, and credential recycling tools are the number one reason you are constantly told not to reuse passwords across services.
The third and final evolution of this attack vector is the reverse brute-force attack. It can be an extension of either of the above, though it is usually seen as closer to a dictionary attack because it relies on the same social engineering principles; rather than working through an entire lexicon’s worth of combinations, it takes a single password and tries it against many accounts on a given system. Cybersecurity practices evolved to combat this in multiple ways, most recognizably by requiring everyone to use at least one uppercase (or lowercase) character, as well as a special character and a number, in their passwords.