Brute Force Attack
Also Known As
password guessing
credential brute force
TL;DR
Systematically trying every possible password or key until the correct one is found.
Explanation
A brute force attack tries all possible combinations of characters until the correct password, token, or encryption key is found. Against a fast hash like MD5, an attacker can test billions of guesses per second on commodity hardware. Defences include: slow hashing algorithms (bcrypt, Argon2), account lockout or progressive delays after failed attempts, CAPTCHA for login forms, and multi-factor authentication. Rate limiting at the application and infrastructure level adds another layer.
Diagram
flowchart TD
ATK[Attacker tries passwords] --> RATE{Rate limit check}
RATE -->|under limit| TRY[Attempt login]
RATE -->|over limit| LOCK[429 Too Many Requests<br/>Retry-After header]
TRY -->|failed| COUNT[Increment failure counter]
COUNT --> THRESH{Threshold reached?}
THRESH -->|yes| LOCKOUT[Account lockout<br/>5 min exponential backoff]
THRESH -->|no| RATE
subgraph Defences
BCRYPT2[bcrypt Argon2 - slow hashing<br/>1000 attempts/s not billions]
NOTIFY2[Email user on lockout]
GEO[Block unusual geography]
end
style LOCK fill:#f85149,color:#fff
style LOCKOUT fill:#f85149,color:#fff
style BCRYPT2 fill:#238636,color:#fff
Common Misconception
✗ Locking an account after 5 attempts fully prevents brute force. Lockout causes denial-of-service against legitimate users and is bypassed by low-and-slow attacks spread across many IPs.
Why It Matters
Without rate limiting or lockout, an attacker can submit millions of password guesses against a login endpoint — a leaked hash database makes offline brute force even faster.
Common Mistakes
- No rate limiting or account lockout on login, password reset, or OTP endpoints.
- Lockout based on username only — attackers distribute attempts across many accounts to avoid per-account limits.
- Using weak password hashing (MD5, SHA1) that makes offline cracking trivial after a database breach.
- CAPTCHA as the only defence — solvable by third-party services; rate limiting is also needed.
Code Examples
✗ Vulnerable
// No rate limiting — unlimited password guesses: nothing counts failures, so an
// attacker is limited only by how fast the server answers each request.
if (password_verify($_POST['password'], $user['password_hash'])) {
    // login success
}
✓ Fixed
<?php
// Rate limit login attempts per IP and per account. Assumes Laravel: Request, Auth and the
// RateLimiter facade are framework classes; the facade keeps counters in the cache and expires them.
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
class LoginController {
    public function login(Request $req): JsonResponse {
        $email = strtolower((string) $req->input('email', ''));
        // Two independent counters: per-IP catches one source spraying many accounts,
        // per-account catches many sources hitting one account (a combined IP+account key catches neither).
        $keys = ['login_ip:' . $req->ip(), 'login_account:' . $email];
        foreach ($keys as $key) {
            if (RateLimiter::tooManyAttempts($key, 5)) {
                return response()->json(['error' => 'Too many attempts'], 429)
                    ->header('Retry-After', RateLimiter::availableIn($key));
            }
        }
        if (!Auth::attempt(['email' => $email, 'password' => (string) $req->input('password', '')])) {
            foreach ($keys as $key) {
                RateLimiter::hit($key, 900); // count the failure; 15-minute window
            }
            return response()->json(['error' => 'Invalid credentials'], 401);
        }
        foreach ($keys as $key) {
            RateLimiter::clear($key); // a successful login resets both counters
        }
        $req->session()->regenerate(); // fresh session id on login
        return response()->json(['status' => 'authenticated']);
    }
}
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Medium
⚡ Quick Fix
Add rate limiting + account lockout after N failed attempts + CAPTCHA on login; use bcrypt/Argon2 to make each guess expensive
📦 Applies To
PHP 5.0+
web
api
🔍 Detection Hints
Login handler with no failed-attempt counter or lockout mechanism
Auto-detectable:
✗ No
semgrep
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
Tests: Update
CWE-307
CWE-308