{
    "slug": "brute_force",
    "term": "Brute Force Attack",
    "category": "security",
    "difficulty": "beginner",
    "short": "Systematically trying every possible password or key until the correct one is found.",
    "long": "A brute force attack tries all possible combinations of characters until the correct password, token, or encryption key is found. Online attacks against a login endpoint are bounded by how many attempts the server will accept; offline attacks against a stolen hash are bounded only by the attacker's hardware — against a fast hash like MD5, an attacker can test billions of guesses per second on commodity hardware. Defences include: slow hashing algorithms (bcrypt, Argon2) that make each offline guess expensive, account lockout or progressive delays after failed attempts, CAPTCHA for login forms, and multi-factor authentication. Rate limiting at the application and infrastructure level adds another layer.",
    "aliases": [
        "password guessing",
        "credential brute force"
    ],
    "tags": [
        "authentication",
        "rate-limiting",
        "owasp-top10"
    ],
    "misconception": "Locking an account after 5 attempts fully prevents brute force. Lockout can itself be turned into a denial of service against legitimate users, and a per-account threshold is sidestepped by low-and-slow guessing that stays under it or by spreading attempts across many accounts and source IPs.",
    "why_it_matters": "Without rate limiting or lockout, an attacker can submit millions of password guesses against a login endpoint — a leaked hash database makes offline brute force even faster.",
    "common_mistakes": [
        "No rate limiting or account lockout on login, password reset, or OTP endpoints.",
        "Lockout based on username only — attackers distribute attempts across many accounts to avoid per-account limits.",
        "Using weak password hashing (MD5, SHA1) that makes offline cracking trivial after a database breach.",
        "CAPTCHA as the only defence — solvable by third-party services; rate limiting is also needed."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "bcrypt",
        "argon2",
        "predictable_token",
        "rainbow_table",
        "weak_cryptography"
    ],
    "prerequisites": [
        "rate_limiting",
        "bcrypt",
        "two_factor_auth"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Brute_force_attack",
        "https://cwe.mitre.org/data/definitions/307.html"
    ],
    "bad_code": "// No rate limiting — unlimited password guesses:\nif ($_POST['password'] === $user['password_hash']) {\n    // login success\n}",
    "good_code": "// Rate limit login attempts per IP and per account\nclass LoginController {\n    public function login(Request $req): Response {\n        $key = 'login_attempts:' . $req->ip() . ':' . $req->input('email');\n\n        if ($this->cache->get($key, 0) >= 5) {\n            return response()->json(['error' => 'Too many attempts'], 429);\n        }\n\n        if (!$this->auth->attempt($req->only('email', 'password'))) {\n            $this->cache->increment($key);\n            $this->cache->expire($key, 900); // 15-minute window\n            return response()->json(['error' => 'Invalid credentials'], 401);\n        }\n\n        $this->cache->delete($key);\n        return response()->json(['token' => $this->auth->token()]);\n    }\n}",
    "quick_fix": "Add rate limiting + account lockout after N failed attempts + CAPTCHA on login; use bcrypt/Argon2 to make each guess expensive",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/brute_force",
        "html_url": "https://codeclaritylab.com/glossary/brute_force",
        "json_url": "https://codeclaritylab.com/glossary/brute_force.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Brute Force Attack](https://codeclaritylab.com/glossary/brute_force) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/brute_force"
            }
        }
    }
}