Brute Force Attacks - what are they?

What are brute force attacks?

Brute force attacks are trial-and-error attempts to crack a password or key by systematically trying a large number of combinations. They can be used to guess passwords, encryption keys, API keys or SSH logins. These attacks are usually automated with scripts or botnets. It is a relatively easy and straightforward method that does not require advanced knowledge on the attacker's part.

Are brute force attacks effective? 

It really depends on the complexity of the passwords used. Brute force attacks are not the most efficient of attacks, as they can take a very long time to crack passwords. This is why most websites enforce a minimum length and special-character requirements when you first create your account. Well-crafted passwords can take upwards of 7 years of continuous processing to crack, even if the attacker has a system that can send 15 million requests every second. However, this time can be reduced by social engineering or other methods that narrow down the possibilities for the password. Either way, it is still important to protect your websites from brute force attacks.

Time to brute force a password

# of Characters  Numbers Only  Lowercase Only  Upper & Lowercase  Numbers, Upper & Lowercase  Numbers, Upper & Lowercase, Symbols
4                Instantly     Instantly       Instantly          Instantly                   Instantly
5                Instantly     Instantly       Instantly          Instantly                   Instantly
6                Instantly     Instantly       Instantly          1 sec                       5 secs
7                Instantly     Instantly       25 secs            1 min                       6 mins
8                Instantly     5 secs          22 mins            1 hour                      8 hours
9                Instantly     2 mins          19 hours           3 days                      3 weeks
10               Instantly     58 mins         1 month            7 months                    5 years
11               2 secs        1 day           5 years            41 years                    400 years
12               25 secs       3 weeks         300 years          2k years                    34k years
13               4 mins        1 year          16k years          100k years                  2m years
14               41 mins       51 years        800k years         9m years                    200m years
15               6 hours       1k years        43m years          600m years                  15bn years
16               2 days        34k years       2bn years          37bn years                  1tn years
17               4 weeks       800k years      100bn years        2tn years                   93tn years
18               9 months      23m years       6tn years          100tn years                 7qd years

k = thousand, m = million, bn = billion, tn = trillion, qd = quadrillion. The character counts (4 to 18) and the "Instantly" cells were not preserved in the page text and are assumed from the row count and ordering of the chart.
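As an added example (not part of the original article), the worst-case search time behind a table like the one above, computed for the 15 million guesses per second mentioned earlier; the character-set sizes are assumptions (95 counts every printable ASCII character), and the absolute figures depend entirely on the assumed guess rate, which is why they do not match the chart.

```python
# Added example: how keyspace size (charset ** length) turns into crack time.
# Character-set sizes below are assumptions, not taken from the article.
CHARSETS = {
    "Numbers Only": 10,
    "Lowercase Only": 26,
    "Upper & Lowercase": 52,
    "Numbers, Upper & Lowercase": 62,
    "Numbers, Upper & Lowercase, Symbols": 95,
}

UNITS = [("years", 365 * 24 * 3600), ("days", 86400),
         ("hours", 3600), ("mins", 60), ("secs", 1)]


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for exactly this length
    (shorter lengths add a negligible amount on top)."""
    return charset_size ** length


def seconds_to_crack(charset_size: int, length: int, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the keyspace at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Round to the largest unit that fits, e.g. 14556007 -> '168 days'."""
    for name, size in UNITS:
        if seconds >= size:
            r = round(seconds / size)
            return f"{r:,} {name if r != 1 else name[:-1]}"
    return "instantly"


def crack_table(lengths, guesses_per_second: int) -> dict:
    """Build {length: {charset name: human-readable crack time}}."""
    return {n: {name: humanize(seconds_to_crack(size, n, guesses_per_second))
                for name, size in CHARSETS.items()}
            for n in lengths}


if __name__ == "__main__":
    RATE = 15_000_000  # the article's "15 million requests every second"
    for n, cells in crack_table(range(6, 13), RATE).items():
        print(n, cells)
```

Each extra character multiplies the search by the charset size, which is why length matters more than any single symbol class.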

How can you protect yourself?

There are a few methods that website owners can implement to protect themselves.

1) Mandate a minimum length of 12 characters for website passwords, including upper/lowercase letters, numbers, and special characters.

2) Lock accounts for a certain length of time after multiple failed attempts. Also add a delay of about 2-5 seconds after every failed attempt.

3) Use 2FA (two-factor authentication). However, this system alone can still be bypassed by other types of social engineering attacks, so it should be used in conjunction with other security methods.

4) As users, it is important to use different passwords for different websites. If a website is compromised and the passwords used on it are leaked, at least your accounts on other websites would be safe. Hackers like to use leaked passwords across multiple accounts because people almost always re-use passwords. This is known as a credential stuffing attack.

5) Users should also be careful about where they enter passwords or other important credentials lest they fall prey to phishing attempts. You should always check that the address you are at is correct before entering your details.
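One way to implement recommendation 2 on the server side, as an added example that is not part of the original article: a per-account throttle that delays every failed attempt and locks the account after repeated failures. The thresholds, the in-memory store and the (outcome, delay) interface are assumptions for illustration.

```python
# Added example: login throttle with fixed failure delay and temporary lockout.
# MAX_FAILURES, LOCKOUT_SECONDS and FAIL_DELAY_SECONDS are assumed values.
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failed attempts before the account is locked
LOCKOUT_SECONDS = 900   # lock for 15 minutes
FAIL_DELAY_SECONDS = 3  # within the article's 2-5 second range


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LoginThrottle:
    accounts: dict = field(default_factory=dict)

    def attempt(self, username: str, password_ok: bool, now: float):
        """Record one login attempt.

        password_ok is the result of the normal credential check, which the
        caller always runs so timing does not reveal whether an account exists.
        Returns (outcome, seconds_to_sleep_before_responding)."""
        state = self.accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            # Same delay as a wrong password: a guesser cannot distinguish
            # "locked" from "wrong", and a correct guess buys nothing while locked.
            return "locked", FAIL_DELAY_SECONDS
        if password_ok:
            state.failures = 0          # successful login resets the counter
            return "ok", 0
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return "failed", FAIL_DELAY_SECONDS


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in range(6):  # six wrong guesses one second apart
        print(throttle.attempt("alice", False, 1000.0 + t))
    print(throttle.attempt("alice", True, 1010.0))   # correct, but locked
```

Lockouts keyed only on the username can be abused to lock legitimate users out, so pair this with per-source rate limits rather than relying on it alone.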

How can Polaris help you?

If you are a website owner and concerned about how brute force attacks might affect you, Polaris has multiple features that help prevent brute force attacks.

1) Scanning for suspicious traffic

Polaris automatically scans all incoming traffic before admitting it to your website. If incoming traffic from a specific IP is suspicious and has the characteristics of a brute force attack, it will be identified and blocked. Furthermore, bots previously identified and blacklisted on our system will also be blocked.
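To make "characteristics of a brute force attack" concrete, here is an added example (not Polaris code) that flags source IPs from constructed web-server log lines: many failed logins from one address in a short window, or one address cycling through many usernames. The log format, thresholds, window size and the sample addresses (RFC 5737 documentation ranges) are all assumptions.

```python
# Added example: per-IP sliding-window detection of failed-login bursts.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: <ip> [<ISO timestamp>] "POST /login" <status> user=<name>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST /login" (?P<status>\d{3}) user=(?P<user>\S+)$')
WINDOW = timedelta(seconds=60)   # sliding window (assumed)
MAX_FAILS = 10                   # failed logins per IP per window (assumed)
MAX_USERS = 5                    # distinct usernames per IP per window (assumed)


def parse(lines):
    """Turn raw lines into (ip, timestamp, status, user); skip lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], datetime.fromisoformat(m["ts"]), int(m["status"]), m["user"]))
    return events


def detect(events):
    """Return {ip: reason} for sources whose 401s exceed a threshold in any window."""
    fails = defaultdict(list)
    for ip, ts, status, user in sorted(events, key=lambda e: e[1]):
        if status == 401:
            fails[ip].append((ts, user))
    flagged = {}
    for ip, hits in fails.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1            # drop failures older than the window
            window = hits[start:end + 1]
            if len(window) >= MAX_FAILS:
                flagged[ip] = "many failed logins in 60 s (password guessing)"
                break
            if len({u for _, u in window}) >= MAX_USERS:
                flagged[ip] = "one source trying many usernames (password spraying)"
                break
    return flagged


def constructed_log():
    """Constructed sample traffic: one guesser, one sprayer, one legitimate typo."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f'203.0.113.7 [{at(2 * i)}] "POST /login" 401 user=admin' for i in range(12)]
    lines += [f'198.51.100.9 [{at(5 * i)}] "POST /login" 401 user=user{i}' for i in range(6)]
    lines += [f'192.0.2.5 [{at(0)}] "POST /login" 401 user=bob',   # one typo ...
              f'192.0.2.5 [{at(8)}] "POST /login" 200 user=bob']   # ... then success
    return lines


if __name__ == "__main__":
    for ip, reason in detect(parse(constructed_log())).items():
        print(ip, "->", reason)
```

Real attackers spread guesses across many source addresses, so a per-IP window is a starting point, not a complete detector.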

2) Captcha Protection

If unusual activity is detected from a certain IP, a captcha challenge will be issued to the IP before they are allowed to visit the website. If the IP is a bot or a script, it would not be able to get past the challenge easily. Repeated unusual activity will result in the IP address being blocked for some amount of time.

3) White-Listing

Polaris also makes it possible to allow only certain users to access the website. This is done by whitelisting the IP addresses of those users, which prevents everyone else from accessing the site.

4) Geo Blocking

If you cater to specific markets only, it is possible for you to geo-block IP addresses from other countries. For example, if your website only caters to Singapore users, you can block IP addresses from other parts of the world from accessing the site.
