Brute Force Attack (BFA)
An attempt to crack a password or key through automated trial and error.
What is a brute force attack?
Brute force attacks involve the use of complex software to flood a system with every potential password or key in order to find the correct value. In theory, such an attack could be used to guess any password or key and gain access to encrypted data. The theoretical amount of time required for a brute force attack to succeed is used as a key measure of the strength of an encryption system.
The resources required to conduct a successful brute force attack on a well-secured system are considerable. The amount of time required to guess a password grows exponentially (as opposed to in a linear manner) as the length of the password grows. As such, the bit size of cryptographic keys has gradually increased, from an initial standard of 56 bits up to the modern standard of 128 or 256 bits.
Cracking a 256-bit key requires very significant levels of computational power — so much so that serious brute force attacks are generally only possible using supercomputers.
Supercomputers themselves require extremely tightly controlled environmental conditions, and have very high energy requirements. As such, the most advanced brute force attacks are generally thought to be the preserve of state actors. However, modern GPUs and dedicated hardware known as ASICs — both very widely available — are also very well suited to password-cracking tasks, and are accessible to virtually anybody.
Some forms of encryption are theoretically impervious to brute force attack. These include one-time pad cryptography. Rather than the use of brute force, illegitimate access to systems using this type of protection generally rely on exploiting human error in a system’s implementation.