ShieldSquare is now Radware Bot Manager

ShieldSquare is now Radware Bot Manager

What is a Brute Force Attack?

Credential cracking, also known as ‘brute force attack’ or ‘brute forcing’, is a method of using bots to identify or “crack” valid log-in credentials to a website or application by entering many different values for usernames and passwords in the hope of eventually guessing the correct combination. These log-in credentials are often obtained from lists of breached account credentials that were sold on the Dark Web or published by cybercriminals. Credential cracking can also use words from dictionaries (which involves entering a large numbers of words and variations thereof), along with other guessing techniques that may attempt variations of the victim’s name or other information obtained by the hackers. Brute Force/ Credential Cracking attacks differ from Credential Stuffing attacks in that there is no guesswork involved in the latter technique (as it uses many log-in attempts to verify previously stolen or purchased username and password pairs).

What is a Brute Force Attack

Symptoms of a Brute Force Attack

Brute force attack symptoms include a sudden increase in failed log-in attempts and a spike in customers complaining of account hijacking, unauthorized transactions, and account fraud.

How to Prevent Brute Force Log-in Attacks

Website and application administrators and security chiefs generally use brute force attack prevention and mitigation techniques that involve showing a CAPTCHA to users or suspected bots, implementing policies that prevent multiple log-in attempts within a short period of time, and a time-out period to disallow subsequent attempts when a log-in attempt fails, and enforcing two-factor (2FA) or multiple-factor authentication (MFA). Attackers’ IP addresses can also be locked out, but attackers can always switch to another address very quickly. An extreme step to mitigate brute force attacks would be to lock user accounts after a certain number of failed log-ins, and requiring the account holder to contact Customer Service. When it is essential to prevent ATO attacks, only a dedicated bot management solution can detect and prevent brute force log-in attempts by sophisticated bots.


For more information on the techniques used by attackers to carry out brute force and other bot attacks, as well as best practices for brute force attack prevention, download our comprehensive e-book 'The Ultimate Guide to Bot Management.' If you’d like to identify and quantify bot traffic on your website or application, and analyze vulnerabilities that bots can exploit, we recommend that you take advantage of our complimentary Bad Bot Analyzer service.

Related Content

Account Takeover

Bot Knowledge Base

What is Account Takeover?

Credential Stuffing

Bot Knowledge Base

What is Credential Stuffing?



The Ultimate Guide to Bot Management

Step Up and Take Action

Powered by Think201