Glossary

What is a Brute-Force Attack?

A brute-force attack is a cryptanalytic method that attempts to determine a password, encryption key, or other secret by systematically trying every possible combination until the correct value is found.

Also known as: brute force, password cracking, exhaustive search

Brute-force attacks are the simplest form of attack against any secret: try every possibility. Against a 4-digit PIN, there are 10,000 combinations — trivial for a computer. Against an 8-character lowercase password, there are about 209 billion combinations — feasible with modern hardware. Against a 256-bit encryption key, there are 2^256 possibilities — computationally infeasible with any technology that could exist under known physics.

In practice, attackers rarely perform pure brute-force attacks against passwords. Instead, they use optimized variants: dictionary attacks (trying common passwords and words), rule-based attacks (applying common transformations like appending numbers or substituting characters), credential stuffing (using passwords leaked from other breaches), and rainbow table attacks (using precomputed hash lookups). These techniques exploit the predictability of human-chosen passwords to dramatically reduce the search space.
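The variants above work because most human-chosen passwords are a short base word plus a predictable transformation (capitalisation, leet substitutions, appended digits or symbols). The defensive counterpart is to normalise a candidate passphrase back to its base word and reject it if that word is on a blocklist. The check below is an added example, not Vaulted's code: the blocklist, the leet map and the stripping rules are constructed here for illustration (a production blocklist would be breach-derived and far larger), and `normalize`, `is_weak` and the 12-character minimum are this example's own choices.

```python
"""Passphrase blocklist check that anticipates dictionary and rule-based guessing.

Added example, not Vaulted's own code. The blocklist, leet map and stripping
rules below are constructed for illustration only.
"""
import re

# Constructed sample of common passwords; a real list has millions of entries.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "dragon"}

# Substitutions that rule-based guessing commonly applies, mapped back to letters.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)


def normalize(candidate: str) -> set:
    """Return the base words a candidate could have been derived from.

    Undoes the transformations a rule-based attack applies: case changes,
    leet substitutions, and digits or symbols glued to either end.
    """
    lowered = candidate.lower()
    # Strip leading/trailing digits and punctuation ("Password123!", "2019dragon").
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return {form for form in forms if form}


def is_weak(candidate: str, blocklist=COMMON_PASSWORDS, min_length: int = 12) -> bool:
    """True if the candidate is too short or reduces to a blocklisted base word."""
    if len(candidate) < min_length:
        return True
    return any(form in blocklist for form in normalize(candidate))
```

The point of the normalisation is that a policy which only checks length and character classes would accept `P@ssw0rd123!`; reducing it to `password` first is what catches it, and the same reduction is cheap enough to run on every signup or passphrase change.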

Defenses against brute-force attacks operate at multiple levels. Strong passwords and long encryption keys make exhaustive search infeasible. Rate limiting restricts the number of attempts per time period. Account lockout policies block access after repeated failures. Key derivation functions like PBKDF2 and bcrypt make each guess computationally expensive. Salting prevents precomputed lookup attacks. Together, these defenses raise the cost of a brute-force attack beyond any practical threshold.

How Vaulted uses Brute-Force Attack

Vaulted defends against brute-force attacks at multiple layers. The AES-256-GCM encryption key is a random 256-bit value, making brute-force decryption computationally infeasible. For passphrase-protected secrets, PBKDF2 with 100,000 iterations makes each passphrase guess expensive. Server-side rate limiting (10 creates per minute, 30 views per minute per IP) prevents rapid automated attempts against the API. And view limits ensure that a secret is permanently deleted after a small number of accesses, closing the window for repeated guessing.
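The layered defenses described in the glossary entry above and the specific parameters this page gives for Vaulted (PBKDF2 at 100,000 iterations, 10 creates and 30 views per minute per IP, a hard cap on views) assembled into one standard-library Python sketch. This is an added example, not Vaulted's own code: `derive_key`, `RateLimiter`, `SecretStore` and the injectable clock are this example's names; the AES-256-GCM layer is left out because it needs a third-party library, so the payload is stored as given; and charging a failed passphrase guess against the view count is this example's design choice, which the page does not state either way.

```python
"""Layered brute-force defenses for a secret-sharing API (added example, not Vaulted's code).

Standard library only. Parameters follow the glossary page; class and function
names are this example's own. The AES-256-GCM layer is omitted.
"""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # per-guess cost stated on the page
CREATES_PER_MINUTE = 10      # per-IP limit stated on the page
VIEWS_PER_MINUTE = 30        # per-IP limit stated on the page


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. The per-secret random salt defeats precomputed lookups."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


class RateLimiter:
    """Sliding-window counter per client key (for example the source IP)."""

    def __init__(self, limit: int, window_seconds: float = 60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._hits = defaultdict(deque)

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:  # expire old attempts
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # an HTTP API would answer 429 here
        hits.append(now)
        return True


class SecretStore:
    """In-memory secrets with optional passphrase and a hard cap on views."""

    def __init__(self, clock=time.monotonic):
        self._secrets = {}
        self.create_limiter = RateLimiter(CREATES_PER_MINUTE, clock=clock)
        self.view_limiter = RateLimiter(VIEWS_PER_MINUTE, clock=clock)

    def create(self, client_ip: str, payload: bytes, passphrase: Optional[str],
               max_views: int = 1) -> Optional[str]:
        if not self.create_limiter.allow(client_ip):
            return None
        token = secrets.token_urlsafe(32)  # unguessable identifier, 256 bits of entropy
        salt = os.urandom(16)
        self._secrets[token] = {
            "payload": payload,  # a real deployment stores this AES-256-GCM encrypted
            "salt": salt,
            "key": derive_key(passphrase, salt) if passphrase else None,
            "views_left": max_views,
        }
        return token

    def view(self, client_ip: str, token: str, passphrase: Optional[str] = None) -> Optional[bytes]:
        if not self.view_limiter.allow(client_ip):
            return None
        record = self._secrets.get(token)
        if record is None:
            return None
        if record["key"] is not None:
            # Every guess, right or wrong, costs one PBKDF2 run; compare in constant time.
            ok = hmac.compare_digest(derive_key(passphrase or "", record["salt"]), record["key"])
        else:
            ok = True
        # Design choice of this example: a wrong guess still consumes a view, so the
        # secret disappears after max_views attempts no matter how fast they arrive.
        record["views_left"] -= 1
        if record["views_left"] <= 0:
            del self._secrets[token]
        return record["payload"] if ok else None
```

Each layer closes a different gap: the KDF makes an offline attack on a captured record slow, the rate limiter bounds online attempts per source, and the view cap bounds the total number of attempts that can ever be made against one secret, which is the layer that still holds when an attacker spreads guesses across many IPs.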