TL;DR: Brute force attacks remain effective because weak and reused passwords still give attackers a direct path into accounts, and automated tooling can attempt millions of guesses in seconds, according to StrongDM's analysis. The underlying problem is that password-centric access control still assumes human behaviour will compensate for machine speed.
NHIMG editorial — based on content published by StrongDM: What is a Brute Force Attack? Types, Examples & Prevention
By the numbers:
- 51% of hackers favor brute force because of cloud architecture vulnerabilities such as misconfigured software or easily obtained admin usernames.
- 83% of Americans create weak passwords in terms of length (less than 10 characters) and character complexity.
- 80% of all attacks are brute force.
Questions worth separating out
Q: How should security teams reduce brute force risk in password-based environments?
A: Security teams should reduce brute force risk by removing reusable secrets where possible, then hardening the remaining password surfaces with MFA, rate limiting, lockouts, and breached-password checks.
Q: Why do reused passwords make brute force attacks more effective?
A: Reused passwords make brute force attacks more effective because one stolen credential pair can unlock multiple accounts, systems, or services.
Q: What breaks when organisations rely only on password complexity rules?
A: Password complexity rules break down when attackers can still automate guesses, reuse breached credentials, or crack offline hashes.
Practitioner guidance
- Eliminate reusable passwords on privileged accounts: Move administrative and shared access paths to passwordless or phishing-resistant authentication first, then remove legacy password fallback where possible.
- Deploy breached-credential screening everywhere passwords still exist: Check new and changed passwords against known breach corpuses and deny reuse across user, contractor, and service-adjacent accounts.
- Tighten login controls on every internet-facing identity surface: Apply rate limiting, progressive delays, lockout logic, and alerting to any application or gateway that still authenticates with passwords.
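As an added example (not code from StrongDM's article or from this editorial), the Python below shows what the second guidance point looks like in practice: a new or changed password is rejected if it is shorter than the 10-character threshold cited above, if it appears in a breach corpus, or if the account has used it before. The breach list is a constructed sample, the prefix-indexed lookup mirrors the k-anonymity shape real breach services use so the full hash never leaves the client, and PasswordHistory is a hypothetical store that keeps only salted PBKDF2 hashes of earlier passwords.

```python
import hashlib
import hmac
import os

# Constructed sample breach list (NOT real breach data). A production deployment
# would query a full corpus or a k-anonymity range service, but the lookup shape is
# the same: a 5-hex-char SHA-1 prefix maps to every (suffix, times_seen) sharing it.
_SAMPLE_BREACHED = {"password123": 12000, "Summer2024!": 340, "qwertyuiop": 9900}

MIN_LENGTH = 10  # the "less than 10 characters" weak-password threshold from the figures above


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(plaintexts: dict) -> dict:
    """Index breached passwords by SHA-1 prefix so a client only reveals 5 hex chars."""
    corpus = {}
    for pw, count in plaintexts.items():
        digest = sha1_hex(pw)
        corpus.setdefault(digest[:5], []).append((digest[5:], count))
    return corpus


BREACH_CORPUS = build_corpus(_SAMPLE_BREACHED)


def breach_count(password: str, corpus: dict = BREACH_CORPUS) -> int:
    """Return how many times the password was seen in the corpus (0 = never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for known_suffix, count in corpus.get(prefix, []):
        if hmac.compare_digest(known_suffix, suffix):
            return count
    return 0


class PasswordHistory:
    """Hypothetical per-account history of earlier passwords, stored only as salted PBKDF2 hashes."""

    def __init__(self, rounds: int = 50_000):
        self.rounds = rounds
        self._entries = {}  # account -> list of (salt, derived_key)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.rounds)

    def record(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries.setdefault(account, []).append((salt, self._derive(password, salt)))

    def was_used(self, account: str, password: str) -> bool:
        return any(
            hmac.compare_digest(self._derive(password, salt), stored)
            for salt, stored in self._entries.get(account, [])
        )


def evaluate_password(account: str, password: str, history: PasswordHistory) -> list:
    """Return the reasons to reject a candidate password; an empty list means accept it."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    seen = breach_count(password)
    if seen:
        reasons.append(f"breached:{seen}")
    if history.was_used(account, password):
        reasons.append("reused")
    return reasons


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("alice", "correct horse battery staple")
    for candidate in ["password123", "short1", "correct horse battery staple", "plover-xyzzy-4921"]:
        print(candidate, "->", evaluate_password("alice", candidate, history) or ["ok"])
```

The breach check runs before the history check because the corpus lookup is cheap and the PBKDF2 comparison is deliberately slow; both comparisons use constant-time equality so the screening service itself does not leak which suffix matched.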
What's in the full article
StrongDM's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of the main brute force variants, including reverse brute force and credential stuffing.
- Tool-specific notes on John the Ripper, Aircrack-ng, and Hashcat for readers comparing attack methods.
- Detailed prevention guidance on password policy changes, lockout logic, and authentication hardening.
- The article's worked examples of breach impact, including account compromise and remediation outcomes.
👉 Read StrongDM's guide to brute force attacks, examples, and prevention →
Brute force attacks and password hygiene: what teams need to change?
Explore further
Brute force remains an identity governance problem, not just a login problem. When attackers can convert weak or reused passwords into access, the failure sits in the governance model that tolerates reusable secrets across accounts and systems. That makes password policy, breached-credential hygiene, and privileged account separation part of the same control plane. Practitioners should treat brute force as a programme design issue, not a user-training issue.
A few things that frame the scale:
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%), according to The State of Non-Human Identity Security.
- The same research found that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, showing that governance maturity still lags attack reality.
A question worth separating out:
Q: What should teams do when brute force attempts target privileged accounts?
A: Teams should isolate privileged accounts, require stronger authentication, and watch for repeated failures or unusual login velocity before access is granted. If an administrative identity is exposed to brute force, the response should focus on containment, password replacement, and access path review rather than treating it like an ordinary user login event.
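As an added example (not code from StrongDM's article or from this editorial), the Python below implements the login controls named in the third guidance point above and the privileged-account monitoring described in this answer: a sliding-window throttle that applies progressive delays after failures, locks an account after a threshold that is stricter for privileged identities, keeps the lockout in force even when a later attempt carries the right password, and raises alerts on lockout and on unusual per-source attempt velocity. The auth-log format, the account names and addresses, and the LoginGuard class are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed auth-log format (assumed, not from the page): one line per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_event(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


class LoginGuard:
    """Sliding-window throttle: progressive delay, lockout, and alerts on lockout or source velocity."""

    def __init__(self, window_s=300, max_failures=5, privileged=(), priv_max_failures=3,
                 base_delay_s=1.0, max_delay_s=60.0, src_velocity=20):
        self.window = timedelta(seconds=window_s)
        self.max_failures = max_failures
        self.privileged = set(privileged)          # accounts that get the stricter limit
        self.priv_max_failures = priv_max_failures
        self.base_delay = base_delay_s
        self.max_delay = max_delay_s
        self.src_velocity = src_velocity            # attempts per window that trigger an alert
        self._failures = defaultdict(deque)         # user -> timestamps of recent failures
        self._attempts_by_src = defaultdict(deque)  # source -> timestamps of all recent attempts
        self._locked_until = {}
        self.alerts = []

    def _prune(self, dq, now):
        cutoff = now - self.window
        while dq and dq[0] < cutoff:
            dq.popleft()

    def decide(self, ev: dict) -> str:
        """Return 'allow', 'delay:<seconds>' or 'locked' for one attempt, recording alerts."""
        now, user, src = ev["ts"], ev["user"], ev["src"]
        src_dq = self._attempts_by_src[src]
        self._prune(src_dq, now)
        src_dq.append(now)
        if len(src_dq) == self.src_velocity:
            self.alerts.append(f"velocity: {src} made {len(src_dq)} attempts in {self.window.seconds}s")
        if now < self._locked_until.get(user, now):
            return "locked"  # still locked, even if this attempt carried the right password
        fail_dq = self._failures[user]
        self._prune(fail_dq, now)
        if ev["ok"]:
            fail_dq.clear()
            return "allow"
        fail_dq.append(now)
        limit = self.priv_max_failures if user in self.privileged else self.max_failures
        if len(fail_dq) >= limit:
            self._locked_until[user] = now + self.window
            self.alerts.append(f"lockout: {user} after {len(fail_dq)} failures from {src}")
            return "locked"
        delay = min(self.base_delay * 2 ** (len(fail_dq) - 1), self.max_delay)  # 1s, 2s, 4s, ...
        return f"delay:{delay:g}"


def run(lines, **guard_kwargs):
    """Replay log lines through a fresh guard; returns (per-line decisions, alerts)."""
    guard = LoginGuard(**guard_kwargs)
    decisions = [guard.decide(parse_event(line)) for line in lines if line.strip()]
    return decisions, guard.alerts


# Constructed sample log: three failures against admin, then a correct login during the
# lockout, an ordinary user with one slip, and admin again after the window has expired.
SAMPLE_LOG = """
2024-05-01T10:00:01Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=admin result=OK
2024-05-01T10:00:10Z src=198.51.100.4 user=bob result=FAIL
2024-05-01T10:00:11Z src=198.51.100.4 user=bob result=OK
2024-05-01T10:10:00Z src=198.51.100.4 user=admin result=OK
""".strip().splitlines()


if __name__ == "__main__":
    decisions, alerts = run(SAMPLE_LOG, privileged={"admin"}, src_velocity=4)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:10} {line}")
    for alert in alerts:
        print("ALERT", alert)
```

The fourth line is the case the answer above calls out: the attempt succeeds at the password layer, but the account is still inside its lockout window, so the guard refuses it and the earlier lockout alert is what the responder acts on. Running the same first three lines with admin treated as an ordinary account yields delays of 1, 2 and 4 seconds and no lockout, which is the difference the stricter privileged threshold makes.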
👉 Read our full editorial: Brute force attacks expose why passwords still fail identity security