
Brute Force Attacks: Still Brutal, Still Effective

Brute force attacks lack glamour. They involve no clever exploitation, no zero-days, no carefully crafted payloads. An attacker simply tries credentials repeatedly until something works. For an attack technique that has been understood for decades, brute force has demonstrated remarkable staying power. The reason is depressingly simple: it still works often enough to be worth running, and many environments still fail to defend against it properly.

Modern Brute Force Looks Different

The cliché image of brute force, hammering a single account with thousands of password attempts, has largely given way to subtler variants. Password spraying tries one or two common passwords against many accounts, avoiding lockouts that would trigger on any single account. Credential stuffing reuses combinations leaked from other breaches. Slow brute force spreads attempts across hours or days to evade rate limiting that watches only short windows. External network penetration testing that includes authentication probing reveals which of these approaches succeed against your specific configuration.

Common Targets

Public-facing authentication portals attract continuous brute force traffic. Microsoft 365 sign-in endpoints, VPN concentrators, remote desktop gateways, mail servers, and any SaaS application with leaked credentials all see sustained pressure. The attack rate against typical UK businesses runs into thousands of attempts per day, most of them automated. The successful ones rarely show up in the headlines because the resulting compromise gets used quietly for further attacks.

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: Almost every organisation I assess has at least one authentication endpoint without proper rate limiting, often on a legacy service that everyone forgot was still running. The fix is straightforward, but only after the endpoint has been identified, which is exactly what regular external testing is for.

Multi-Factor Authentication Helps But Is Not Magic

MFA blocks most simple brute force success cases by requiring something beyond a password. The protection is real, but it has limits. Attacks that bypass MFA through token theft, MFA fatigue prompts, SIM swapping, or social engineering have all featured prominently in recent years. Phish-resistant authentication using FIDO2 raises the bar significantly, and is increasingly recommended for high-value accounts. Plain TOTP and SMS-based MFA, while better than passwords alone, no longer represent state-of-the-art protection.

Account Lockout Versus Rate Limiting

Account lockout policies are a blunt instrument that can be turned against you. An attacker who knows valid usernames can lock out every account in your environment, denying service to legitimate users. Rate limiting, applied per source IP and per account, blocks attacks without producing the same denial-of-service vulnerability. Modern authentication systems support sophisticated rate limiting, including escalating delays and source reputation, but the configuration has to be set up explicitly.

Visibility Into Brute Force Activity

Authentication logs, ingested into a SIEM and monitored for unusual patterns, catch brute force attempts in progress. Watch for elevated failure rates from single sources, distributed failures across many accounts, successful authentications immediately following bursts of failures, and authentication from regions where you have no users. Tune detection to your environment, since legitimate failure rates vary widely between organisations.
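The three patterns above (a burst of failures from one source, one source failing against many accounts, and a success immediately after a burst of failures) can be expressed as a small sliding-window detector. This is an added example, not code from the article or from Aardwolf Security; the log format, the sample lines and the thresholds are constructed assumptions, and the thresholds are exactly the values you would tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <source IP> <account> <outcome>".
# 203.0.113.7 sprays six accounts and then lands a login; 198.51.100.2 is a user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:03 203.0.113.7 bob FAIL
2024-05-01T09:00:05 203.0.113.7 carol FAIL
2024-05-01T09:00:07 203.0.113.7 dave FAIL
2024-05-01T09:00:09 203.0.113.7 erin FAIL
2024-05-01T09:00:11 203.0.113.7 frank FAIL
2024-05-01T09:00:14 203.0.113.7 frank SUCCESS
2024-05-01T09:01:00 198.51.100.2 alice FAIL
2024-05-01T09:05:00 198.51.100.2 alice SUCCESS
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, account, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return sorted(events)

def detect_brute_force(events, window=timedelta(minutes=10), fail_threshold=5, spray_accounts=5):
    """Return sorted (rule, ip) alerts. Thresholds are assumed starting points, not recommendations."""
    alerts = set()
    recent = defaultdict(deque)  # ip -> failures (timestamp, account) still inside the window
    for ts, ip, account, outcome in events:
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if outcome == "FAIL":
            q.append((ts, account))
            if len(q) >= fail_threshold:  # elevated failure rate from a single source
                alerts.add(("FAIL_BURST", ip))
            if len({a for _, a in q}) >= spray_accounts:  # one source, many accounts
                alerts.add(("SPRAY", ip))
        elif outcome == "SUCCESS" and len(q) >= fail_threshold:  # login right after a burst
            alerts.add(("SUCCESS_AFTER_FAILURES", ip))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, ip in detect_brute_force(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {ip}")
```

The spray rule here keys on a single source, so a spray distributed across many IPs needs the same window kept per target account as well; the single-failure user never crosses a threshold and produces no alert.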

Practical Hardening

Enforce MFA everywhere, prefer phish-resistant methods for privileged accounts, implement rate limiting on all authentication endpoints, and monitor for the patterns above. Run periodic vulnerability scanning services that include authentication endpoint testing as part of the standard scope. Brute force has been around long enough that defences should be mature, but operational reality often falls short of policy. Closing the gap between the two is what reduces real risk.