A brute force attack tries millions of usernames and passwords per second against an account until it strikes gold. Although these attacks are quite simplistic in method, they continue to collect victims in their millions.

Here we cut through the jargon to explain how a brute force attack works, whether it's legal, and how it holds up to current security systems.

How does a brute force attack work?

A brute force attack is used to gain access to online accounts or stolen files by guessing usernames and passwords.

During a brute force attack, a computer program works at a vicious speed, trying infinite combinations of usernames and passwords until one fits.

How fast is a brute force attack?

The speed at which your password is cracked depends on:

The strength of your password

The power of the criminal's computer

Here is a quick guide to both:

Speed depending on password strength:

Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second.

There are 94 numbers, letters, and symbols on a standard keyboard. In total, they can generate around two hundred billion 8-character passwords.

The longer and more random a password, the tougher it is to crack. A 9-character password that includes a unique character takes around 2 hours to break; one without a unique character lasts just 2 minutes!

In comparison, a 12-mixed-character password would take three centuries to crack.

The takeaway

A simple password made up of only lowercase letters produces a lot fewer combinations than a password using a mix of random characters – around 300 million, to be exact. Therefore, computers don’t need much effort to guess a simple password – 8.5 hours on a Pentium 100, and instantly on a supercomputer.

(A Pentium 100 can try 10,000 passwords a second. A supercomputer can try 1,000,000,000 per second). So it's best to re-think your password.

Is a brute force attack illegal?

The only time a brute force attack is legal is if you were ethically testing the security of a system, with the owner's written consent.

In most cases, a brute force attack is used with intentions to steal user credentials – giving unauthorized access to bank accounts, subscriptions, sensitive files, and so on. That makes it illegal.

XChaCha20 encryption

NordPass uses cutting edge XChaCha20, making it one of the most secure password managers. XChaCha20 also supports the 256-bit key, which is the strongest encryption currently available. Favored by Google and Cloudflare, this level of encryption is so advanced it would take a supercomputer centuries to crack.

Deep security system

Encryption is only one part of a security strategy, so it's crucial to inspect how all the ingredients are mixed together. When a formidable algorithm like XChaCha20 sits inside a high-defense system like NordPass, an attacker has no chance.

In reality, this is exactly what separates NordPass from products that offer familiar, surface level features. It’s a deeply complex defense system built from the inside out.