Glossary

Brute-force attack

exhaustive key search, brute force

A brute-force attack systematically tests candidate keys or secrets until it finds one that produces a valid result.

Definition

A brute-force attack tries candidates without exploiting a shortcut in the cryptographic design. For encryption it may enumerate every key; for passwords it tests guesses from a chosen search space. The attack succeeds only if the correct result can be recognized.

What determines the cost

Cost depends on effective key entropy, work per attempt, available parallel hardware, rate limits, and the fraction of the space searched. Adding one truly random key bit doubles the worst-case search space. A 128-bit random key is beyond realistic exhaustive search with known computing technology.
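The cost factors above can be combined into a small estimator. This is an added example, not part of the original glossary; the class and function names are hypothetical, and the guess rates, device counts and the 8-letter password case are constructed figures, not measurements.

```python
import math
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600

@dataclass(frozen=True)
class SearchModel:
    entropy_bits: float                 # effective entropy, not nominal key length
    seconds_per_attempt: float          # work per attempt on one device
    devices: int = 1                    # parallel hardware
    rate_limit: Optional[float] = None  # attempts/s allowed by the verifier; None = offline

    def attempts_per_second(self) -> float:
        hardware = self.devices / self.seconds_per_attempt
        # A rate limit caps the search no matter how much hardware is available.
        return hardware if self.rate_limit is None else min(hardware, self.rate_limit)

    def years(self, fraction: float = 0.5) -> float:
        """Years to cover `fraction` of the space: 0.5 = average, 1.0 = worst case."""
        if not 0 < fraction <= 1:
            raise ValueError("fraction must be in (0, 1]")
        seconds = fraction * 2.0 ** self.entropy_bits / self.attempts_per_second()
        return seconds / SECONDS_PER_YEAR

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; human-chosen ones have less."""
    return length * math.log2(alphabet_size)

def min_seconds_per_attempt(entropy_bits: float, devices: int, target_years: float) -> float:
    """Per-attempt cost needed for an average offline search to take target_years."""
    return target_years * SECONDS_PER_YEAR * devices / (0.5 * 2.0 ** entropy_bits)

if __name__ == "__main__":
    pw = password_bits(26, 8)  # constructed case: 8 random lowercase letters
    cases = {
        "128-bit key, 1e6 devices at 1e12/s each": SearchModel(128, 1e-12, 1_000_000),
        "password, fast hash, offline": SearchModel(pw, 1e-10),
        "password, 0.1 s per hash, offline": SearchModel(pw, 0.1),
        "password, online, 10 attempts/s limit": SearchModel(pw, 1e-10, rate_limit=10),
    }
    for name, model in cases.items():
        print(f"{name}: avg {model.years():.3g} y, worst {model.years(1.0):.3g} y")
    print(f"cost per attempt for 100 y vs 1000 devices: "
          f"{min_seconds_per_attempt(pw, 1000, 100):.3g} s")
```

The last function turns the model around for sizing a password-hashing work factor against an assumed amount of parallel hardware.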

Brute force and smarter attacks

Dictionary and cryptanalytic attacks prioritize likely candidates or exploit structure, so they are not pure exhaustive search. Weak passwords, small classical key spaces, leaked verification data, and offline attacks make brute force practical; strong keys and deliberately expensive password hashing raise its cost.

Frequently asked questions

Only if the key is in the searched space, enough resources are available, and a correct candidate can be verified.

For a uniformly random key and a full unordered search, about half of the key space on average and the entire space in the worst case.

No. A dictionary attack tests likely human choices first; brute force systematically covers a defined space.
