Password Hacking – 5. Attack Types – Bruteforce

What is a brute force attack?

A brute force attack is a password attack where every possible combination in a range of characters is generated and used against the password hash.

For those visual learners, a brute force attack is presented pretty well with a Rubik’s Cube. The brute force attack would be the act of your hand turning the cubes in every possible direction to create different combinations until finally the Rubik’s Cube is solved and you have matching colors, the password.

When selecting a range of characters to use for a brute force attack, you have a few options. Below are the ones available in the popular cracking program, Brutus.

  • Numerical – Use any numbers from 0-9
  • Lowercase Alpha – The lowercase alphabet
  • Uppercase Alpha – The uppercase alphabet
  • Mixed Alpha – Both lowercase and uppercase
  • Alphanumeric – The lowercase and uppercase alphabet plus digits 0-9
  • Full Keyspace – Everything above including all the special characters on your keyboard.
  • Custom Range – If you have an idea of the characters included in the password(s) you can create a custom list of characters to use.

Each range option yields a different amount of possible password combinations. Let’s look at how many combinations there are for a password of 0-6 characters in length.

  • Numerical – 1,111,110 Passwords
  • Lowercase Alpha – 321,272,406 Passwords
  • Uppercase Alpha – 321,272,406 Passwords (obviously the same because it’s the same amount of characters)
  • Mixed Alpha – 20,158,268,676 Passwords
  • Alphanumeric – 57,731,386,986 Passwords
  • Full Keyspace – 697,287,735,690 Passwords

For a six character password, we are hitting over 697 Billion combinations for the full keyspace! And by just adding one more character to the password making it 0-7, the number of combinations jumps to 65,545,047,154,955, that’s over 65 Trillion! As you can see, it makes a big difference having an idea of what types of characters are being used in the password(s) and how long it is.

Calculating Number of Combinations

You now have an idea of how the number of combinations can grow with the addition of a new character or an extra character in the password, but how are these numbers calculated? Simple.

If you are doing a Numerical attack on a 6 character long password, that means there are 10 possible different characters (0-9) that you can use. So the equation to calculate the number of different combinations is:

# of different possible characters password length

So the expression for our example would be:


Which, once calculated, comes out to 1,000,000 combinations?

Wait! Didn’t I state that there are 1,111,110 possible combinations for the same character set before? Yes, but it was for passwords that consisted of 0 to 6 characters long, not just 6. If you don’t get what I mean, look at it this way. When I’m looking for all the possible combinations of a password that is of length 0 to 6, I need to account for the combinations of all the 6 character length combinations, 5 character combinations, 4 character combinations and so on. If you were doing it out, this is what it would look like:

106 + 105 + 104 + 103 + 102 + 10 1 = 1111110

This would get pretty tedious if you had to do it manually for long numbers, so here’s a simple C script I put together that does it out for you:


#include <stdio.h>

#include <math.h>




int n = 10; // number of possible characters

int a = 6; // length of the password

unsigned long long int x = 0; // this will hold the answer, its set to unsigned long long int so that the variable x can

// hold the largest possible number


while (a >= 1){ // keep going until a is 1


x+= pow(n,a); //take n to the power of a and add it to x

a–;  //subtract 1 from a


} //do it again until a is lower than 1


printf(“The number of possible combinations is %lld.\n”,x); //finally print the answer




Backwards Brute Force Attack

A backwards Brute Force attack is a brute force attack against usernames. So instead of using the brute force attack to create and try a bunch of password combinations, you will be most likely be using one password and using the brute force attack to generate all possible usernames in a range of characters, trying that password(s) against it.

When should you use a Brute Force attack?

Only use a brute force attack when a Dictionary and all other options fail. A brute force attack takes a lot of resources and a lot of time to perform. Depending on how big the password is, the range of characters being used and the resources available, a brute force attack can take years to fully complete as you’ll see later on.

Leave a Reply

Your email address will not be published. Required fields are marked *