Have you heard about brute force and wondered what it really means? Here’s a simple explanation.
Brute force is a method of password recovery by trying every possible combination of characters until the correct password is found. Typically, these characters include numbers (0-9), lowercase and uppercase letters (a-z, A-Z), and special characters (~!@"#$%, etc.). Usually, this totals around 80-95 different characters.
How does brute force work?
Imagine you lost a password. Brute force starts by testing every possible one-character password first:
0, 1, ... 9, a, b, ... z, A, B, …
If that doesn't work, it moves on to two-character passwords:
00, 01, ... 09, 0 a, ..., 0z, 0A , 0B, …
This process goes on, checking longer and longer passwords until the correct one is found.
How many combinations does brute force check?
Here’s a quick look at how many possible passwords there can be if using 95 different characters:
| Password Length | Number of variants (for 95 characters set) |
|---|---|
| 1 | 95 |
| 2 | 95^2 = 9,025 |
| 3 | 95^3 = 857,375 |
| 4 | 95^4 = 81,450,625 |
| 5 | 95^5 = 7,737,809,375 |
| 6 | 95^6 = 735,091,890,625 |
| 7 | 95^7 = 69,833,729,609,375 |
| 8 | 95^8 = 6,634,204,312,890,625 |
| 9 | 95^9 = 630,249,409,724,609,375 |
| 10 | 95^10 = 59,873,693,923,837,890,625 |
As you can see, the number of combinations grows extremely fast. An 8-character password already has over 6 trillion combinations! Modern security recommends passwords of 12 characters or more, making brute force nearly impossible without specific details.
What if I don’t know the exact password structure?
Without knowing the password's exact length and character set, brute force can be practically impossible. For example, if you consider all possible passwords up to 10 characters with 95 possible characters each, you'd have over 60 quintillion combinations. Even powerful computers would need years to check them all.
When does brute force actually work?
Brute force works effectively only if you know the exact password structure. For example, if you're certain your password is exactly 8 characters long and uses only lowercase letters and numbers, then there are about 3 trillion combinations (368 = 2,821,109,907,456). Modern computers can handle this relatively quickly.
Important: If your guess about the password structure is incorrect, brute force will fail. Make sure your information is accurate before starting this process!