A brute-force attack is the digital equivalent of the orcs attacking Helm’s Deep (copyright JRR Tolkien). The defense made sense against a small army, but the sheer volume of attacks meant that once the vulnerability was discovered, the original defensive strategy no longer made sense, and the walls fell. A brute-force attack uses computer programs to attempt to crack a user’s password. Attackers use this method against passwords for two reasons: (1) it is very easy to automate, and (2) it has a 100% success rate, given enough time.
The only guaranteed defense against this attack vector is using a factor other than, and in addition to, a password (Multi-Factor Authentication). Additionally, limiting repeated failed password attempts (i.e., account lockout and/or rate limiting) means that an attacker would need incredible luck to guess a strong password. The combination of these two preventative controls, successfully implemented, renders brute-force attacks completely ineffective.