
Dark Arts : An overview of Brute Forcing and Defense

Anatomy of the Dark Side

If you run a service with authentication, your servers will be targeted with brute force attempts. There are a couple of interesting attacks here that we will explain, and cover controls for, including:

Standard Brute Force
Wordlists
Targeted Wordlists
Credential Stuffing

Brute Force and Password Entropy

An actual brute force attack involves iteratively generating every possible password. Think ‘A’, ‘B’, … ‘AA’, ‘AB’, … and so on. This kind of attack is unlikely to occur over a network because of the number of attempts needed before it succeeds. Although, theoretically, this could ultimately break any password, the network is too slow to try this. For instance, a weak password of just 5 characters drawn from the 95 printable ASCII characters gives a space of about 95^5, or roughly 7 Billion, passwords. Trying passwords randomly, we expect a 50% chance of success after covering 50% of the space, or 3.5 Billion attempts. At 10 passwords per second this would take 4,000 years. This tactic simply isn’t viable.