The brute force method is a problem-solving approach that tries every possible solution until it finds the right one. Rather than using shortcuts or clever strategies, it relies on raw computational power to systematically check all candidates. The concept applies across computer science, from cracking passwords to solving optimization problems, and it’s both the simplest and most resource-hungry way to guarantee a correct answer.
How Brute Force Works
The logic behind brute force is straightforward: generate every possible output, test each one against the requirements, and stop when you find a match. In pseudocode, the pattern is essentially “for every possible answer, check if it satisfies the problem; if yes, return it.” This is sometimes called “generate and test” or exhaustive search.
Consider a combination lock with three digits, each ranging from 0 to 9. A brute force approach starts at 000, then tries 001, 002, and so on through 999. There are 1,000 possible combinations, and you’re guaranteed to find the right one eventually. You don’t need to know anything about how the lock was set. You just need patience.
This same principle scales to far more complex problems. Searching for a specific item in an unsorted list, matching patterns in text, or finding the shortest route between cities can all be solved by brute force. The method always works given enough time. The question is whether “enough time” is seconds or centuries.
Why It Gets Expensive Fast
Brute force algorithms grow in cost at rates that quickly become impractical. For simple problems like searching an unsorted list, the time grows proportionally to the number of items. But for problems where you’re checking combinations, the growth is exponential. Such searches take time proportional to the number of choices at each step raised to the depth of the search, which means adding even a small amount of complexity can multiply the work enormously.
A concrete example: an 8-character password using uppercase letters, lowercase letters, and digits has 62 possible characters per position. That produces 62 to the 8th power, or roughly 218 trillion possible combinations. If the password also allows special characters, that number climbs higher still. For a sorting or searching problem, a brute force approach that checks every pair of elements in a list takes time proportional to the square of the list size. With 100 items, that’s 10,000 operations, which is fine. With 10,000 items, it’s 100 million, which starts to matter.
The traveling salesperson problem illustrates the ceiling well. Finding the shortest route that visits every city exactly once requires checking every possible ordering of cities. With 10 cities, exhaustive search is feasible and has been used in real transport network planning, such as optimizing routes across the 10 municipalities of the Rijeka urban area in Croatia. But with 20 cities, the number of possible routes exceeds 2 quintillion. At 50 cities, no computer on Earth could finish the calculation before the sun burns out.
Brute Force vs. Smarter Approaches
The main alternative to brute force is heuristic search, which uses knowledge about the problem to skip large portions of the solution space. Brute force methods are sometimes called “blind” or “weak” search methods because they don’t need any understanding of the problem’s structure. That generality is their strength and their weakness: they work on anything, but they’re less efficient than methods tailored to the specific problem.
A heuristic approach to the traveling salesperson problem might estimate which routes look promising based on the distances between nearby cities, then explore only those. It might not guarantee the absolute best answer, but it can find a very good one in a fraction of the time. Brute force guarantees perfection at the cost of speed. Heuristics trade a small amount of certainty for enormous gains in efficiency.
In practice, brute force is often the starting point. Programmers use it when the problem is small enough that exhaustive search finishes quickly, when correctness matters more than speed, or when they need a baseline to verify that a cleverer algorithm is producing the right results.
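The baseline role described above, as an added example that is not part of the original article: an exhaustive search for the shortest round trip is used to check a nearest-neighbour heuristic. The five city positions are constructed sample data (cities along a single road, so the optimum is easy to confirm by hand), and all function names are illustrative.

```python
from itertools import permutations
from math import factorial

# Constructed sample: five cities along one road, given by position in km.
POSITIONS = [0, 1, -2, 5, -10]
DIST = [[abs(a - b) for b in POSITIONS] for a in POSITIONS]

def tour_length(tour, dist):
    """Length of the closed tour, including the leg back to the start."""
    return sum(dist[a][b] for a, b in zip(tour, tour[1:] + tour[:1]))

def brute_force_tsp(dist):
    """Generate and test every ordering that starts at city 0."""
    best = None
    for rest in permutations(range(1, len(dist))):
        tour = [0, *rest]
        length = tour_length(tour, dist)
        if best is None or length < best[0]:
            best = (length, tour)
    return best

def nearest_neighbour_tsp(dist):
    """Heuristic: always travel to the closest city not yet visited."""
    tour, unvisited = [0], set(range(1, len(dist)))
    while unvisited:
        nxt = min(unvisited, key=lambda c: dist[tour[-1]][c])
        tour.append(nxt)
        unvisited.remove(nxt)
    return tour_length(tour, dist), tour

def orderings(n):
    """Number of orderings of n cities that exhaustive search must cover."""
    return factorial(n)

if __name__ == "__main__":
    print("exhaustive:", brute_force_tsp(DIST))
    print("heuristic: ", nearest_neighbour_tsp(DIST))
    for n in (10, 20):
        print(n, "cities:", orderings(n), "orderings")
```

On this input the heuristic returns a longer tour than the exhaustive search, which is exactly the kind of gap a brute force baseline exposes.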
Brute Force in Password Cracking
The most widely discussed real-world application of brute force is password cracking. An attacker tries every possible password until one works. If the password uses only lowercase letters and is at most 5 characters long, the maximum number of attempts is about 12.4 million. On average, the correct password turns up after roughly half that many guesses, around 6.2 million.
Modern hardware makes short passwords trivially vulnerable. A single high-end graphics card like the RTX 4090 can test approximately 164 billion password hashes per second when running specialized cracking software. At that speed, those 12.4 million lowercase combinations would be exhausted in a fraction of a millisecond. Even the 218 trillion combinations of an 8-character alphanumeric password would take only about 22 minutes.
This is why password length and complexity matter so much. Every additional character multiplies the total number of possibilities by the size of the character set. Going from 8 characters to 12 characters with the same 62-character alphabet increases the search space by a factor of nearly 15 million. Adding symbols pushes it further. A brute force attack is always theoretically possible, but the goal of good password design is to make it take so long that it’s not worth attempting.
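A small search-space calculator for the figures in this section, added here as an example and not taken from the original article. It goes one step further than the text by solving for the shortest password length that keeps the average search above a chosen duration; the 100-year target and the function names are assumptions.

```python
YEAR_S = 365.25 * 24 * 3600
GPU_RATE = 164e9  # hashes per second, the figure quoted in the text;
                  # the real rate depends on the hash algorithm in use

def keyspace(alphabet, length, up_to=False):
    """Candidates of exactly `length` characters, or of 1..length if up_to."""
    if up_to:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length

def seconds_to_exhaust(space, guesses_per_s, average=False):
    """Worst case tries every candidate; the average case tries half."""
    tried = space / 2 if average else space
    return tried / guesses_per_s

def min_length(alphabet, guesses_per_s, target_s):
    """Shortest fixed length whose average search time reaches target_s."""
    length = 1
    while True:
        space = keyspace(alphabet, length)
        if seconds_to_exhaust(space, guesses_per_s, average=True) >= target_s:
            return length
        length += 1

if __name__ == "__main__":
    for alphabet, length in [(26, 5), (62, 8), (62, 12)]:
        space = keyspace(alphabet, length)
        worst = seconds_to_exhaust(space, GPU_RATE)
        print(f"{alphabet}^{length} = {space:,} candidates, {worst:.3g} s worst case")
    # Assumed policy target: average search of at least 100 years.
    for alphabet in (26, 62):
        print(alphabet, "symbols ->", min_length(alphabet, GPU_RATE, 100 * YEAR_S))
```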
How Systems Defend Against It
Since nothing stops an attacker from attempting a brute force attack, defenses focus on making it too slow to succeed. The most common strategies work by limiting how many guesses an attacker can make in a given timeframe.
- Rate limiting: Servers reject login requests after a threshold, such as 5 attempts per minute. This forces the attacker to slow down so dramatically that completing an exhaustive search becomes mathematically impossible within any reasonable timeframe.
- Account lockouts: After 3 to 5 failed attempts, the account is temporarily locked. This is effective but carries a risk: attackers can intentionally trigger lockouts to block legitimate users from accessing their own accounts.
- Multi-factor authentication: Even if an attacker guesses the password, they still need a second piece of evidence, like a code from your phone. This makes a successful breach functionally impossible for standard attackers, even if the password itself is weak.
NIST, the U.S. agency that sets federal security standards, requires systems to limit consecutive failed login attempts to no more than 100 on a single account before disabling that login method. Combined with rate limiting, this keeps online brute force attacks firmly in check, even as hardware gets faster.
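One way to combine the rate limit and the consecutive-failure cap described above, as an added example that is not code from the original article or from NIST. The class and function names are hypothetical, the defaults use the article's figures (5 attempts per minute, 100 consecutive failures), and timestamps are passed in explicitly so the behaviour can be replayed deterministically.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account sliding-window rate limit plus a consecutive-failure cap."""

    def __init__(self, max_per_window=5, window_s=60, max_failures=100):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.max_failures = max_failures
        self.attempts = defaultdict(deque)  # account -> recent attempt times
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.disabled = set()               # password login switched off

    def check(self, account, now):
        """Return 'ok', 'rate_limited' or 'disabled' before testing a password."""
        if account in self.disabled:
            return "disabled"
        recent = self.attempts[account]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                # forget attempts outside the window
        if len(recent) >= self.max_per_window:
            return "rate_limited"
        recent.append(now)
        return "ok"

    def record(self, account, success):
        """Update the consecutive-failure counter after a password check."""
        if success:
            self.failures[account] = 0
            return
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.disabled.add(account)

def simulate_guessing(throttle, account, guesses, interval_s):
    """Replay evenly spaced wrong guesses; return how many were checked."""
    checked = 0
    for i in range(guesses):
        if throttle.check(account, now=i * interval_s) == "ok":
            throttle.record(account, success=False)
            checked += 1
    return checked
```

Replaying one wrong guess per second, only 85 of the first 1,000 guesses reach the password check, and the account's password login is disabled once 100 consecutive failures accumulate.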
When Brute Force Is the Right Choice
Despite its reputation for inefficiency, brute force is genuinely useful in specific situations. When the search space is small, exhaustive search finishes quickly and guarantees the correct answer. It’s also valuable when no efficient algorithm exists for a problem, or when you need to verify that a faster algorithm is producing accurate results.
In cryptography, brute force resistance is the baseline measure of security. An encryption scheme is considered strong when the key space is large enough that testing every key would take longer than is practically feasible, even with the fastest available hardware. The entire field of modern encryption rests on the assumption that brute force is the attacker’s last resort and that the math makes it an impossibly slow one.
For everyday programming tasks like searching small datasets, matching short patterns, or solving puzzles with limited possibilities, brute force is often the simplest and most readable approach. Writing a clever algorithm takes development time, and if the problem is small enough that brute force runs in milliseconds, the cleverness isn’t worth the effort.

