A brute force attack is a trial-and-error method for recovering a secret such as a password or a Data Encryption Standard (DES) key by exhaustive search rather than by any cleverness about the algorithm itself. The fundamental premise is that the attacker (or their software) tries every possible combination of characters until the correct one is found. It is technically "effective" in that it will eventually succeed given unlimited time and resources, but in practice it is often neither fast nor guaranteed to succeed.
The primary limitation of brute force attacks is time. As password complexity increases (adding uppercase letters, numbers, and special symbols), the number of possible combinations grows exponentially with both the character set and the length. For a high-entropy password, a standard brute force attack might take years or even centuries to complete, making it practically useless for an immediate breach. Furthermore, modern security systems implement "lockout" policies, such as freezing an account after three failed attempts, which effectively shut down automated online guessing against the login interface.
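The exponential growth described above is easy to quantify. The following added example (not part of the original text) computes the size of the search space for a given character set and length, converts it to entropy bits, and estimates the worst-case time to exhaust it at an assumed guess rate. The character-set sizes and the guess rates are assumptions chosen for illustration, not measurements.

```python
import math

# Assumed character-set sizes (printable ASCII): 26 lowercase, 26 uppercase,
# 10 digits, 33 punctuation symbols. These are illustrative constants.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Duration units, largest first, for human-readable output.
UNITS = [
    ("years", 365.25 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return charset_size ** length


def cumulative_keyspace(charset_size: int, max_length: int) -> int:
    """Candidates of every length from 1 up to `max_length` (an attacker who does
    not know the length must try all of them)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Equivalent key strength in bits: log2 of the number of candidates."""
    return math.log2(space)


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate (expected time is half)."""
    return space / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def estimate(charset_size: int, length: int, guesses_per_second: float) -> dict:
    """Summarise one (charset, length, rate) scenario."""
    space = cumulative_keyspace(charset_size, length)
    return {
        "charset": charset_size,
        "length": length,
        "candidates": space,
        "bits": round(entropy_bits(space), 1),
        "worst_case": format_duration(worst_case_seconds(space, guesses_per_second)),
    }


if __name__ == "__main__":
    # Assumed rates: an online login form throttled to ~10 guesses/s versus an
    # offline attack on a stolen fast hash at ~10^10 guesses/s.
    for rate_name, rate in (("online 10/s", 10), ("offline 1e10/s", 1e10)):
        print(f"--- {rate_name} ---")
        for charset in (LOWER, LOWER + UPPER + DIGITS, LOWER + UPPER + DIGITS + SYMBOLS):
            for length in (6, 8, 12):
                e = estimate(charset, length, rate)
                print(f"charset={e['charset']:3d} len={e['length']:2d} "
                      f"{e['bits']:6.1f} bits  worst case {e['worst_case']}")
```

Running the script prints a small table showing that each added character class and each extra character multiplies the space, while a "lockout" or throttle on the online rate changes the outcome by many orders of magnitude on its own.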
Ethical hackers distinguish between "pure" brute force and "dictionary attacks". A dictionary attack uses a pre-compiled list of common words and previously leaked passwords, which is far faster than trying every character combination but only works if the victim uses a common or weak password. To mitigate brute force risks, organizations use "salting" (adding random data to each password before hashing) and multi-factor authentication (MFA). Therefore, while brute force remains a valid threat vector that must be tested, it is generally considered a "last resort" for an attacker because of its high time cost and high probability of detection or failure.
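The defensive measures mentioned above (salting, screening against leaked-password lists, and the lockout policy from the previous paragraph) fit together in a small authentication routine. The following is an added example, not code from the original text: it stores passwords as salted PBKDF2-HMAC-SHA256 digests, rejects candidates found in a constructed "breached passwords" set, and freezes an account after three consecutive failures. The iteration count, lockout window and the contents of the list are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a real compromised-credential corpus (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed work factor; a deployment would choose this from current guidance.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per password,
    so two users with the same password get unrelated digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def is_weak(password: str) -> bool:
    """Dictionary screening: reject anything in the known-compromised list."""
    return password.lower() in COMMON_PASSWORDS


class LockoutPolicy:
    """Freeze an account for `lockout_seconds` after `max_failures` consecutive failures."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = {}      # user -> consecutive failures
        self.locked_until: Dict[str, float] = {}  # user -> unix time lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures[user] = 0
            return
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0


def login(store: Dict[str, Tuple[bytes, bytes]], policy: LockoutPolicy,
          user: str, password: str, now: float,
          iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'locked', 'ok' or 'fail'. Unknown users still pay the hashing cost
    so response time does not reveal whether the account exists."""
    if policy.is_locked(user, now):
        return "locked"
    salt, digest = store.get(user, (b"\x00" * 16, b"\x00" * 32))
    ok = verify_password(password, salt, digest, iterations) and user in store
    policy.record(user, ok, now)
    return "ok" if ok else "fail"
```

In `login`, the lock is checked before any hashing so a locked account costs the server nothing, and the failure counter resets only on a successful sign-in, which is what makes repeated automated guessing self-limiting.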