A brute-force attack is fairly easy to understand and very hard to protect against. Encryption is nothing but math, and since computers are very good at math, they are well suited to cracking it. Brute-forcing means trying every possible combination until the correct value is found.
Brute-force attacks can be used against all forms of encryption, and the degree of success varies from type to type. These attacks become more effective with each passing day as newer and faster computer hardware is released.
Basics
Brute-force attacks are very simple to understand. Let's say you have an encrypted file that you locked with an encryption key. To decrypt it, I can try every single possible password and see whether one of them results in a decrypted file.
This can be done automatically with a computer program, so the speed at which one can brute-force encryption increases exponentially as the available hardware gets faster and can do more calculations per second. A brute-force attack generally starts with one-digit passwords, then moves to two-digit passwords, and so on, trying all possible combinations until it finds the correct one.
A “dictionary attack” is very similar, but it tries words from a dictionary or a list of common passwords instead of all possible passwords. This is very effective, as many people use such common and weak passwords.
Brute-Force Limits
There is a difference between offline and online brute-force attacks. For example, if you want to brute-force your way into a Gmail account, you will begin to try every single possible password, but Google will quickly cut you off. Services that provide access to such accounts limit how many attempts can be made and ban IP addresses that attempt to log in too many times. This is why an attack against an online service does not work well: only a few attempts are possible before the attack is halted.
For example, after a fixed number of failed login attempts, Gmail will show you a CAPTCHA image to verify that you aren’t a computer automatically trying passwords. They’ll likely stop your login attempts completely if you manage to continue for long enough. Of course, methods now exist to bypass the CAPTCHA as well.
Hashing
Many of the latest and strongest hashing algorithms are able to slow down brute-force attacks. Basically, hashing algorithms do additional math on the password before they store the resulting value on disk. If a strong hashing algorithm is used, it takes thousands of times as much mathematical work to try each password, which dramatically slows down the brute-force attack. However, the more work each attempt requires, the more work a server or other computer has to do each time a user logs in with the password. Software must balance resilience against brute-force attacks with resource usage.
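The trade-off described above can be measured from the defender's side. The following is an added example, not code from the original article: it stores a password with PBKDF2-HMAC-SHA256 (an algorithm chosen here for illustration, the article names none), times one login check at several work factors, and multiplies that cost by the number of candidates a length-by-length search would have to cover. The iteration counts, the 36-symbol alphabet and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, iterations, salt=None):
    """Return (salt, iterations, digest): the record a server stores on disk."""
    salt = salt if salt is not None else os.urandom(16)  # unique salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute the hash at login and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def seconds_per_check(iterations, samples=3):
    """Best-of-N wall-clock cost of one check: paid per login and per guess."""
    record = hash_password("constructed-sample", iterations)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        verify_password("constructed-guess", record)
        best = min(best, time.perf_counter() - start)
    return best


def keyspace(alphabet_size, max_length):
    """Candidates when trying every length from 1 up to max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def worst_case_days(alphabet_size, max_length, secs_per_check):
    """Time to exhaust the keyspace on one core at the measured cost."""
    return keyspace(alphabet_size, max_length) * secs_per_check / 86400


if __name__ == "__main__":
    # Constructed scenario: lowercase letters and digits (36 symbols), up to 8 long.
    for iterations in (1, 1_000, 600_000):
        cost = seconds_per_check(iterations)
        days = worst_case_days(36, 8, cost)
        print(f"{iterations:>7} iterations: {cost * 1000:8.3f} ms per login, "
              f"{days:,.0f} days to exhaust the keyspace")
```

The same per-check cost appears in both columns of the output: raising the iteration count lengthens the exhaustive search and the server's login time by the same factor, which is the balance the paragraph above describes.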