A brute force attack is a password attack where an adversary uses automated tools to systematically try many possible passwords until one logs in successfully. In AP Cybersecurity, it shows up as a sign of an online password attack in Topic 1.2.
A brute force attack is exactly what it sounds like: an attacker keeps guessing passwords until one works. Instead of typing by hand, the adversary uses an automated tool to fire off attempt after attempt, often working through common passwords, common password patterns, or passwords stolen from other breaches (EK 1.2.A.1).
The key idea is volume. A human might try three or four guesses; a brute force tool can try thousands. That's why one of the clearest warning signs is many failed login attempts over a short duration, along with logins at unusual times or from unknown devices (EK 1.2.A.2). The attack works because people make it easy. If your password follows a predictable pattern (a word, a two-digit year, a special character at the end), the tool doesn't have to try every combination on Earth, just the likely ones.
This term lives in Unit 1: Introduction to Security, specifically Topic 1.2 Suspicious Website Logins. It's the mechanism behind learning objective AP Cybersecurity 1.2.A, where you identify the signs of a password attack, and it directly connects to 1.2.B (how adversaries exploit weak authentication) and 1.2.C (how to make authentication stronger). Recognizing a brute force attack is the foundation for understanding why long, random, unique passwords and multifactor authentication exist in the first place. If you can spot the attack, you can explain the defense.
Dictionary Attack (Unit 1)
A dictionary attack is a smarter, narrower brute force attack. Instead of trying every random string, the adversary builds a list of likely passwords from personal info like a target's pet name, birthday, or anniversary (EK 1.2.B.2), then automates the guessing. Same idea, better aim.
Online vs. Offline Password Attack (Unit 1)
Brute forcing live login attempts is an online password attack, which leaves a trail of failed logins you can detect. An offline password attack means the attacker stole the hashed passwords and brute forces them on their own machine, where no one is watching the failed tries.
Multifactor Authentication (Unit 1)
MFA is the counter-punch to brute force. Even if an attacker guesses your password, they still need a second proof of identity like a one-time code (EK 1.2.C.3). Guessing the password stops being enough.
Authentication Log (Unit 1)
Authentication logs are how you actually catch a brute force attack. The flood of failed login attempts, odd login times, and unknown devices all show up as entries you can review.
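To make the log review concrete, here is an added example (not part of the original study guide) that scans a small constructed authentication log for the three warning signs in EK 1.2.A.2. The log format, device inventory, thresholds, and the `detect` function name are all assumptions chosen for illustration, and the log is assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, device, result
SAMPLE_LOG = """\
2024-05-01T09:02:11 alice laptop-01 SUCCESS
2024-05-01T14:30:00 bob desktop-07 FAIL
2024-05-02T03:14:01 alice unknown-9f FAIL
2024-05-02T03:14:03 alice unknown-9f FAIL
2024-05-02T03:14:05 alice unknown-9f FAIL
2024-05-02T03:14:07 alice unknown-9f FAIL
2024-05-02T03:14:09 alice unknown-9f FAIL
2024-05-02T03:14:12 alice unknown-9f SUCCESS
2024-05-02T10:00:00 bob desktop-07 SUCCESS
"""

# Assumed values; a real deployment would tune these to its own users.
KNOWN_DEVICES = {"alice": {"laptop-01"}, "bob": {"desktop-07"}}
MAX_FAILS = 5                   # failures that count as "many"
WINDOW = timedelta(minutes=1)   # what counts as a "short duration"
USUAL_HOURS = range(7, 22)      # 07:00-21:59 treated as normal login hours

def detect(log):
    """Return {user: [signs]} for every user showing a password-attack sign."""
    signs = defaultdict(set)
    recent_fails = defaultdict(deque)   # per-user failure times inside WINDOW
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                    # skip malformed entries
        stamp, user, device, result = parts
        ts = datetime.fromisoformat(stamp)
        if device not in KNOWN_DEVICES.get(user, set()):
            signs[user].add("unknown_device")
        if ts.hour not in USUAL_HOURS:
            signs[user].add("unusual_time")
        if result == "FAIL":
            fails = recent_fails[user]
            fails.append(ts)
            while ts - fails[0] > WINDOW:   # drop failures older than the window
                fails.popleft()
            if len(fails) >= MAX_FAILS:
                signs[user].add("many_failed_logins")
    return {user: sorted(found) for user, found in signs.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Bob's single mistyped password during the day raises nothing, while the burst against alice's account trips all three signs at once.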
Expect multiple-choice stems that describe a scenario and ask you to name what's happening. One released-style question describes an attacker gathering a target's pet name, birthdate, and anniversary, then using automated software to try combinations as passwords, and asks which term fits. Others test the warning signs directly, like an email account accessed from a smartphone the user never owned (login from an unknown device). Your job is to match the behavior to the right term and to know the defenses (long unique passwords, password managers, MFA). No released FRQ has used 'brute force attack' verbatim, but the concept supports the kind of explain-the-attack-and-the-defense reasoning the exam rewards.
A pure brute force attack tries every possible combination, exhausting the keyspace. A dictionary attack only tries a curated list of likely passwords, often built from common passwords or the target's personal info. Think of brute force as checking every key on the ring, and a dictionary attack as checking only the keys that look like they'd fit.
A brute force attack is an automated, high-volume guessing of passwords until one logs in successfully.
The clearest signs are many failed login attempts in a short time, logins at unusual times, and logins from unknown devices (EK 1.2.A.2).
It works because people use predictable patterns, like a word plus a two-digit year and a special character, which shrinks the number of guesses needed.
A dictionary attack is a targeted version of brute force that uses a list built from common or personally relevant passwords.
The best defenses are long, random, unique passwords and multifactor authentication (EK 1.2.C.1 and 1.2.C.3).
It's a password attack where an adversary uses automated tools to try many possible passwords until one works. It appears in Unit 1, Topic 1.2 as a type of online password attack, signaled by lots of failed logins in a short window.
Not quite. A brute force attack can try every possible combination, while a dictionary attack only tries a focused list of likely passwords, often built from a target's personal info like their pet's name or birthday (EK 1.2.B.2). A dictionary attack is the smarter, narrower cousin.
Use passwords that are long, random, and unique so guessing them becomes impractical, ideally generated by a password manager. Then enable multifactor authentication so a guessed password alone isn't enough to get in (EK 1.2.C).
Watch for many failed login attempts over a short duration, login attempts at unusual times, and login attempts from unknown devices (EK 1.2.A.2). These show up in authentication logs.
No. Many attacks lean on common passwords, common patterns, or previously stolen passwords first, since those are most likely to hit (EK 1.2.A.1). Attackers go for the easy guesses before exhausting everything.