A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. We may use brute-force techniques to gain access to accounts when passwords are unknown (online) or when password hashes are obtained (offline).

Although this section is entitled "Brute-Force", there are various types of password attack, which we will be concentrating on:

• Brute-force attacks: every possibility for a given character set and a given length (i.e. aaa, aab, aac, ...) is sent to the target service or hashed and compared against the target hash.

• Dictionary attacks: every word of a given list (a.k.a. dictionary) is sent to the target service or hashed and compared against the target hash.

• Rainbow table attacks: use pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. Note that this attack cannot work if the hashed value is salted.