Spec & Goals 3 min
AQA Spec 3.6.1.1 — Brute-force attacks; weak and default passwords
By the end of this lesson you can:
- Describe a brute-force attack.
- Explain why weak and default passwords are a security risk.
- State how to make passwords harder to crack.
Warm-Up 5 min
Not every attack needs trickery or malware. The simplest is to keep guessing the password until one works — fast, when computers do the guessing.
Quick starter
A 4-digit PIN has 10 × 10 × 10 × 10 = 10,000 combinations. A computer can try thousands per second. Roughly how long to try them all?
Reveal the idea
Seconds. That's why short codes are weak against a brute-force attack — and why systems lock you out after a few wrong tries.
Key Concept — guessing your way in 14 min
A brute-force attack tries every possible combination of characters until it finds the correct password. Software automates it, testing huge numbers of guesses quickly.
Why weak and default passwords help the attacker
| Problem | Why it's a risk |
|---|---|
| Short passwords | Far fewer combinations to try, so cracked quickly. |
| Common words / patterns | Attackers try dictionary words and "password123" first. |
| Default passwords (e.g. admin/admin) | Published online; routers/devices left on defaults are trivially accessed. |
| Reused passwords | One leak unlocks many accounts. |
What makes a password strong
- Long — more characters means exponentially more combinations.
- Mixed — upper and lower case, numbers and symbols widen the character set.
- Unpredictable — not a name, dictionary word, or 123456.
- Unique per account; changed from any default.
Worked Example — why length wins 12 min
Problem: Compare how hard each password is to brute-force.
| Password | Roughly… | Verdict |
|---|---|---|
| 1234 | 10⁴ = 10,000 combos | Cracked instantly. |
| cat | A common dictionary word | Tried in the first guesses. |
| Tr0pic@l!Rain99 | 15 mixed characters → astronomically many combos | Infeasible to brute-force. |
Why: the number of possible passwords grows with the character set size raised to the length. A longer password from a bigger character set explodes the search space, so brute force becomes impractical — and a 3-try lock-out stops the attacker long before they finish.
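The search-space arithmetic above, worked through in code. This is an added example, not part of the lesson's own materials: the guess rate of 10,000 per second is an assumed figure standing in for the warm-up's "thousands per second", and the character-set sizes are constructed for illustration. It also shows what a 3-try lock-out does to the attacker's coverage of the space.

```python
# Added example: how password search space grows with character-set size and length.
# Assumed guess rate (the warm-up's "thousands per second"); constructed value.
GUESSES_PER_SECOND = 10_000

# Constructed character-set sizes: digits only, lowercase only, and a full mix
# of upper, lower, digits and roughly 32 keyboard symbols.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed": 26 + 26 + 10 + 32,
}


def combinations(charset_size: int, length: int) -> int:
    """Number of possible passwords: character-set size raised to the length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at the assumed guess rate."""
    return combinations(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years down to seconds)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def lockout_coverage(charset_size: int, length: int, max_attempts: int = 3) -> float:
    """Fraction of the search space an attacker can try before a lock-out triggers."""
    return max_attempts / combinations(charset_size, length)


def compare(passwords_spec):
    """Return (label, combinations, time-to-exhaust) rows for a list of (label, charset, length)."""
    rows = []
    for label, charset, length in passwords_spec:
        n = combinations(CHARSETS[charset], length)
        rows.append((label, n, human_time(seconds_to_exhaust(CHARSETS[charset], length))))
    return rows


if __name__ == "__main__":
    # The lesson's own cases: a 4-digit PIN, a 3-letter word, a 15-character mix.
    for label, n, t in compare([("1234", "digits", 4),
                                ("cat", "lowercase", 3),
                                ("Tr0pic@l!Rain99", "mixed", 15)]):
        print(f"{label:16} {n:>30,} combinations  worst case {t}")
    print(f"3-try lock-out lets an attacker cover "
          f"{lockout_coverage(10, 4):.4%} of the PIN space")
```

Run it and the three rows reproduce the worked example: the PIN is exhausted in about a second, the 3-letter word in a fraction of a second, and the 15-character mix takes a number of years far beyond any practical attack. The last line makes the lock-out point concrete: three tries cover 0.03% of even the tiny PIN space.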
Try It Yourself 12 min
Goal: Describe what a brute-force attack does.
Goal: Give three features of a strong password and say why each helps.
Goal: Other than a stronger password, explain two things a system can do to defend against brute-force attacks.
Hint: think about limiting login attempts, and about CAPTCHA.
📝 Exam Practice 10 min
Describe how a brute-force attack works.
Mark scheme
- It tries many possible password combinations (1).
- Automatically / repeatedly, until the correct one is found (1).
Explain why leaving a router on its default password is a security risk.
Mark scheme
- Default passwords are well known / published online (1).
- So an attacker can easily gain access without guessing (1).
Explain why a longer password is harder to crack by brute force.
Mark scheme
- More characters means many more possible combinations (1).
- So the attacker must try far more guesses, taking much longer (1).
Recap & Key Terms 3 min
A brute-force attack tries combinations until the password is found. Weak and default passwords make this easy. Strong passwords are long, mixed, unpredictable and unique. Systems also defend by limiting attempts and using CAPTCHA.
- Brute-force attack
- Trying many password combinations automatically until the correct one is found.
- Default password
- The factory-set password on a device; a risk if never changed.
- Strong password
- A long, unpredictable mix of cases, numbers and symbols, unique to each account.
- Login limit / CAPTCHA
- Defences that block automated guessing by limiting attempts or proving a human is present.
Homework 1 min
Task (≤ 15 min): A school account system lets users pick any password and never locks out. Suggest three changes that would make it much harder to brute-force, explaining each.
Model answer
(1) Enforce a minimum length and mix of characters — far more combinations to try. (2) Lock out after a few failed attempts — stops automated guessing. (3) Add a CAPTCHA — blocks bots from rapid guessing. Also accept: ban common/default passwords; add two-factor authentication.
Award marks for: three valid measures (3); a correct reason for each (3).
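The model answer's first three measures, implemented as a small mock account system. This is an added example, not part of the lesson or any real school system: the minimum length of 12, the lock-out threshold of 3, the banned-password list and the usernames are all constructed, and the CAPTCHA is represented by a simple flag the caller supplies. It shows that a guessing loop is blocked after the third wrong try, and that even the correct password is refused once the account is locked.

```python
# Added example: a mock login that enforces a password policy and a 3-try lock-out.
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3          # constructed lock-out threshold
MIN_LENGTH = 12           # constructed minimum length
# Constructed list of common/default passwords to refuse outright.
BANNED = {"password", "password123", "123456", "admin", "qwerty", "letmein"}


def password_is_acceptable(pw: str) -> tuple:
    """Return (ok, reason): refuse common/default, short, or single-class passwords."""
    if pw.lower() in BANNED:
        return False, "common or default password"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        return False, "needs at least three character types"
    return True, "ok"


class Account:
    """Stores a salted PBKDF2 hash (never the password) and counts failed logins."""

    def __init__(self, username: str, password: str):
        ok, reason = password_is_acceptable(password)
        if not ok:
            raise ValueError(reason)
        self.username = username
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failed = 0
        self.locked = False

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, attempt: str, captcha_passed: bool = True) -> str:
        """Return 'success', 'wrong', 'locked' or 'captcha' for one login attempt."""
        if self.locked:
            return "locked"
        if not captcha_passed:            # automated clients that cannot solve it stop here
            return "captcha"
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failed = 0
            return "success"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "wrong"


def demo() -> list:
    """Constructed scenario: five wrong guesses, then the correct password after lock-out."""
    acct = Account("student", "Tr0pic@l!Rain99")
    results = [acct.login(f"{i:04d}") for i in range(5)]   # guesses 0000..0004
    results.append(acct.login("Tr0pic@l!Rain99"))          # right password, still locked
    return results


if __name__ == "__main__":
    for pw in ["123456", "cat", "Tr0pic@l!Rain99"]:
        print(pw, "->", password_is_acceptable(pw))
    print(demo())
```

The lock-out is what turns the search-space arithmetic into a real defence: the guessing loop gets exactly two "wrong" results before every further attempt, including the correct one, comes back "locked". In a real system the lock would expire after a set time or require an administrator to reset it; that part is left out here.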