How to Avoid Hackers Trying to ‘Brute Force’ Your Password


According to a recent analysis by Microsoft, hackers are extremely unlikely to attempt a “brute-force” attack on user passwords longer than 10 characters. 77 percent of brute-force hacking attempts were on passwords with seven or fewer characters, according to the study.

The Record reports that, according to data collected by a number of honeypot servers set up by Microsoft, most hackers who use brute-force attacks attempt to guess short passwords; very few attempts target credentials that are over ten letters long or contain complex characters.


A brute-force attack is a method by which attackers try various combinations of letters and symbols to guess a user’s password. Ross Bevington, a security researcher at Microsoft, commented: “I analyzed the credentials entered from over 25 million brute force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network.”

Bevington, who works as Head of Deception at Microsoft, commented: “77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases.”

Bevington noted that only seven percent of the brute-force attempts he analyzed included a special character, 39 percent had at least one number, and none of the attempts used passwords that included white space.
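The composition statistics Bevington describes (length buckets, special characters, digits, white space) can be reproduced over any captured credential list. The following is an added illustration, not Microsoft's or Bevington's code; the credential list is constructed for the example, and the length cut-offs (seven and ten characters) follow the figures quoted above.

```python
import string
from collections import Counter

# Constructed sample of passwords submitted to a hypothetical SSH honeypot.
# Invented for this example; it is not Microsoft's data.
SAMPLE_ATTEMPTS = [
    "123456", "password", "admin", "root", "qwerty",
    "welcome1", "P@ssw0rd", "letmein", "12345678", "abc123",
    "Summer2021!", "administrator", "changeme", "toor", "pass",
    "Winter 2021", "Qwerty123456", "test", "guest", "1q2w3e4r",
    "123456", "password", "123456", "admin",
]


def length_bucket(pw):
    """Bucket a password by length using the cut-offs quoted in the article."""
    n = len(pw)
    if n <= 7:
        return "1-7"
    if n <= 10:
        return "8-10"
    return "11+"


def analyze(attempts):
    """Summarize length distribution and character composition of attempted passwords."""
    total = len(attempts)
    buckets = Counter(length_bucket(p) for p in attempts)
    special = sum(1 for p in attempts if any(c in string.punctuation for c in p))
    digit = sum(1 for p in attempts if any(c.isdigit() for c in p))
    space = sum(1 for p in attempts if any(c.isspace() for c in p))

    def pct(k):
        return round(100 * k / total, 1)

    return {
        "total": total,
        "pct_len_1_7": pct(buckets["1-7"]),
        "pct_len_8_10": pct(buckets["8-10"]),
        "pct_len_11_plus": pct(buckets["11+"]),
        "pct_special": pct(special),
        "pct_digit": pct(digit),
        "pct_whitespace": pct(space),
        # Most frequently guessed values: the obvious deny-list for a password policy.
        "top_passwords": Counter(attempts).most_common(3),
    }


def beyond_brute_force_profile(pw):
    """True if a password lies outside the profile the honeypot data describes:
    longer than ten characters AND containing a special character or white space."""
    long_enough = len(pw) > 10
    has_special = any(c in string.punctuation for c in pw)
    has_space = any(c.isspace() for c in pw)
    return long_enough and (has_special or has_space)


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_ATTEMPTS).items():
        print(f"{k}: {v}")
```

`top_passwords` is the part a defender acts on directly: the values attackers try most often are the ones to reject at password-set time. `beyond_brute_force_profile` encodes the article's observation, not a guarantee; a long password that has leaked is still exposed, as the text notes.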

This analysis suggests that longer passwords that include special characters are largely safe from the majority of brute-force attacks, as long as they have not been leaked online. Bevington said that, based on data collected from more than 14 million brute-force attacks against Microsoft’s honeypot servers, attacks on Remote Desktop Protocol (RDP) servers have tripled compared to 2020, a rise of 325 percent.

“Stats on SSH & VNC are just as bad – they just haven’t changed that much since last year,” Bevington said. “By default solutions like RDP are turned off but if you decide to turn them on, don’t put stuff straight on the Internet. Remember that attackers will go after any brute forcible remote admin protocol. If you must have yours accessible on the Internet use strong passwords, managed identity, MFA.”
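The advice in the quote is about not leaving brute-forcible admin protocols exposed in the first place. On the detection side, the same activity is visible in ordinary sshd logs. The following is an added example, not from the article or from Microsoft: it parses constructed sshd “Failed password” lines and flags any source address that produces five or more failures within 60 seconds (threshold and window are assumed values, not figures from the article).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the stock OpenSSH failure line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth log excerpt: one noisy source hammering short usernames,
# one legitimate user who mistypes twice, twenty minutes apart.
SAMPLE_LOG = """\
Jan 12 03:14:07 bastion sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:08 bastion sshd[2346]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 12 03:14:09 bastion sshd[2347]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:10 bastion sshd[2348]: Failed password for invalid user guest from 203.0.113.5 port 51237 ssh2
Jan 12 03:14:11 bastion sshd[2349]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 03:15:01 bastion sshd[2350]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Jan 12 03:20:30 bastion sshd[2360]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 03:40:30 bastion sshd[2370]: Failed password for alice from 198.51.100.7 port 40002 ssh2
"""


def parse_failures(log_text):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing intervals within one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP.

    A source is flagged the first time it accumulates `threshold` failures
    inside any `window_seconds` span. Returns {ip: details}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, user in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {
                "first_seen": q[0][0],
                "failures_in_window": len(q),
                "usernames": sorted({u for _, u in q}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinct-username list is the useful discriminator: a real user retrying one account looks nothing like a source cycling through `admin`, `root`, `test` and `guest`. The same windowing applies to RDP or VNC once the relevant log source (for example Windows logon-failure events) is parsed into the same `(timestamp, source, user)` tuples.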

Read more at the Record here.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address
