Brute Force Attacks

A brute-force attack occurs when an attacker checks all possible passwords until the correct one is found.

Checking every candidate is very fast for short passwords. For longer passwords, brute force is generally combined with dictionary attacks and common password lists to make more efficient guesses.

By avoiding user enumeration vulnerabilities, you make brute-force attacks much less effective: an attacker who cannot tell which usernames exist has to try every potential username in combination with every potential password.

Brute-force attacks are generally performed using scripts or dedicated tools, which can generate hundreds of HTTP requests per second. Even if no passwords are guessed correctly, use of such a tool may constitute a denial-of-service attack.
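
An added example (not part of the original page): a small detector for the request pattern described above, counting failed logins per client IP in a sliding window over constructed log lines. The log line format, the 10-second window and the threshold of 20 failures are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding-window length
THRESHOLD = 20                   # assumed max failed logins per IP per window

def sample_log():
    """Constructed log lines: '<ISO timestamp> <client IP> <username> <status>'."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # Scripted client: 40 failed logins 50 ms apart, cycling through 4 usernames.
    for i in range(40):
        ts = (t0 + timedelta(milliseconds=50 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 203.0.113.7 user{i % 4} 401")
    # Ordinary user: two typos 5 s apart, then a successful login.
    for i, status in enumerate((401, 401, 200)):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 198.51.100.23 carol {status}")
    return lines

def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: (peak failures in one window, distinct usernames tried)}
    for every client IP whose failed logins reach the threshold."""
    events = []
    for line in lines:
        ts, ip, user, status = line.split()
        if status == "401":                      # only failed logins count
            events.append((datetime.fromisoformat(ts), ip, user))
    events.sort(key=lambda e: e[0])              # logs may arrive out of order

    recent = defaultdict(deque)                  # ip -> failure times in window
    users = defaultdict(set)                     # ip -> usernames attempted
    peak = defaultdict(int)
    for ts, ip, user in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:                # drop failures older than window
            q.popleft()
        users[ip].add(user)
        peak[ip] = max(peak[ip], len(q))
    return {ip: (peak[ip], len(users[ip])) for ip in peak if peak[ip] >= threshold}

if __name__ == "__main__":
    for ip, (failures, names) in detect_bruteforce(sample_log()).items():
        print(f"{ip}: {failures} failed logins within {WINDOW}, {names} usernames")
```

The scripted client is flagged while the user who mistypes a password twice is not; the same per-IP counter can drive throttling or temporary lockout instead of only reporting.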

Further Reading