Brute force is an attack method that systematically tries all possible password combinations (or keys) until the correct one is found. Variants include dictionary attacks (using word lists), credential stuffing (using leaked credentials), and hybrid attacks.
In an ISMS, ISO 27001 Annex A controls A.8.5 (Secure Authentication) and A.5.17 (Authentication Information) address this risk. Countermeasures include strong password policies (length over complexity), account lockout after multiple failed attempts, multi-factor authentication (MFA), rate limiting, and monitoring of failed login attempts. CAPTCHAs provide additional friction against automated attacks. Modern brute-force attacks use GPU clusters and can test billions of combinations per second.
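The lockout, rate-limiting and monitoring countermeasures above can share one sliding-window counter over failed logins. The sketch below is an added example, not part of the original entry; the thresholds, class and function names, and sample events are all assumptions constructed for illustration. It raises an account lockout for repeated failures against one account and a source throttle when one address fails against many accounts, the pattern typical of credential stuffing.

```python
from collections import defaultdict, deque


class FailedLoginMonitor:
    """Sliding-window counters for failed logins (thresholds are assumed values)."""

    def __init__(self, window=300, per_account=5, accounts_per_source=3):
        self.window = window                        # seconds
        self.per_account = per_account              # failures before lockout
        self.accounts_per_source = accounts_per_source
        self.by_account = defaultdict(deque)        # user -> failure timestamps
        self.by_source = defaultdict(deque)         # ip -> (timestamp, user)

    def record(self, ts, user, ip, success):
        """Process one login event (chronological order); return alerts raised."""
        if success:
            self.by_account.pop(user, None)         # reset counter on valid login
            return []
        alerts = []
        acct = self.by_account[user]
        acct.append(ts)
        while acct[0] <= ts - self.window:          # expire failures outside window
            acct.popleft()
        if len(acct) >= self.per_account:
            alerts.append(("lock_account", user))
        src = self.by_source[ip]
        src.append((ts, user))
        while src[0][0] <= ts - self.window:
            src.popleft()
        if len({u for _, u in src}) >= self.accounts_per_source:
            alerts.append(("throttle_source", ip))
        return alerts


# Constructed sample events: (timestamp_s, user, source_ip, success)
SAMPLE_EVENTS = (
    [(t, "alice", "203.0.113.10", False) for t in (10, 20, 30, 40, 50)]
    + [(t, u, "198.51.100.7", False) for t, u in ((15, "bob"), (16, "carol"), (17, "dave"))]
    + [(t, "frank", "192.0.2.50", False) for t in (0, 100, 200, 300, 400)]
    + [(60, "erin", "192.0.2.60", False), (70, "erin", "192.0.2.60", True)]
)


def analyze(events):
    """Replay events in time order and collect the distinct alerts raised."""
    monitor = FailedLoginMonitor()
    alerts = set()
    for ts, user, ip, success in sorted(events):
        alerts.update(monitor.record(ts, user, ip, success))
    return alerts


if __name__ == "__main__":
    print(sorted(analyze(SAMPLE_EVENTS)))
```

Failures spread wider than the window (the constructed "frank" events) never reach the lockout threshold, which is why the window length and threshold have to be tuned together.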