Brute force attacks on password managers: How to protect your passwords

Password managers provide a simple and secure way to store and manage passwords. But how resilient are they to brute force attacks? This type of attack aims to crack master passwords through systematic trial and error — a risk that can be mitigated to varying degrees by design decisions made by password managers.
Brute Force Attacks: An Overview
In a brute force attack, the attacker tries candidate master passwords one after another until one unlocks the vault. Such attacks are most effective when the attacker can make an unlimited number of attempts without the provider or the user noticing. Key factors for the success of such an attack are:
- Offline access to encrypted data: If the encrypted vault can be copied, the attacker guesses against the copy on their own hardware. Neither the provider nor the user sees the attempts, so there is no way to detect or stop them.
- Technical resources: Commodity GPUs and specialised cracking software test candidate passwords at high rates. The slow key derivation function most vaults use (PBKDF2 or Argon2, for example) raises the cost of each guess but does not change the fact that the attack runs unattended for as long as the attacker likes.
- Design of the system: Systems that do not limit attempts and provide no further protective measures are more vulnerable.
Once the encrypted vault has been stolen, the whole attack takes place offline. This is what makes traditional password managers an attractive target.
Typical weak points of traditional password managers
Traditional password managers usually rest on a single master password that unlocks all stored data. This produces several weaknesses:
- Unlimited attempts: Because the vault is attacked offline, nothing limits the number of guesses. The only cost per guess is the key derivation function, and the attacker runs it on hardware of their own choosing.
- Highly attractive for attackers: Once stolen, a vault can be attacked indefinitely without the provider being able to intervene or even notice.
- Low cost for attackers: A 12-character master password built from dictionary words, names and dates falls to a modest GPU rig in days or weeks; only a long, randomly generated master password pushes the cost out of reach.
These weaknesses mean that attacks scale with the attacker's hardware rather than with time spent at a keyboard, which increases the risk for users.
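To make the offline attack described in the two sections above concrete, here is an added example (not code from the article or from any password manager): a constructed vault header that stores a salt, a PBKDF2 work factor and a key-check value, an attacker loop that tests a dictionary-style wordlist against a copy of it, and a cost estimate for a random password. The vault format, the wordlist, the 1e10 iterations/s throughput figure and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from itertools import product


# Constructed, minimal vault header: salt, KDF work factor and a key-check
# value. Real password managers use their own formats, but the principle is
# the same: everything needed to test a master password guess is in the file.
def make_vault(master_password: str, iterations: int) -> dict:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # Key-check value: lets the legitimate client (and an attacker) recognise
    # the correct master password without touching the encrypted entries.
    kcv = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def check_master(vault: dict, candidate: str) -> bool:
    """One guess: run the KDF and compare the key-check value."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), vault["salt"], vault["iterations"])
    kcv = hmac.new(key, b"key-check", "sha256").digest()
    return hmac.compare_digest(kcv, vault["kcv"])


def candidate_passwords(words, suffixes):
    """Yield dictionary-style candidates in a fixed order: each word and its
    capitalised form, combined with the suffixes attackers try first."""
    for word, suffix in product(words, suffixes):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_offline(vault: dict, candidates):
    """Offline attack against a copied vault: nobody can count or stop these
    guesses. Returns (password or None, number of guesses made)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if check_master(vault, cand):
            return cand, guesses
    return None, guesses


def seconds_to_exhaust(keyspace: int, iterations: int, iterations_per_second: float) -> float:
    """Worst-case time to try every password in `keyspace` when each guess costs
    `iterations` KDF iterations and the attacker's hardware performs
    `iterations_per_second` of them (an assumed throughput, not a measurement)."""
    return keyspace * iterations / iterations_per_second


if __name__ == "__main__":
    # Constructed inputs: an 11-character dictionary-style master password and
    # a tiny wordlist of the kind an attacker tries before anything else.
    vault = make_vault("Summer2024!", iterations=1000)
    words = ["password", "summer"]
    suffixes = ["", "1", "2024", "2024!"]
    pw, n = crack_offline(vault, candidate_passwords(words, suffixes))
    print(f"recovered {pw!r} after {n} guesses")

    # A random 12-character lowercase password with a 600k-iteration KDF: here
    # the keyspace, not the KDF, is what makes the attack infeasible.
    years = seconds_to_exhaust(26 ** 12, 600_000, 1e10) / (365 * 24 * 3600)
    print(f"26^12 keyspace at 600k iterations and 1e10 it/s: about {years:,.0f} years")
```

The `iterations` field is the only lever the vault format has against this attacker, and it is a linear one: raising it by a factor of ten costs the attacker ten times more per guess and the user ten times more per unlock. The dictionary candidate still falls in 16 guesses regardless of the work factor, which is why the length and randomness of the master password matter more than the KDF setting.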
Protection measures against brute force attacks
To make brute force attacks more difficult, some systems use alternative approaches:
- Multi-factor authentication (MFA): Access requires not only a password but also a second factor such as a registered device, a PIN or a biometric.
- Limited attempts: Systems that allow only a fixed number of attempts before locking make systematic guessing impractical, provided the counter is enforced by the provider or in tamper-resistant hardware rather than in software the attacker can copy and reset.
- Physical access: Solutions that bind access to registered devices prevent an attacker from succeeding without physical possession of the device.
Example: heylogin's security approach
A specific example of an alternative approach is heylogin. Instead of a central master password, it uses registered devices plus a PIN. To gain access, an attacker would have to guess the PIN and also physically obtain the registered device, such as the user's smartphone. This physical barrier makes brute force attacks unattractive: they cannot be carried out remotely, so they do not scale.
Even if a device is stolen, further protection applies: after at most 9 failed PIN entries (on iOS, for example) access is blocked. The effort for an attacker is therefore disproportionately high while the potential gain remains low, so the attack is simply not worthwhile.
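The following is an added example, written for this article and not heylogin's code, that models the two properties just described: a PIN that can only be checked in combination with a secret held on the registered device, and a lockout after 9 failed entries (the figure the article gives). The HMAC-based derivation, the 6-digit PIN format, the class and function names and the sample secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

MAX_FAILED_ATTEMPTS = 9  # lockout threshold quoted in the article


class DeviceBoundUnlock:
    """Constructed model of device + PIN unlocking.

    The unlock verifier is derived from a secret that exists only on the
    registered device and from the user's PIN. Without the device secret a
    remote attacker has nothing to test a PIN guess against; with the device,
    a counter locks the PIN after MAX_FAILED_ATTEMPTS wrong entries. In a real
    product the secret and the counter must live in tamper-resistant hardware
    (secure element, Secure Enclave): a counter kept in ordinary storage can be
    reset, and the PIN could then be attacked offline against a copied image.
    """

    def __init__(self, pin: str, device_secret: Optional[bytes] = None):
        self.device_secret = device_secret or secrets.token_bytes(32)
        self.pin_verifier = self._derive(self.device_secret, pin)
        self.failed_attempts = 0
        self.locked = False

    @staticmethod
    def _derive(device_secret: bytes, pin: str) -> bytes:
        # The same PIN on a different device yields a different value, so the
        # PIN alone proves nothing and cannot be checked without the device.
        return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()

    def try_pin(self, pin: str) -> bool:
        """One unlock attempt. Returns True on success, False on a wrong PIN
        or when the device is already locked (even if the PIN is correct)."""
        if self.locked:
            return False
        if hmac.compare_digest(self._derive(self.device_secret, pin), self.pin_verifier):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


def brute_force_pin(device: DeviceBoundUnlock, digits: int = 6):
    """Attacker holding the stolen device enumerates PINs until lockout.
    Returns (pin or None, number of attempts made)."""
    attempts = 0
    for n in range(10 ** digits):
        if device.locked:
            break
        attempts += 1
        pin = f"{n:0{digits}d}"
        if device.try_pin(pin):
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample: a fixed device secret and PIN so the run is repeatable.
    device = DeviceBoundUnlock("483920", device_secret=b"\x01" * 32)
    print("legitimate unlock:", device.try_pin("483920"))
    pin, attempts = brute_force_pin(device)
    print(f"attacker result: pin={pin} after {attempts} attempts, locked={device.locked}")
    print("correct PIN after lockout:", device.try_pin("483920"))
```

With a 6-digit PIN and a 9-attempt lockout, an attacker who has the device succeeds with probability 9 in 1,000,000 per stolen device, and each attempt costs physical possession of that one device. Compare this with the offline vault attack, where the same attacker gets unlimited guesses against every stolen vault at once.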
Conclusion
The resilience of a password manager to brute force attacks depends largely on its design. Systems that do without a central master password, limit the number of attempts and bind access to physical devices offer greater protection. Users should weigh these aspects when choosing a password manager.