Brute Forcing Facebook Password: How To?

Here’s how to brute force a Facebook password:

Technically speaking, it is possible for someone to brute force attack a Facebook password.

Practically speaking, it’s probably the very worst way to try to hack a Facebook account.

Facebook does employ industry-standard security measures that, for all practical purposes, render brute force attacks useless.

So if you want to learn all about brute forcing Facebook passwords, then this article is for you.

Keep reading!

Brute Forcing Facebook Password: How To? (All the Info)

What Does It Mean to Brute Force a Password?

If we’re going to talk about Facebook password security and brute force, the logical starting point is with an explanation of how brute force works when it comes to cracking a password.

In reality, there are a lot of ways to get past password security.

The very easiest is usually to get the person you are attacking to tell you their password.

That’s usually chalked up to something called social engineering. It’s a little out of the scope of today’s topic, so I’ll leave it there.

When it comes to a brute force attack, this basically means that a computer is going to submit guess after guess to the login form until one of them turns out to be your password.

Technically, another form of brute force would involve attacking the cryptographic keys that protect the login traffic or the stored password data rather than the password itself, but that’s a completely different and vastly harder problem.

By and large, I’m going to be talking to you about a brute force attack that specifically targets your password.

To put this idea into perspective, if you have an eight-character password that only uses lowercase letters (no capitals, digits, or special characters), there are 26 to the 8th power, or about 209 billion, different combinations that exist. Allowing capitals as well raises that to 52 to the 8th power, about 53 trillion.

A brute force attack is going to try those 209 billion combinations until it gets to yours.

Even for a computer, that’s going to take a long time.

If the attacker could submit 100 guesses per second to the login form (which is actually fast for an online attack; offline cracking of a leaked password hash runs millions of times faster, but that’s a different attack), it would take about 66 years to try every combination.

Or, it would take about 33 years to reach a 50% chance of guessing your password. That’s pretty tough.
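To make that arithmetic reusable, here is a small calculator (an added example, not code from the original article) for the worst-case and expected guessing time of a random password of a given length and alphabet at a given guess rate. The 100-guesses-per-second rate and the 26-letter alphabet are the article’s figures; the offline rate and the `length_needed` helper are assumptions added here so you can compare an online attack against an offline one.

```python
# Alphabet sizes for the password classes discussed in the text.
LOWERCASE = 26              # a-z
LETTERS = 52                # a-z plus A-Z
LETTERS_DIGITS = 62         # letters plus 0-9
PRINTABLE_ASCII = 95        # every printable ASCII character

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Guess rates. ONLINE_RATE is the article's figure for guessing against a
# live login form; OFFLINE_RATE is an assumed GPU rate against a leaked,
# fast (unsalted, non-iterated) hash, included only for comparison.
ONLINE_RATE = 100.0
OFFLINE_RATE = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every password is tried before the attacker reaches yours."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def years_to_fifty_percent(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time for a uniformly random password: half the keyspace."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / 2


def seconds_for_wordlist(list_size: int, guesses_per_second: float) -> float:
    """Time to try a fixed list of likely passwords (e.g. the 10,000 most common)."""
    return list_size / guesses_per_second


def length_needed(alphabet_size: int, guesses_per_second: float, target_years: float) -> int:
    """Smallest length whose full keyspace takes at least `target_years` to exhaust."""
    needed_guesses = guesses_per_second * target_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet_size, length) < needed_guesses:
        length += 1
    return length


if __name__ == "__main__":
    print(f"8 lowercase letters: {keyspace(LOWERCASE, 8):,} possibilities")
    print(f"  online at {ONLINE_RATE:.0f}/s: {years_to_exhaust(LOWERCASE, 8, ONLINE_RATE):.1f} years "
          f"(50% after {years_to_fifty_percent(LOWERCASE, 8, ONLINE_RATE):.1f})")
    print(f"  offline at {OFFLINE_RATE:.0e}/s: {seconds_to_exhaust(LOWERCASE, 8, OFFLINE_RATE):.0f} seconds")
    print(f"10,000-entry wordlist online: {seconds_for_wordlist(10_000, ONLINE_RATE):.0f} seconds")
    print(f"Random printable-ASCII length for 100 years offline: {length_needed(PRINTABLE_ASCII, OFFLINE_RATE, 100)}")
```

The contrast the script makes visible is the one that matters for the rest of the article: the same eight lowercase letters that take decades to exhaust at 100 guesses per second fall in about twenty seconds at an assumed offline rate, so the length you need depends entirely on which attack you are defending against.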

Optimizing Password Guessing

But, hackers are smart people, and they do a lot of things to try to optimize password guessing.

If they can rule out possibilities, then they can dramatically shorten how long it takes to guess your password.

For that reason, they generate lists of the most likely passwords and try those first.

If your password is on such a list, the time it takes to brute force your password could drop from decades to days.

If your password is among the 10,000 most common, it could be guessed in a couple of minutes at that rate.

So, the real answer to this question at least partially depends on you.

Facebook does a lot to protect your password against brute force attacks, but if your password is “password,” then Facebook can’t really protect you.

How Does Facebook Password Security Work? (3 Things)

A little later, I’ll go through the ways you impact your own password security, but first, we can discuss security measures that Facebook has put in place.

I can’t say that Facebook has the most impressive security measures in the world, but they’re not really cutting corners either.

Facebook security is pretty much in the middle of the road for a major tech company.

What you might not realize is that middle-of-the-road security is extremely resilient against brute force attacks.

#1 Encryption (and Hashing)

The first thing to understand is how your password is protected, and that takes two different tools: encryption and hashing.

Facebook doesn’t release a full specification of its password storage for public viewing.

The philosophy is that this makes it at least a little harder for cybercriminals to design an attack.

But what we do know for sure is the general shape, because Facebook’s engineers have described it publicly and it matches industry practice: your password is never stored in a form that can be decrypted. It is run through a salted, deliberately slow hash function, with one layer keyed by a secret that lives on a separate service, and at login Facebook hashes what you typed the same way and compares the results. That’s a big part of how passwords work in the first place.

Encryption does protect your account, but in a different place: the connection between your browser and Facebook is encrypted, so your password can’t be read off the wire while it travels.

If we then assume that Facebook is at least using industry standards for both (which is extremely likely), then you can trust that a fair level of protection is in place.

To clarify, the most common encryption standards are going to involve 128-bit and 256-bit encryption keys.

In the case of encryption, the higher number means a larger key and therefore stronger security.

So, let’s assume that Facebook is using 128-bit encryption.

Breaking a 128-bit key by brute force means trying up to 2 to the 128th power (about 3.4 × 10^38) keys. Even at a billion billion guesses per second, that takes on the order of ten trillion years, so saying it would take a powerful computer more than a billion years is, if anything, an understatement.

It’s not really a risk.

Now, as I said before, attacking the encryption and attacking your password are not the same thing.

But, Facebook’s cryptography is stout enough that attackers can’t get at your password by breaking the encryption around it; the only realistic path is guessing the password itself, which is exactly what the next two measures limit.

#2 Two-Factor Authentication

Two-factor authentication is another important security method.

With Facebook, this extra layer of security is optional, not required. So, it’s only helping you if you enable it.

On top of that, two-factor authentication technically doesn’t prevent your password from being cracked.

Instead, it protects your account in the case that someone does gain access to your password. That said, it’s an important security measure.

For anyone unfamiliar, two-factor authentication adds a second check that a password alone can’t pass.

When it is enabled, it adds a second step for any login attempt.

The first step is to enter your username and password. If you clear that step, then the second factor kicks in.

For the second factor, you register something you have with Facebook: typically a phone number that can receive a text message, or an authenticator app that generates codes on your device.

After you successfully enter your username and password, Facebook asks for the current code from that second factor (a texted code, or the one your app is showing).

The code is temporary. Once you enter the correct code, you can finish logging in.

How does this relate to a brute force attack?

Well, it doesn’t prevent someone from guessing your password. They can still do that, and they’ll know when they succeed, because a correct password is exactly what triggers the prompt for the second code.

But, having this protection means that even if your password falls into the wrong hands, they still can’t get into your account unless they also control the phone or app that you registered.

On top of that, brute forcing the temporary code won’t work either. A six-digit code has only a million possibilities, so what has to protect it is not the number of combinations but a short lifetime (minutes for a texted code, about 30 seconds per code for an authenticator app) combined with a cap on how many wrong codes are accepted before the login attempt is thrown out.

So, this is a nice layer of security.

#3 Failed Attempt Locks

The third major security measure in place is a lockout after you fail to enter the right password. 

You have very likely seen this before. 

After a certain number of failed login attempts (the number varies from service to service), the account is locked, and you can’t get back in without going through an extended authentication procedure.

The specifics aren’t always the same, but more or less, a failed attempt lock stops any more password guessing and also invokes something akin to two-factor authentication by default.

Here’s what this means for brute force attacks.

If they don’t guess your password quickly enough, then the guessing option is locked down, and the attack can’t continue.

Even in the weakest circumstances, this security measure pretty much shuts down brute force attacks.

Let’s imagine a scenario where Facebook doesn’t invoke this protection until after 100 failed attempts.

After those failed attempts, Facebook prevents additional guesses for only one minute. After that, you can try again.

Even this minimal security measure would still shut down brute force attempts.

It caps the attacker at roughly 100 guesses per minute, or about 140,000 a day, so exhausting the 209 billion eight-lowercase-letter passwords would take on the order of 4,000 years. That renders it a useless way to go after your password.

And, Facebook locks things down more aggressively than this.

The policy does change over time, but you can be locked out for a full day if you fail too many attempts.

It’s a thorough stopgap. 
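The lockout logic described in this section, as an added example rather than Facebook’s implementation: a per-account failed-attempt counter with a lock window, plus a deterministic simulation (integer milliseconds, no real sleeping) of an attacker guessing at the article’s 100 guesses per second against the article’s hypothetical 100-attempts-then-one-minute policy, against no lockout at all, and against an assumed stricter day-long lock. The account name, the strict policy’s threshold and the attacker rate are assumptions or the text’s own numbers; the guess counts are computed, not quoted.

```python
from dataclasses import dataclass
from typing import Dict

MS_PER_SECOND = 1_000
MS_PER_DAY = 24 * 60 * 60 * MS_PER_SECOND
DAYS_PER_YEAR = 365.25


@dataclass
class LockoutPolicy:
    max_failures: int      # consecutive failures allowed before the account is locked
    lock_ms: int           # how long the lock lasts


@dataclass
class AccountState:
    failures: int = 0
    locked_until_ms: int = 0


class LoginThrottle:
    """Server-side failed-attempt lock, keyed by account name (the article's #3)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, account: str, password_ok: bool, now_ms: int) -> str:
        state = self.accounts.setdefault(account, AccountState())
        if now_ms < state.locked_until_ms:
            return "locked"           # rejected without even checking the password
        if password_ok:
            state.failures = 0
            return "success"
        state.failures += 1
        if state.failures >= self.policy.max_failures:
            state.locked_until_ms = now_ms + self.policy.lock_ms
            state.failures = 0
        return "failed"               # the guess was evaluated, and it was wrong

    def locked_until(self, account: str) -> int:
        return self.accounts.setdefault(account, AccountState()).locked_until_ms


def guesses_evaluated_per_day(policy: LockoutPolicy, guesses_per_second: int) -> int:
    """Simulate an attacker who never has the right password and always waits out locks."""
    throttle = LoginThrottle(policy)
    step_ms = MS_PER_SECOND // guesses_per_second
    now_ms, evaluated = 0, 0
    while now_ms < MS_PER_DAY:
        if throttle.attempt("victim", password_ok=False, now_ms=now_ms) == "locked":
            now_ms = throttle.locked_until("victim")   # jump straight to the unlock time
            continue
        evaluated += 1
        now_ms += step_ms
    return evaluated


def years_to_exhaust(keyspace: int, guesses_per_day: int) -> float:
    return keyspace / guesses_per_day / DAYS_PER_YEAR


# Policies: MINIMAL is the article's hypothetical scenario, STRICT is an assumed
# policy in the spirit of a day-long lock, NO_LOCKOUT is the baseline.
NO_LOCKOUT = LockoutPolicy(max_failures=10**12, lock_ms=0)
MINIMAL = LockoutPolicy(max_failures=100, lock_ms=60 * MS_PER_SECOND)
STRICT = LockoutPolicy(max_failures=20, lock_ms=MS_PER_DAY)

if __name__ == "__main__":
    space = 26 ** 8   # the text's eight lowercase letters
    for name, policy in [("no lockout", NO_LOCKOUT), ("100 tries / 1 min", MINIMAL), ("20 tries / 24 h", STRICT)]:
        per_day = guesses_evaluated_per_day(policy, 100)
        print(f"{name:18s} {per_day:>10,} guesses/day -> {years_to_exhaust(space, per_day):,.0f} years")
```

Note that the counter is keyed by account: it stops an attacker hammering one account, but it does nothing to an attacker who tries one guess each against many accounts, which is why the section on choosing a password still matters.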

Is It Possible to Brute Force Through Facebook Password Security? (2 Things)

Let’s revisit the original question.

Can someone get your password through brute force? Technically speaking, yes.

With enough different devices attacking over a long enough time, combined with enough dumb luck, it’s technically possible.

But, if your password isn’t on a shortlist of likely options, then the sheer odds stacked against a brute force attack are too much.

Effectively speaking, brute force attacks are not a problem for Facebook accounts.

#1 Why Not?

We’ve covered a few things.

First, two-factor authentication shuts down logins even when the attacker has your password.

Second, the automatic lockout severely limits how quickly a computer can try to guess your password.

When you combine that with the sheer number of possibilities at play and the fact that Facebook requires a minimum number of characters in your password, brute force can’t realistically work.

The only risk is if they get your password another way.

#2 How Your Password Makes a Difference

And that brings us to the crux of the whole issue.

I mentioned this before, but if your password is too easy to guess, even these security measures will fail (except that two-factor authentication is still in your favor).

If you’re using one of the 100 most common passwords in the world, then even with account locking and everything else, an attacker can get your password with a little patience. Worse, an attacker who tries that one password once against millions of accounts (password spraying) never trips a per-account lockout at all.

But, this isn’t about brute force. It’s about predictability.

If your password is at least eight characters and is truly randomized, brute force against Facebook’s rate-limited login won’t work. (If you reuse that password on a site whose password database later leaks, offline cracking is a different story, which is one more reason to use a unique password for each site.)

Every character beyond the eighth multiplies the number of possibilities by the size of the alphabet, so consider making it a little longer.

Do this, and Facebook can take care of the rest.


  • Theresa McDonough

    Tech entrepreneur and founder of Tech Medic, who has become a prominent advocate for the Right to Repair movement. She has testified before the US Federal Trade Commission and been featured on CBS Sunday Morning, helping influence change within the tech industry.
