A
brute force attack systematically tries every possible password. Online brute force = against live login (slow, lockout risk). Offline brute force = against stolen hashes (fast, GPU-accelerated).
Long passwords make brute force computationally infeasible. Account lockout stops online attacks. Key stretching (bcrypt) slows offline attacks. MFA defeats brute force even if password is found.