Encryption itself is very rarely compromised. It’s the implementation of it that is.
As another commenter said, you don’t try every combination to enter the safe, that takes too long. You find flaws in the safe itself that allow you to break it open without needing the code.
Or trick the person into giving you the code.
Or wait until the safe is unlocked.
Or use a leaked password database and hope it works.
One good example is that typical encryption works like locking the door to your house – while the lock can be very strong, anyone who manages to steal your key while you are out can unlock the door. The overall strength of the system is only as strong as your pocket! You could lock your key in a friend’s house, but now attackers just need to steal your friend’s key. Plus, attackers can passively observe people coming and going, so they are generally well prepared to figure out where to start.
If you used all of the computational power in existence it would take longer than the universe has existed to break AES 256. So your intuition is right that hackers aren’t brute-forcing this because it’s computationally intractable. But here’s the catch: you only get that level of security if you’re using a random 256 bit key. In reality every key is either:
1) Derived from something like a password, and nobody is using 256 bit passwords (not even close). A password with 256 bits of entropy would look like this: “Aj29niP8B6z9rq2wPq51vxeJTbp4fDZaHevpnn1AZvl”. Imagine trying to memorize that. In reality 30 bits of entropy would be high for a password, which is very brute-forceable.
2) Computer generated random keys. These will have 256 bits of entropy (or close to it, at least) but you can’t just memorize these. You have to generate and then store them somewhere. Hackers will attack either the generation process (hack into the computer where the keys are being generated and snoop on the keys) or the storage (hack into the place that keys are being stored). If you encrypt the key storage, you haven’t “fixed” the problem, you’ve just moved the target. The hackers will just go after that key.
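The two kinds of key described in the answer above, as an added Python example that is not part of the original comment: it shows that 32 random bytes print as a 43-character string, and models how much search work each kind of key leaves. The guess rate (`1e12` per second), the PBKDF2 iteration count (`600_000`) and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9

def random_key_as_text(nbytes=32):
    """Case 2: a CSPRNG key. 32 bytes base64-encode to 43 characters."""
    key = secrets.token_bytes(nbytes)
    return key, base64.urlsafe_b64encode(key).rstrip(b"=").decode()

def derive_key(password, salt, iterations):
    """Case 1: a 256-bit key that is fully determined by password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=32)

def effective_bits(secret_bits, kdf_iterations=1):
    """log2 of the search work: secret entropy plus KDF stretching.

    Capped at 256 because the key itself is never longer than that.
    """
    return min(256.0, secret_bits + math.log2(kdf_iterations))

def years_to_exhaust(bits, guesses_per_second):
    """Time to cover the whole search space at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def compare(rate=1e12, iterations=600_000):
    """rate and iterations are assumed values, not measurements."""
    rows = {
        "30-bit password, no stretching": effective_bits(30),
        "30-bit password, PBKDF2": effective_bits(30, iterations),
        "random 256-bit key": effective_bits(256),
    }
    return {name: (bits, years_to_exhaust(bits, rate))
            for name, bits in rows.items()}

if __name__ == "__main__":
    key, text = random_key_as_text()
    print(len(key) * 8, "bit key as text:", text)
    for name, (bits, years) in compare().items():
        print(f"{name}: {bits:.1f} bits, {years:.3g} years")
```

Stretching adds only about 19 bits to the password case here, which is why a password-derived key is as strong as the password and not as strong as its 256-bit length.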