They don’t.

People reuse passwords all the time. Those passwords end up in other breaches. They try those passwords on many other sites. It’s an automated process using servers and other computers to test out the logins.

A common method is to intercept your login over the network or wifi. That login is encrypted into a hash. Now they compare that hash to rainbow tables (known passwords). To brute force, they don’t have to login, they know what encryption your system uses and will run possible passwords into another program using the same encryption until they get a matching hash.

They use botnets that distribute the attacks from dozens of source IPs and attack multiple targets simultaneously in attempt to get a successful login.

The bots then attempt random login attempts using different username and password combinations. Hackers know full well that 3-5 attempts will likely lock out an account and that would possibly alert an admin that something is going on, so they program the bots not to try the same user account 3 times in a given period.

Between thousands of different usernames, and thousands of different passwords, against thousands of potential targets, sooner or later they’ll get a successful login.

Also it’s a little known fact that the ‘Administrator’ account in Active Directory can’t be locked out, so they brute force that account non-stop.

Those systems have been put into place to prevent brute force attacks, they aren’t everywhere.

Also, websites frequently store passwords, etc, in an encrypted database. This is supposed to stay private to their servers, but sometimes those databases get stolen. Once the database is stolen, it is just a file — the hackers have a copy on *their* computer, so they don’t put any rate-limits into *their* software, which they use to attack the database. This is where they can really go crazy with the brute-forcing.

They can use proxies to make the entries appear from a completely different system, or sometimes abuse different login methods to that website. For example, awhile back, while Twitter itself DID lock you after multiple failed attempts, you could attempt to login via TweetDeck or Mobile Web Twitter an unlimited amount of times.

For the second part. Not all websites have a 3 attempt limit. Either it’s more or unlimited. I’ve failed like 10 times and no problem arose. And they would only brute force websites like that. They might also be able to hide the attempts In order to bypass the attempt limit.

Usually they do this either on systems that don’t have such lockouts (to prevent just those kinds of attacks) or they steal an encrypted database and can try those attacks on them at their own leasure.