eli5: how does “brute forcing” a password work?


So I get the more complicated and long the password the harder it is to brute force, but do these programs start with like 111aaa and then go to like 111aab and so forth? Or, are they just trying every combination randomly? If the latter, isn’t there a chance (a very small one) that if it is kinda random that they could break a really good password on like the first try? Similar to winning the lottery? If it’s not random, that has its own issues. I don’t get it. Help.


You keep trying passwords over and over again. Ideally you have some information on the person whose password you are trying to break and start by using common personal passwords and work from there.

It depends. Sometimes they will use a dictionary and fire the dictionary (metaphorically speaking) at the password, sometimes they will start from the ground and go through all possible combinations.

There are tons of ways, they’ll often start with the obvious choices like “password” or 123456789 or whatever, but after that, it’s up to them how they want to keep going. They’ll most likely start lower to high though, but that’s just because it takes so much less time to check short passwords.

You could think of it as winning the lottery, but randomly guessing a password is so much less likely than that. Assuming 65 possible characters (all capital and lowercase letters, numbers, 3 symbols) and a password of length 8, you’d have a 1 in 319,00,000,000,000 chance of guessing it right, which makes it about a million times less likely to happen than winning the Mega Millions lottery.

Generally speaking, brute force password hacking isn’t going to be that successful against a specific account, especially for any site that has any basic countermeasures like a cooldown between attempts. Yes, typing in a random password could result in you getting in.

However, there are multiple ways to do it. For example, a large majority of people use simple passwords like “password” to secure their account. By trying all the most common passwords first and then adding a dictionary to the list you can get into a lot of accounts. Unless you really need to get into a specific account, if you try a ton of accounts, chances are you’ll get into quite a few quickly.

Brute forcing is essentially to keep trying until you get it right.
And there’s usually a script for what order it attempts what.
Like first try the 1000 most common passwords, so it would try Password123 before it attempts 52knH8xRwue9
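
The guessing order described in the answers above (common passwords first, then every combination from shortest to longest), worked through as a password-strength estimate. This is an added example, not part of the original thread; the tiny common-password list, the three symbols in the alphabet, and the function names are assumptions made for illustration.

```python
import string

# Constructed sample; a real strength check would load a large breached-password list.
COMMON = ["123456789", "password", "Password123", "qwerty"]

# Assumed alphabet of 65 characters, as in the thread: digits, lowercase,
# uppercase and 3 symbols (which 3 symbols is an assumption).
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase + "!@#"


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly this length."""
    return len(alphabet) ** length


def exhaustive_rank(password, alphabet=ALPHABET):
    """1-based position of the password when counting like an odometer,
    shortest passwords first (so 111aaa is followed by 111aab)."""
    base = len(alphabet)
    shorter = sum(base ** n for n in range(1, len(password)))
    index = 0
    for ch in password:
        # Raises ValueError if the character is outside the assumed alphabet.
        index = index * base + alphabet.index(ch)
    return shorter + index + 1


def guess_rank(password, common=COMMON, alphabet=ALPHABET):
    """Guesses needed to reach the password: common list first, then exhaustive.
    The exhaustive pass is assumed not to skip words already tried."""
    if password in common:
        return common.index(password) + 1
    return len(common) + exhaustive_rank(password, alphabet)


def years_to_reach(rank, guesses_per_second):
    """Time to make that many guesses at a fixed rate, e.g. one limited by a cooldown."""
    return rank / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Password123", "52knH8xRwue9"):
        rank = guess_rank(pw)
        print(f"{pw}: guess #{rank:,}, {years_to_reach(rank, 1):.3g} years at 1 guess/s")
```
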