eli5: how does “brute forcing” a password work?


So I get the more complicated and long the password the harder it is to brute force, but do these programs start with like 111aaa and then go to like 111aab and so forth. Or, are they just trying every combination randomly? If the latter, isn’t there a chance (a very small one) that if it is kinda random that they could break a really good password on like the first try? Similar to winning the lottery? If it’s not random, that has its own issues. I don’t get it. Help.


14 Answers

Anonymous

Typically brute forcing is used against leaked/hacked password tables, not live login pages which should be rate limited (you can only try to log in so many times per second / fail so many times before it stops you).

Passwords are not (or at least *should not* be) stored in plain text. They are stored as hashes. A hash is essentially a one-way math formula: it’s extremely easy to do in one direction but almost impossible to do in the other direction. Imagine you have two very large prime numbers and want to multiply them together. Pretty easy. Now imagine you have just that result and need to factor out the prime numbers. That is very, very difficult.

So the hash takes your “Password” and turns it into “dc647eb65e6711e155375218212b3964” which is stored. Then when you try and log in it takes whatever you put into the password field, runs it through the hash, and checks if it matches. But if you put the hash in the password field you end up with “b8498ee29e56e711a268ae8cc461ae94” which doesn’t match. So it’s relatively safe to store this way.

They should also be “salted.” Basically a small unique number or string stored with your username which is added to your password. That way if two people have the same password the hash value isn’t the same, which means each password has to be cracked individually as every password which is “Password” won’t be the exact same hash value.

So the password table would look something like “Username”, “45”, “add1457e536e0123044b10f40beec49e”

So how does one brute force a password?

Well, it turns out that people really aren’t actually all that original and we’re really *really* bad at coming up with passwords. There are certain words and patterns that come up all the time.

So you set up a program to run the same hash as the company and you use a password generator that pulls from a database of passwords and mutates those passwords in common ways and according to the password rules that you know of for the list.

So it’ll try “Password”, “P@ssword”, “password1”, “Password1”, “PassWord” and so on and so forth.

This seems like it should take forever, but depending on the hash method and hardware used a good gaming computer can run through millions and millions of hashes per second. A good hash for “at rest” password storage should be extremely computationally expensive because it doesn’t really matter to the user if it takes 0.1 seconds to hash the password so they can log in. Heck, they probably wouldn’t even notice. But if someone was trying to hash 100 million passwords against a stolen password table it really adds up.

This is called a “dictionary” attack and it’s the main method of brute forcing a password. You basically try everything until something works. If the dictionary attack fails, though, and you really really need to get into that account, you can do the next step of brute forcing. Try “AAAAAA1”, “AAAAAA2”, “AAAAAA3”, etc. This won’t really work against anything but the oldest and most obsolete hashing methods because it’ll simply take too long to get anywhere, especially if the user didn’t go for a minimum length password.

If you ever forget your password and the service can tell you what password you used? RUN. Change the password to something you’ve never used nor will ever use, however many times it takes until it stops complaining about password re-use, and refuse to use the service. The other end should **never** know your password.
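As an added example (not part of the answer above), here is a small Python script that builds a constructed salted-hash table, runs the mutated dictionary attack the answer describes against it, and counts how big an exhaustive search would be. The functions, the word list and the sample table are all assumptions of this example, and PBKDF2-SHA256 stands in for whatever hash the site would use.

```python
import hashlib
import string


def hash_password(password: str, salt: str, iterations: int = 1000) -> str:
    """Salted, iterated hash (PBKDF2-SHA256 as a stand-in). `iterations`
    is the "computationally expensive" knob the answer talks about."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               iterations).hex()


def mutate(word: str):
    """Yield the common variations of a dictionary word: case changes,
    a single symbol substitution, an appended digit or '!'."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    for b in list(bases):
        bases.add(b.replace("a", "@"))
        bases.add(b.replace("s", "$"))
        bases.add(b.replace("o", "0"))
    for b in bases:
        yield b
        for d in "0123456789":
            yield b + d
        yield b + "!"


def dictionary_attack(table, wordlist, iterations=1000):
    """Try every mutated word against every (user, salt, hash) row. Each row
    has its own salt, so no hash can be reused across users: the work is
    repeated per row. Returns ({user: password}, hashes computed)."""
    found, hashes_computed = {}, 0
    for user, salt, digest in table:
        for word in wordlist:
            for guess in mutate(word):
                hashes_computed += 1
                if hash_password(guess, salt, iterations) == digest:
                    found[user] = guess
                    break
            if user in found:
                break
    return found, hashes_computed


def keyspace_size(charset: str, max_length: int) -> int:
    """Strings of length 1..max_length over charset: what a true exhaustive
    search ("AAAAAA1", "AAAAAA2", ...) would have to cover."""
    return sum(len(charset) ** n for n in range(1, max_length + 1))


# Constructed sample "leaked" table: small salts like the "45" in the answer,
# hashes computed here from known passwords so the example runs offline.
TABLE = [
    ("alice", "45", hash_password("P@ssword1", "45")),
    ("bob", "46", hash_password("P@ssword1", "46")),  # same password, other salt
    ("carol", "47", hash_password("correct horse battery", "47")),
]
WORDLIST = ["password", "letmein", "welcome"]  # constructed, tiny dictionary
```

Running `dictionary_attack(TABLE, WORDLIST)` recovers alice and bob separately (their hashes differ despite the shared password) and never finds carol, while `keyspace_size(string.ascii_letters + string.digits, 8)` shows why stepping through every combination is a last resort.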
