eli5: how does “brute forcing” a password work?


So I get the more complicated and long the password the harder it is to brute force, but do these programs start with like 111aaa and then go to like 111aab and so forth. Or, are they just trying every combination randomly? If the latter, isn’t there a chance (a very small one) that if it is kinda random that they could break a really good password on like the first try? Similar to winning the lottery? If it’s not random, that has its own issues. I don’t get it. Help.


14 Answers

Anonymous 0 Comments

You keep trying passwords over and over again. Ideally you have some information on the person whose password you are trying to break and start by using common personal passwords and work from there.

Anonymous 0 Comments

It depends: sometimes they will use a dictionary and fire the dictionary (metaphorically speaking) at the password, sometimes they will start from the ground and go through all possible combinations.

Anonymous 0 Comments

Generally speaking brute force password hacking isn’t going to be that successful against a specific account, especially for any site that has any basic countermeasures like a cooldown between attempts. Yes, typing in a random password could result in you getting in.

However, there are multiple ways to do it. For example, a large majority of people use simple passwords like “password” to secure their account. By trying all the most common passwords first and then adding a dictionary to the list you can get into a lot of accounts. Unless you really need to get into a specific account, if you try a ton of accounts, chances are you’ll get into quite a few quickly.

Anonymous 0 Comments

There are tons of ways, they’ll often start with the obvious choices like “password” or 123456789 or whatever, but after that, it’s up to them how they want to keep going. They’ll most likely start lower to high though, but that’s just because it takes so much less time to check short passwords.

You could think of it as winning the lottery, but randomly guessing a password is so much less likely than that. Assuming 65 possible characters (all capital and lowercase letters, numbers, 3 symbols) and a password of length 8, you’d have a 1 in 319,000,000,000,000 chance of guessing it right, which makes it about a million times less likely to happen than winning the Mega Millions lottery.
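The arithmetic behind that answer, worked through as an added example (not code from the original thread). It uses the answer's own figures (65 characters, length 8) and the current Mega Millions jackpot odds of 1 in 302,575,350; the guesses-per-second rates passed in are assumptions you choose. It also enumerates the three-dial lock from a later answer to show that an ordered search visits each combination exactly once, and that against a uniformly random target an ordered search needs on average (N+1)/2 guesses, so ordering does not change the expected work.

```python
import itertools

# Mega Millions jackpot odds (1 in N) under the current game rules.
MEGA_MILLIONS_ODDS = 302_575_350


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def keyspace_range(charset_size: int, min_len: int, max_len: int) -> int:
    """All passwords from min_len to max_len inclusive (a 'min+max length' search)."""
    return sum(keyspace(charset_size, n) for n in range(min_len, max_len + 1))


def lottery_ratio(charset_size: int, length: int) -> float:
    """How many times less likely one random guess is than a Mega Millions jackpot."""
    return keyspace(charset_size, length) / MEGA_MILLIONS_ODDS


def expected_guesses(charset_size: int, length: int) -> float:
    """Mean guesses an ordered search needs when the target is uniformly random: (N+1)/2."""
    return (keyspace(charset_size, length) + 1) / 2


def exhaustive_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at an assumed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def dial_lock_sequence(digits: str = "0123456789", dials: int = 3):
    """Ordered enumeration of a three-dial lock: '000', '001', ..., '999', each once."""
    for combo in itertools.product(digits, repeat=dials):
        yield "".join(combo)


if __name__ == "__main__":
    n = keyspace(65, 8)
    print(f"65^8 = {n:,} candidates")
    print(f"one random guess is {lottery_ratio(65, 8):,.0f}x less likely than the jackpot")
    # Assumed rates: a fast unsalted hash vs. a deliberately slow password hash.
    for rate in (1e9, 1e4):
        days = exhaustive_seconds(65, 8, rate) / 86400
        print(f"at {rate:.0e} guesses/s, a full search takes {days:,.0f} days")
    combos = list(dial_lock_sequence())
    print(combos[:3], "...", combos[-1], len(combos), "total")
```

The two assumed rates illustrate the point a later answer makes about hash cost: the same 65^8 keyspace is a few days of work at a billion guesses per second, but centuries at ten thousand per second.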

Anonymous 0 Comments

Brute forcing is essentially keep trying until you get it right.
And there’s usually a script for what order it attempts what.
Like first try the 1000 most common passwords, so it would try Password123 before it attempts 52knH8xRwue9

Anonymous 0 Comments

Imagine you have one of those locks that has three dials with ten digits each. You need to open the lock but you don’t know the combo.

Brute forcing means that you start with 000, then 001, then 002, and so on until you find the combination. For computers, obviously they can try different passwords more rapidly, but the passwords are also longer and more complex.

Anonymous 0 Comments

Brute force is trying all possible combinations; you’d try them in some order so you would only check each password once, but it doesn’t have to be any particular order.

For longer passwords, it’s more practical to use a dictionary attack, based on leaked passwords people have used in other places, and then variations on those passwords with minor changes.

Anonymous 0 Comments

In the old days it was common to do as you say: set your min+max length plus a character set and start at the beginning and go until you cracked it or exhausted your combinations. If you exhaust them, then increase your range and/or charset.

That isn’t efficient, so these days you want to start with a dictionary of passwords. The dictionary is a culmination of passwords leaked from databases in addition to generated combinations using words, names, numbers, l337 speak m1cro$oft, etc. If you exhaust your dictionary then it’s back to the drawing board.

Just to add trivia, in modern times when user account databases are leaked they generally reveal 1-way hashed passwords (can’t be reversed) instead of plain text passwords. You can’t login with the hashed passwords but you can sometimes use those hashes to determine what the original password was. In the old days you could do this by looking up weak hashes in Rainbow Tables. If you were lucky those passwords weren’t hashed and rather were encrypted (bad practice) and you could try and tackle the decryption.

Anonymous 0 Comments

Typically brute forcing is used against leaked/hacked password tables, not live login pages which should be rate limited (you can only try to log in so many times per second / fail so many times before it stops you).

Passwords are not (or at least *should not* be) stored in plain text. They are stored as hashes. A hash is essentially a one-way math formula: it’s extremely easy to do in one direction but almost impossible to do in the other direction. Imagine you have two very large prime numbers and want to multiply them together. Pretty easy. Now imagine you have just that result and need to factor out the prime numbers. That is very, very difficult.

So the hash takes your “Password” and turns it into “dc647eb65e6711e155375218212b3964” which is stored. Then when you try and log in it takes whatever you put into the password field, runs it through the hash, and checks if it matches. But if you put the hash in the password field you end up with “b8498ee29e56e711a268ae8cc461ae94” which doesn’t match. So it’s relatively safe to store this way.

They should also be “salted.” Basically a small unique number or string stored with your username which is added to your password. That way if two people have the same password the hash value isn’t the same, which means each password has to be cracked individually as every password which is “Password” won’t be the exact same hash value.

So the password table would look something like “Username”, “45”, “add1457e536e0123044b10f40beec49e”

So how does one brute force a password?

Well, it turns out that people really aren’t actually all that original and we’re really *really* bad at coming up with passwords. There’s certain words and patterns that come up all the time.

So you set up a program to run the same hash as the company and you use a password generator that pulls from a database of passwords and mutates those passwords in common ways and according to the password rules that you know of for the list.

So it’ll try “Password”, “P@ssword”, “password1”, “Password1”, “PassWord” and so on and so forth.

This seems like it should take forever, but depending on the hash method and hardware used a good gaming computer can run through millions and millions of hashes per second. A good hash for “at rest” password storage should be extremely computationally expensive because it doesn’t really matter to the user if it takes 0.1 seconds to hash the password so they can log in. Heck, they probably wouldn’t even notice. But if someone was trying to hash a 100 million passwords against a stolen password table it really adds up.

This is called a “dictionary” attack and it’s the main method of brute forcing a password. You basically try everything until something works. If the dictionary attack fails, though, and you really really need to get into that account, you can do the next step of brute forcing. Try “AAAAAA1”, “AAAAAA2”, “AAAAAA3,” etc. This won’t really work against anything but the oldest and most obsolete hashing methods because it’ll simply take too long to get anywhere, especially if the user didn’t go for a minimum length password.

If you ever forget your password and the service can tell you what password you used? RUN. Change the password to something you’ve never nor will ever use however many times it takes until it stops complaining about password re-use and refuse to use the service. The other end should **never** know your password.
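The storage scheme that answer describes (hash, salt, slow hash, compare on login), written out as an added example that is not code from the thread. It reproduces the answer's unsalted MD5 of “Password” only to show what a fast, unsalted hash looks like, then builds the “Username, salt, hash” record with a random per-user salt and PBKDF2-HMAC-SHA256; the iteration count and the user names are assumptions for the example. The last function times one candidate under each hash so the "it really adds up" claim can be seen directly.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; real deployments tune it to their hardware.
ITERATIONS = 100_000


def md5_hex(text: str) -> str:
    """Fast, unsalted hash: reproduces the 'Password' -> 'dc647...' example above.
    Included only to show why such a hash is cheap to guess against; never store passwords this way."""
    return hashlib.md5(text.encode()).hexdigest()


def make_record(username: str, password: str) -> dict:
    """Store the username, a fresh random salt and a slow salted hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login check: rehash the attempt with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes because their salts differ,
    so each record has to be attacked separately."""
    return make_record("alice", password)["hash"] != make_record("bob", password)["hash"]


def per_guess_cost(guesses: int = 5) -> tuple:
    """Seconds per candidate for the fast unsalted hash versus the slow salted one."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.md5(f"candidate{i}".encode()).digest()
    fast = (time.perf_counter() - t0) / guesses
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha256", f"candidate{i}".encode(), salt, ITERATIONS)
    slow = (time.perf_counter() - t0) / guesses
    return fast, slow


if __name__ == "__main__":
    print("unsalted md5:", md5_hex("Password"))
    print("md5 of that hash:", md5_hex(md5_hex("Password")))  # differs, so pasting the hash fails
    record = make_record("Username", "Password")
    print("stored record:", record)
    print("correct password accepted:", verify(record, "Password"))
    print("wrong case rejected:", verify(record, "password"))
    print("same password, different hashes:", same_password_distinct_hashes("Password"))
    fast, slow = per_guess_cost()
    print(f"slow hash costs about {slow / fast:,.0f}x more per candidate than md5")
```

Nothing in the stored record lets the service tell a user what their password was, which is exactly the property the answer's last paragraph asks you to check for.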

Anonymous 0 Comments

You usually have a dictionary of common passwords and just run through those rather than at complete random.

People usually use words and numbers as passwords, so going through various words and passwords speeds the process up a ton.