eli5: how does “brute forcing” a password work?


So I get the more complicated and long the password the harder it is to brute force, but do these programs start with like 111aaa and then go to like 111aab and so forth. Or, are they just trying every combination randomly? If the latter, isn’t there a chance (a very small one) that if it is kinda random that they could break a really good password on like the first try? Similar to winning the lottery? If it’s not random, that has its own issues. I don’t get it. Help.


14 Answers

Anonymous 0 Comments

>but do these programs start with like 111aaa and then go to like 111aab

That’s the idea. The most basic of brute force password crackers actually starts at 1, and then goes to 2, then 3, and so forth, before getting to 0 and switching to letters.

Even for a brute force approach, it’s not ideal. More typically, they’ll have a small dictionary of, say, the 10,000 most commonly used passwords and start with those and then, if they know the minimum and maximum password lengths, it’ll “skip ahead” to the most basic of those and start there.

The key is that a brute force approach can try thousands or hundreds of thousands of passwords per second. The defense, of course, is to not allow that, but, sometimes, some places just don’t.

>Or, are they just trying every combination randomly? If the latter, isn’t there a chance (a very small one) that if it is kinda random that they could break a really good password on like the first try?

Some do, although it’s not quite “random”, it’s close enough, and yes. They could win the lottery and get it on the first go. It’s even more unlikely than actually winning the lottery, but it is possible.

Anonymous 0 Comments

Depending on the cracking program, they generally will first run a table of common passwords like “password”, “1234567890”, etc., and if that doesn’t give a valid one then it will start on valid language permutations, probably, then random character permutations.

An upper/lower case + numbers 8 character password like “dF67WEs3” is going to throw up (26*2+10)*10^8 or about 2.2 trillion.

Which sounds like a lot, but depending on the program and hardware some brute forcing programs can do up to a billion attempts a second. A system with even only a million a second guess rate could chug through that 8 character 2.2 trillion permutation password in under a month.

Anonymous 0 Comments

Some do. But most programs start with common passwords. So you would get attempts that start with things like “password”, “password1”, all 366 birthdays etc. Then when the common passwords are exhausted, it converts to methodical guessing.

As for the random chance of guessing a good password, it’s incredibly low. The most secure passwords are ones that are randomly generated.

If you take all possible characters used in a password, you get lowercase letters, uppercase letters, numbers, and symbols/special characters. In total that’s (26 * 2) + 10 + 32 = 94 unique characters.

Because of that, the odds of guessing a randomly generated password are 1 in 94^n. Where n is the number of characters in your password. Here’s how quickly it scales.

1 character password = 1 in 94 chance

3 character password = 1 in 830,584 chance

8 character password (minimum length on most sites) = 1 in 6,095,689,385,410,816 chance

16 character password = 1 in 37,157,429,083,410,091,685,945,089,785,856 chance

Keep in mind that the odds need to be this low because computers can guess more than 100,000,000,000 each second. I did some more math, and found that with an 8 character password, a computer guessing at full speed would have a 30% chance at guessing correctly within just a quarter of a day. (I couldn’t do the math for a full day because I couldn’t find a calculator that would let me use numbers that big.)
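Added example, not part of any answer in this thread: a strength estimator that uses the 94-character alphabet and the 100,000,000,000 guesses per second quoted above, shows what throttling login attempts does to the same numbers, and simulates on a toy keyspace whether guessing in order or at random changes the average work. The function names and the throttling policy (5 tries per 15 minutes) are assumptions made for the illustration.

```python
import random
from fractions import Fraction

ALPHABET = 94                      # (26 * 2) + 10 + 32, as counted above
OFFLINE = 100_000_000_000          # guesses per second, figure quoted above
THROTTLED = Fraction(5, 15 * 60)   # assumed lockout policy: 5 tries per 15 min

def keyspace(length, alphabet=ALPHABET):
    """Number of equally likely passwords of exactly this length."""
    return alphabet ** length

def p_found_within(length, guesses_per_sec, seconds, alphabet=ALPHABET):
    """Chance a uniformly random password is among the guesses made in the
    window when no guess is repeated; the guessing order does not matter."""
    total = keyspace(length, alphabet)
    tried = min(total, int(guesses_per_sec * seconds))
    return Fraction(tried, total)

def years_to_exhaust(length, guesses_per_sec, alphabet=ALPHABET):
    """Worst case: time needed to try every candidate once."""
    return float(keyspace(length, alphabet) / guesses_per_sec) / (365 * 86400)

def mean_guesses(space, strategy, trials=5000, seed=1):
    """Average guesses to hit a random secret in a toy space of `space`
    candidates (identified by index), for one guessing strategy."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        target = rng.randrange(space)
        if strategy == "sequential":        # 0, 1, 2, ... in order
            total += target + 1
        elif strategy == "shuffled":        # random order, never repeating
            order = list(range(space))
            rng.shuffle(order)
            total += order.index(target) + 1
        else:                               # "random": repeats allowed
            n = 1
            while rng.randrange(space) != target:
                n += 1
            total += n
    return total / trials

if __name__ == "__main__":
    for n in (8, 16):
        print(n, keyspace(n), f"{years_to_exhaust(n, OFFLINE):.3g} years offline")
    print("8 chars, 6 h offline:", float(p_found_within(8, OFFLINE, 6 * 3600)))
    print("8 chars, 1 year throttled:",
          float(p_found_within(8, THROTTLED, 365 * 86400)))
    for s in ("sequential", "shuffled", "random"):
        print(s, mean_guesses(200, s))
```

For a randomly generated password, ordered and shuffled guessing both average about half the keyspace, while random guessing that repeats itself averages about the whole keyspace; the first guess has the same 1-in-N chance under every strategy.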

Anonymous 0 Comments

There are many methods, depending on your target, and anything known about the security procedures used by the target.

If I had **data from a data breach that included your email address, and some past passwords** you had used, they might feed all those old passwords into cracking attempts. This is a targeted type of brute force (guessing).

Then there are huge password lists. If we know that the target requires a minimum of 8 characters with a certain character set (8 characters, at least one capital and one number might be required for this web site) then we filter the “common password list” to have a shorter list that meets those criteria and feed those passwords to the target.

Some targets have a standard format for their factory passwords (My ISP uses a 10 digit numeric default password on all wifi routers.) Brute forcing this is basically a long series of feeding it new numbers.