Eli5 If someone chooses a weak password

If someone (call him Dave) chooses a weak password for a website, say one of many thousands of easily hacked passwords like “123454321AbC”, how is a hacker able to access Dave’s account on the site?

Because there are a LOT of weak passwords. Why wouldn’t relative obscurity save this user if the website adopted a simple, well-known process in which, say, 4 wrong entries of a password disables the account until a user manually calls in and verifies, and in this way a hacker would never have the opportunity to go through the very large set of weak passwords for Dave?

7 Answers

Anonymous 0 Comments

Hackers don’t usually try every password against the actual website.

Instead they find a way to get the website’s user database. The database holds the users’ passwords, but they are supposed to be hashed (kinda like encrypted but not exactly). The only way to find the user’s password is to brute force it and see if its hash matches the one stored in the database. If the password is weak, brute forcing it would be simple.

Anonymous 0 Comments

Most sites use an email address as username. Chances are Dave reuses passwords, so the attacker can use an existing database of leaked passwords to try if they know he uses that website. There have been many breaches and millions of passwords are known.

Let’s say a site has its user/pass database hashed so you can’t decode the password, but they didn’t salt the hash or made a poor choice of algo. It then leaks. You can then hash the public list of plaintext passwords and compare with the leaked data; this is much faster than trying to brute force the hashes, and with a modern GPU it wouldn’t take long.
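The two answers above describe hashing a public wordlist and comparing it against a leaked, unsalted table. The added Python below (not from any poster) reproduces that comparison against a constructed four-user table and then shows why a per-user salt with a slow KDF (PBKDF2 here) removes the shared lookup and leaves only the site-style per-user check; the user names, passwords and wordlist are made up.

```python
import hashlib
import hmac
import os

# Constructed sample data (stand-ins for the millions of entries in real dumps).
COMMON_PASSWORDS = ["123456", "password", "123454321AbC", "qwerty", "letmein"]
USERS = {"dave": "123454321AbC", "erin": "correct horse battery",
         "fay": "qwerty", "gus": "qwerty"}
ROUNDS = 100_000  # PBKDF2 iteration count; raise it as hardware gets faster


def unsalted_store(users):
    """The weak scheme from the answers above: one bare SHA-256 per password.
    Two users with the same password get the same stored value."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ROUNDS))
    return store


def wordlist_hits(store, wordlist):
    """Hash the wordlist once and look every leaked value up in that table.
    Against an unsalted store the cost is len(wordlist) hashes no matter how
    many users leaked; against a salted store the same table finds nothing,
    because each stored value depends on a salt the table never saw."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    hits = {}
    for u, stored in store.items():
        h = stored if isinstance(stored, str) else stored[1].hex()
        if h in table:
            hits[u] = table[h]
    return hits


def verify_login(store, user, candidate):
    """The site's own check against the salted store: one KDF call per attempt,
    compared in constant time. A guesser must pay this cost per (user, guess)."""
    salt, digest = store[user]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ROUNDS)
    return hmac.compare_digest(attempt, digest)
```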

Anonymous 0 Comments

There are dictionary attacks that will go through words and common passwords. They also are onto your trick of replacing a with @. They can go through these dictionaries very fast.

However if you have an account lockout after incorrect guesses as you say then this attack won’t work. You will need a secure way of unlocking the account if you take this approach, so you most often see this protection on staff logins to corporate systems, rather than public websites.

Anonymous 0 Comments

In addition to the two answers you’ve already got, there are also bots running permanently that are just going through the list of random passwords for random accounts.

If the accounts are important enough (e.g., bank account, e-commerce website with credit card saved, email address that gives access to all the other accounts with the forgot password feature), chances are, some account somewhere is trying to hack that. These are designed explicitly not to trigger the blocked-account features of the websites that have them.

If it’s a weak password, even a thousand tries shouldn’t take too long. Especially because someone using a weak password has a strong probability of reusing passwords, so you can distribute that across multiple websites.
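As an added illustration of the answer above (not the poster’s own text), the Python below runs simple detection logic over a handful of constructed login-log lines: a source that fails against many different accounts while staying under the 4-strike lockout on each never trips a per-account counter, but stands out once failures are grouped by source. The log format, IP addresses and user names are invented.

```python
import re
from collections import defaultdict

# Constructed sample log (invented format and values): timestamp, result, user, source.
LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09 FAIL user=bob src=203.0.113.7
2024-05-01T10:00:17 FAIL user=carol src=203.0.113.7
2024-05-01T10:00:25 FAIL user=dave src=203.0.113.7
2024-05-01T10:00:33 FAIL user=erin src=203.0.113.7
2024-05-01T10:00:41 OK user=dave src=203.0.113.7
2024-05-01T10:01:02 FAIL user=dave src=198.51.100.4
2024-05-01T10:01:10 FAIL user=dave src=198.51.100.4
2024-05-01T10:01:44 OK user=dave src=198.51.100.4
2024-05-01T10:02:00 FAIL user=frank src=192.0.2.9
"""
LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse(log):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE.match, log.splitlines()) if m]


def per_account_lockouts(events, lockout=4):
    """What the 4-strike rule from the question sees: accounts at or over the limit."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= lockout)


def spray_sources(events, lockout=4, min_accounts=3):
    """Sources that fail against many distinct accounts while keeping every one
    of them below the lockout threshold, i.e. exactly the bots described above."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for _, result, user, src in events:
        if result == "FAIL":
            fails[src][user] += 1
    return {src: sorted(per_user) for src, per_user in fails.items()
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout}


def successes_from(events, sources):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return sorted({u for _, r, u, src in events if r == "OK" and src in sources})
```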

Anonymous 0 Comments

A malicious user will never really try to brute force a password; it’s a waste of time and computing power (plus most secure pages will limit your attempts as a measure to avoid this).

Instead, what would most likely happen is that the actor would try to get a hold of the page’s database where said passwords are held, even if encrypted, so that instead of trying ALL passwords, it only has to attempt the passwords used by the known users: this is known as a **dictionary attack**. This sort of attack doesn’t even need that page’s database, just a database where it can determine that there is a connection (as most people tend to reuse passwords).

Instead of trying every single word, it tries every word it knows is being used.

Anonymous 0 Comments

So the classic way a hacker would crack your profile is by a brute force attack. It’s essentially guessing and checking the password. You go to login, plug in the email or username and just guess passwords. If you want to check all the variations and know the types of characters that the site allows for passwords, like letters and numbers and special characters, you got like 60 characters and you have to try all variations. Depending on how long the password is it can take millions or trillions of tries before the hacker has any statistical chance of cracking the password.

If you got n possible different characters and the password is k long and one character can appear multiple times, to get the number of possibilities you just do n^k. So for 26 English letters a password that’s 8 characters long: 26^8 = ~208 billion possibilities. If you can check 1000 passwords per second it would take around 6.5 years to check all of them. So if you check randomly, in 3 years you got around a 50% chance of finding the password.

As you can see the possibilities grow exponentially with the length of the password, so even adding one extra character can turn a couple of months of guessing and checking into years.

Of course sites don’t allow login attempts fast enough for this method to work and even implement safety features like captcha or informing the user about login attempts. So a hacker can’t guess and check passwords on site. But the password is stored in the code of the site somehow since when a password is inputted it needs to validate it. The password data is often stored as the output of a cryptographic hash function. This gibberish-looking string can sometimes be found in the html code of the site. What happens is that you input a password, the input runs through the algorithm and if the output matches the stored output the password is correct.

So you would think that if you can somehow manage to get the output and know the algorithm you can run it in reverse and get the input. Let’s say that the function is H(x) and x is the password like x=1234. So H(1234)=y which is some stupidly long gibberish, but knowing H(x) and y you can make the inverse H^-1(y)=x. As it turns out you can’t. It’s not random; think about it like some chaotic system where changing the input parameters slightly massively changes the output. But the same input will always give you the same output; however, just by analysing what turns into what you can’t deduce the inverse.

So these hash functions are great for encryption. But brute force technically still works. Just check all the possible inputs and see if it matches the output you acquired from the site. Of course it’s still a lot of guessing and checking but the only limiting factor is your computing power. So how many passwords can you run through the function and check the output each second? Let’s work with 60 different characters and a password length of 8. We don’t know the length but we know that the site allows only 4+ character length passwords so we add up from 4.

The number of possibilities is 170,808,406,560,000. Let’s say we can run 1 million hash functions per second. To check all of them is around 5.4 years, so for a 50% chance to find a match we should run the program for 2.5-3 years.

As you can see with a brute force attack, despite the method, you either have to be patient or have an absurd level of computing power. If however your password is only 4 characters it takes 12 seconds with the 1 million hash functions per second speed to crack it. So length is what really matters.

256 bit encryption for instance turns your input into a 256 bit number and runs that through the hash function. Well more or less. But in general if you want to find a 256 bit number with brute force you got 2 characters, 0 and 1, so 2^256 is the number of possibilities. With 1 million/s speed it would take 2.6×10^53 times the age of the universe to crack it.

So the strength of a password mostly depends on the length of the password. And of course how much information we give for a hacker to figure out possible passwords. Like important dates, name of dog etc. So the best password is a password that doesn’t relate to you in any way, shape or form and is sufficiently long. Also using special characters can make a huge difference. But because of how efficient cryptographic hash functions are, hackers don’t really brute force passwords but try to get them through scams. Like a regular email scam or a fake site.
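The keyspace figures in the answer above, carried through as an added Python example (the arithmetic is the poster’s; the code is not theirs). It generalises the n^k count to a range of lengths, as the answer does by summing every length from 4 to 8, and converts the result to time at a given guess rate. The age-of-universe constant is an assumed 13.8 billion years, since the answer does not state the value it used.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9  # assumed; the answer does not say which value it used


def keyspace(alphabet_size, min_len, max_len):
    """Count of all strings over the alphabet with length in [min_len, max_len]:
    the sum of n^k for each k. Kept as an exact integer; these exceed float precision."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, guesses_per_second):
    """Wall-clock time to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second


def years_to_exhaust(candidates, guesses_per_second):
    return seconds_to_exhaust(candidates, guesses_per_second) / SECONDS_PER_YEAR


def years_to_even_odds(candidates, guesses_per_second):
    """Guessing uniformly at random, the chance of a hit passes 50% once half
    the space has been searched."""
    return years_to_exhaust(candidates, guesses_per_second) / 2


def universe_ages(candidates, guesses_per_second):
    """How many times the age of the universe an exhaustive search would take."""
    return years_to_exhaust(candidates, guesses_per_second) / AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    # The three cases worked in the answer above.
    letters8 = keyspace(26, 8, 8)   # 26^8, online guessing at 1000/s
    print(f"26^8 = {letters8:,}: {years_to_exhaust(letters8, 1e3):.1f} years to exhaust")
    mixed4to8 = keyspace(60, 4, 8)  # every length from 4 to 8 over 60 symbols
    print(f"60^4..60^8 = {mixed4to8:,}: {years_to_exhaust(mixed4to8, 1e6):.1f} years, "
          f"{years_to_even_odds(mixed4to8, 1e6):.1f} years for even odds")
    print(f"60^4 alone: {seconds_to_exhaust(keyspace(60, 4, 4), 1e6):.1f} seconds")
    print(f"2^256: {universe_ages(2 ** 256, 1e6):.2e} ages of the universe")
```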

Anonymous 0 Comments

So many tricks.

One is not going through the login/password process *on the site*, but getting the database from the site.

Another is running an algorithm cracker on the site: this takes millions of different logins and attempts them, then intercepts the hashed outputs, connects them to the correct login attempt and attempts to rebuild the algorithm in use. It’s validated by attempting what it thinks is a correct password on the site, and the easiest ones to try are the “weak” passwords…so Dave’s weak password would probably be one of the first ones to succeed. This sort of attack doesn’t work on hash-and-salt encryption, so the site would have to have weak algorithms, too, but…

Just get a little bit creative and I’m sure you can think of a hundred other ways to get a weak password. How would *you* do it?