How can brute forcing passwords still exist if sites lock the account after several failed attempts?

15 Answers

Anonymous 0 Comments

They don't brute force on the site itself; instead they do it on hashed passwords that are leaked in data breaches. Basically, whenever you hear in the news that so-and-so website had user data leaked, it means that encrypted versions of the passwords have been leaked. These are traded on the so-called dark web, and those who have the encrypted passwords will try different combinations of characters until they find the actual passwords. That's brute forcing, basically.

Anonymous 0 Comments

Hackers don't brute force passwords by trying to log in to the service over and over again. Instead, what they do is brute force password *hashes*. These hashes can be acquired from database dumps of very large sites. Even if those accounts are for a forum and contain no sensitive data, they can still be useful. The hacker will take a giant list of password hashes and then use a program like John the Ripper along with their GPU to crack the passwords, i.e., turn the hashed passwords back into plain text. The hacker will then take those passwords and emails and check other services to see if you've reused the same password for other services that do contain sensitive information like bank credentials.

Also, there are attacks that hit login services, but that isn't brute force. It's what's called "cred stuffing". There are lots of Discord forums and dark net sites that traffic in large lists of *already brute-forced or stolen credentials* as well as programs that allow you to use them. The programs will rotate through a giant list of proxies and attempt to log in to different services using the list of credentials. The program will then mark the credentials as valid or invalid for each service. If you've ever seen people selling super cheap Netflix, OF, Disney Plus, or Spotify accounts, this is how those accounts are acquired.

Anonymous 0 Comments

As someone who deals with these kinds of attacks regularly, there are a few ways around this.

The first thing most hackers do nowadays is to use combination-lists. There are lists on the net with literally billions of username/email/password combinations that got stolen in past years, for example from the Adobe and LinkedIn hacks. Those passwords were hashed, but a lot of hackers tried to crack those passwords and shared the results. All those results combined form a 'combination-list' (both because they contain email/password combinations and because it is a combination of several hacks and cracking done by other hackers).

Those lists usually only have a few passwords per email address, so even if the account is locked after a few tries, they are probably in already or have moved on to the next combination.

Those hackers also hide their tracks quite well and very often use "residential proxies", which means those tries do not come from a single address but from thousands of addresses; I've seen up to 60k different addresses in a single attack. So if you block an address after 5 tries for an hour, they can still try up to 7.2 million combinations in a day.

Brute-forcing a single account with random passwords is rarely done nowadays.

But what I see the most nowadays is hacked Google accounts: when they get access to your Google account they get access to the passwords stored by Chrome there, and if those are used the hit rate (number of successful logins vs. failures) is enormous.
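As an added illustration (not from any of the posts above), the Python below runs over a constructed auth log in the spread-out pattern this answer describes: a couple of tries per account, each from a different address. It shows that a per-address lockout never fires, which account-level count does catch it, and reproduces the 7.2 million-guesses-per-day figure. The log format and the names are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any post on this page): each account gets
# only one or two tries, each from a different source address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:02Z user=alice src=198.51.100.7 result=FAIL
2024-05-01T10:00:03Z user=bob src=203.0.113.9 result=FAIL
2024-05-01T10:00:04Z user=bob src=198.51.100.21 result=OK
2024-05-01T10:00:05Z user=carol src=192.0.2.44 result=FAIL
2024-05-01T10:00:06Z user=dave src=192.0.2.45 result=FAIL
2024-05-01T10:00:07Z user=dave src=203.0.113.77 result=FAIL
2024-05-01T10:00:08Z user=erin src=198.51.100.3 result=OK
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def parse_log(text):
    """Return a list of (user, src_ip, succeeded) tuples, skipping unparsable lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m["user"], m["src"], m["result"] == "OK"))
    return rows

def per_ip_lockouts(rows, threshold=5):
    """Addresses a per-IP lockout would block: those with >= threshold failures."""
    fails = defaultdict(int)
    for _user, src, ok in rows:
        if not ok:
            fails[src] += 1
    return {src for src, n in fails.items() if n >= threshold}

def accounts_failed_from_many_sources(rows, min_sources=2):
    """Per-account view the IP lockout misses: accounts whose failed logins
    came from at least min_sources distinct addresses."""
    sources = defaultdict(set)
    for user, src, ok in rows:
        if not ok:
            sources[user].add(src)
    return {u for u, s in sources.items() if len(s) >= min_sources}

def daily_capacity(addresses, tries_per_lock, lock_hours):
    """Guesses per day when each address gets tries_per_lock attempts before a
    lock lasting lock_hours; the post's 60k addresses, 5 tries, 1 hour give 7.2M."""
    return addresses * tries_per_lock * (24 // lock_hours)
```

Counting failures per account (and per account across distinct sources) is what surfaces this pattern; the per-address counter stays at one or two everywhere.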

Anonymous 0 Comments

Hackers steal the password hash, then try out all the combinations on their own computer to decrypt it. Then they enter the decrypted password.

How long that will take, 10 minutes, a year or practically forever, depends on your selection of the password.

Anonymous 0 Comments

The idea of a lockout only works if you're trying to brute force the password through some system that you can be locked out of (like a login prompt on a website). In reality, password brute forcing happens when somebody has a copy of the password hash.

This makes a lot more sense if you know what a password hash is and why they're used. A "hash" in this context is a one-way function that takes an input and outputs a fixed-size output (the output size is always the same, no matter the size of the input). The function being "one way" means that there is no good way to take an output and find out what the input was. The best you can do is try different inputs and see if the output matches. When you set a password on a website, the backend database doesn't (or at least shouldn't) store your actual password; instead they hash your password and store that, the "password hash." When you attempt to log in, they hash the password that you typed in and then see if it matches the stored password hash. This way they can check if you typed in the right password, but they don't store anybody's actual password. This means that people with access to the db (developers, administrators, etc.) can't look at people's passwords and they can't accidentally leak passwords. But what they can do is leak the password hashes. The password hashes aren't useful by themselves (i.e. you can't log in with the hash itself), but what attackers can do is hash a whole bunch of common passwords and see if any of the hashes match. This is what hackers are doing when they're "brute forcing" the passwords.

This is also why it's important to not use a common password. When hackers brute force passwords they have to feed potential passwords into the hash function and check whether the output matches the password hash, so naturally they start with the most common passwords.
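To make this answer concrete, here is an added Python example (not code from any poster) showing the two sides of it: a naive unsalted SHA-256 store, where one hash per candidate checks every leaked user at once with no server-side lockout in the way, next to a per-user salted, deliberately slow PBKDF2 store with a constant-time login check. The "common passwords" list and the user names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the giant common-password lists the answer mentions;
# real cracking lists run to billions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

def fast_unsalted_hash(password):
    """How a naive site might store passwords: plain SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def offline_matches(leaked_hashes, candidates):
    """With unsalted hashes, hashing one candidate tests it against every leaked
    user simultaneously. Returns {user: matching_candidate} for a {user: hash} dump."""
    by_hash = {}
    for user, h in leaked_hashes.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for cand in candidates:
        for user in by_hash.get(fast_unsalted_hash(cand), []):
            found[user] = cand
    return found

def store_password(password, iterations=600_000):
    """Defensive storage: random per-user salt plus a slow key-derivation function,
    so every user must be attacked separately and each guess costs real work."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(record, attempt):
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])
```

Two users who pick the same password get different PBKDF2 records because of the salt, so the shared-hash lookup that `offline_matches` relies on no longer works across accounts.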