1. Few sites lock accounts after failed attempts. Otherwise, an attacker could still try, until the account is locked, and then the real user would be unable to get in.

2. Classic “aaaaaaaa, aaaaaaab” style brute force doesn’t happen online (by trying against a site live). Dictionary attacks may sometimes happen, but usually site A gets hacked, leaking hashed forms of passwords. You can’t read the password, but you can test whether a password matches the hash.

Bruteforcing the hashes, i.e. trying passwords until one fits the hash, is being done – but since the attacker has the entire database, they can do it “at home” without talking to the site, so no limit applies (except the time/computing capacity needed to calculate the hashes for testing).

Once the attacker has bruteforced a password, they may then possibly use it to log in to the site, but most importantly they will try the same username-password combo everywhere else. They only need one attempt per account! (They may try variants like adding different numbers, but it’s generally a small number of attempts.)

That’s why it’s so important to have completely different passwords for every site.

Usually the concern is that a data leak could result in someone getting hold of the hashed password (the scrambled version the service keeps in their database to check you entered the right password).

If someone has the hashed password they can try to guess it and check if they were right as many times as they want on their own computer.

If they find a password that works they can then use it on the real service, or other services you might use the same password for, and get it right on the first try.

Locking out an account is a great way to stop brute force attacks. Not every site will do this though.

The majority of attacks will come from people getting hold of a database leaked from a website with your password in it, and then trying your username and password on that website but also many other popular websites.

The good news is that a good website will hash your password, so you can’t just read it from the database. However if the attacker has the database they can use a brute force attack to decode those hashes.

Always use a secure password (20 random characters, or 3 words).
Never reuse passwords between websites.

Because you don’t brute force the live system directly. Attackers will have obtained a copy of the password database, and can attack it locally on their own system, where lockouts or other controls aren’t a factor.

There is more than one way to brute force a password. The purpose of a lockout is to prevent this exact type of attack, but if the attacker can get more information they can get around this lockout. Servers *usually* store password using something called a hash which is a “number” that is calculated using an algorithm that cannot be done in reverse, a password can be put through a hash algorithm and the returned hash can be stored. When someone tries to log in the server generates the hash of the password you just typed in and if its the same as the one it has stored you are logged in.

If an attacker gets the password hash database and knows which algorithm they use, they can try to brute force the password without trying to log in to the site. Once they have a password that matches the original hash they can enter that into the site and thee will be able to log in.