It’s very rare that hackers just start trying random passwords

However; if you have system access you can change attempted logins to 999999

They would usually use a known function, it is the hash itself which is the somewhat secret information. Once they have the hash they can test against it on their own machines, there is nobody to lock them out.

If the hash-key is leaked, then they have a copy of the user database on hand. Their own computers would not put a limit on how many attempts they can make. They just keep testing until they get a successful crack, then they can login to the real web site once and just be successful on the first try since they now know the password.

How to generate a good hash is a complex thing, so it’s actually quite common to use pre-written programs to do it. Which means the hashes follow a known pattern and is very recognizable. Especially since many of them are designed to be upgraded over time so there is information specifying which hash algorithm is used to allow said upgrades. Some web sites might choose a favourite from the list, but incredibly few are using something totally unique and unknown.

They test the leaked password against a table of prehashed values, called a rainbow table. If there is a match, the result is they have the plaintext password to log in with.

[https://en.wikipedia.org/wiki/Rainbow_table](https://en.wikipedia.org/wiki/Rainbow_table)

> I assume every website uses a unique function for converting passwords into keys.

You are wrong. they all use the same well known hashing algorithms (in the case of the Internet Archive leak, bcrypt) . Security through obscurity doesnt really work so there isnt a point to using a unique algorithm.

and since the hashes were leaked and the hacker has them and the algorithm locally, there is nothing to shut them out of.

if you want something “fun” to do, try to find the password that hashes to `$2y$10$fksFP0dp5MOKVhl9z8mTqe1Jx8r0zr1EOEkCpjo7Kf9JJpZ11V0NO` in bcrypt. (here is a website to generate the hashes even if you dont know how locally https://bcrypt.online/)

so hackers usually have a list of common passwords right and they just keep hashing them until they find a match. they automate it with bots to try tons quickly. not knowing the function is rough but often sites use similar algorithms. kinda wild how much tech nerds can do with just a little bit of info

so hackers use what’s called a rainbow table or just pre-compute a bunch of hashes for common passwords. they just compare their hashes to the leaked one. if the hashes match then they got the password. and yeah most sites have unique hashing methods but like you said sometimes they can brute force common passwords using lots of attempts without getting noticed. that’s why having a long password is key bro.

They do know the hash function, there are only a few standard password hash functions and the hash itself generally specifies which hash function was used to create it. Creating a custom hash function and then keeping it a secret is generally not practical or useful. It’s hard to test the security of a hash function, the standard ones in use are considered secure because they’ve been around a while and nobody has figured out how to break them yet. Your custom hash function built by your barely cryptography literate engineers would probably be deeply flawed, and the entire premise is an anti-pattern called “security through obscurity.”