How does a password cracking software work when you only get 3-5 tries before the device locks?


7 Answers

Anonymous 0 Comments

Depends on the context. In the case of online services, sometimes a data breach will allow access to tables of stored password hashes. Once that’s obtained, there’s no software to limit guess attempts other than available computational power.

Anonymous 0 Comments

When you create a password for a device (assuming it’s just for that device) the password gets stored somehow. The way it is often stored is through a hash which is a bit of math that is done to get a consistent and unique set of numbers and letters that represent that password.

For example:

Password123 becomes ABF375648234

Every single time that Password123 is entered ABF375648234 comes out as the result from that math. If you type password123 the outcome is E123FAAD89 so it doesn’t match which means the password is wrong.

So how do you crack the password if there is only a limited set of tries on the device? Well, you grab the bit that stores the “hash”, move it somewhere else, and try until you get a matching output. You can try as many times as you want until you get the right output.

As a bonus: because most of these bits of maths allow for something called “collisions”, which are basically a scenario where your input could be AsEooKB123777777 and the math still says ABF375648234, then that input would also be accepted. Which means that if you want to crack a password that is stored and compared in this way, you don’t necessarily have to guess the actual password, which makes things easier because you can have multiple right answers.

This isn’t the only way, but it’s the most common one when talking about the “guess until you are right” approach to cracking a password.

Anonymous 0 Comments

The password attempts are not on the banking website (for example); the hackers have obtained the converted string of your password. For example, the password “ABC123” might be stored as “173af743be940e” in the computer handshake. Hackers can then attempt to brute force your password into the cypher and try to get a match. Then they know your password.

This involves them knowing both the stored value “173af743be940e” and the encryption key. And those are often pulled from a cyber attack.

A complicated password makes it harder to brute force in isolation, 2 factor adds yet another layer of defense when they try to login for real.

Anonymous 0 Comments

Password cracking isn’t just about putting strings into the password bar until one comes out right.

In order for passwords to work, the application using them has to store them, but storing them in plaintext can be incredibly risky, so they’re instead hashed before they ever get sent anywhere, let alone stored anywhere. Hashing is a form of encryption where the same plaintext will always output the same hash, but 2 different strings never should.

Hashing is designed to be impossible to decrypt, and it does its job well on that, but it can still be risky should that hash ever get leaked. People have made applications that can rapidly translate millions of possible strings and compare the output to the proper hash until one yields the same result.

It’s these applications that password cracking is built on; the application will tell them the match and then they just input the correct information on the first try.

Anonymous 0 Comments

In addition to what others have said, there exist what are called Rainbow Tables. These are large databases of precalculated password hashes. This dramatically speeds up the process of password cracking.
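An added example, not written by any of the posters above: a Python sketch of why the storage scheme decides how much a leaked hash table gives away. The function names, the sample users and the iteration count are assumptions made for illustration, and the lookup table is a plain dictionary, a simplification of a real rainbow table.

```python
import hashlib
import hmac
import secrets

# Assumption: iteration count chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000

def unsalted_sha256(password: str) -> str:
    """Weak storage: a single fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def precomputed_table(candidates):
    """Simplified stand-in for a rainbow table: digest -> password, computed once."""
    return {unsalted_sha256(c): c for c in candidates}

def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest.hex()}

def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])

def exposed_accounts(stored: dict, table: dict) -> dict:
    """Return {user: password} for every stored digest found in the table."""
    return {user: table[d] for user, d in stored.items() if d in table}

if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    table = precomputed_table(["password123", "Password123", "letmein"])
    weak = {u: unsalted_sha256("Password123") for u in ("alice", "bob")}
    strong = {u: store_password("Password123") for u in ("alice", "bob")}
    print("unsalted, found in table:", exposed_accounts(weak, table))
    print("salted, found in table:",
          exposed_accounts({u: r["digest"] for u, r in strong.items()}, table))
    print("digests equal across users:",
          strong["alice"]["digest"] == strong["bob"]["digest"])
    print("correct login verifies:", verify_password(strong["alice"], "Password123"))
```

With the salt in place, a precomputed table has to be rebuilt per account, and the slow KDF raises the cost of every single guess.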

Anonymous 0 Comments

Typically you wouldn’t test the actual method of logging on. You would steal the database of passwords and do your hacking on that to avoid controls like the one you’re talking about.

Anonymous 0 Comments

If you have the hash and know how it’s encrypted, you can just run millions of attempts offline. If you have to try to actually log in to a website, you could use a giant list of proxies to mask your location. 3 attempts from this proxy, 3 attempts from this proxy. It’s not nearly as fast but you can still rip through a common password list fairly quickly.