As others have mentioned, it is true that there are many ways to hack an account without interacting with the login page, but bruteforcing is still a thing.
Usually a hacker will use a leaked database of credentials and attempt to use them on login pages on websites.
The website will block after 3 attempts, but how does it know it was the same computer each time? Because you used the same cookie! If you delete your cookie and try again you will have more attempts, guaranteed. After a certain amount of cookie resets, the website will block your IP, and at this point you will need proxies to rotate your IP address.
All hackers do is rotate IP addresses and cookies to appear to be multiple different computers. Advanced security systems can block this using other identifiers and methods, and it gets very complicated… this is my job 🙂
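The rotation described in the answer above, as an added example that is not part of the original thread: a login guard that counts failures per identifier, and an attacker that drops its cookie whenever it gets locked and moves to a new proxy after a few cookie resets. Which identifier the guard keys on (cookie, IP, or the account itself) decides how far the attacker gets. The victim password, wordlist and proxy addresses are constructed for the demo; `LoginGuard` and `run_attack` are hypothetical names, not any real product's API.

```python
"""Added example (not from the thread): a login guard that counts failed
attempts per identifier, and an attacker that rotates cookies and IPs.
All names, passwords and proxy addresses are constructed for the demo."""
from collections import defaultdict

MAX_FAILURES = 3                      # lock an identifier after this many failures
SECRET = "correct horse"              # constructed victim password


class LoginGuard:
    """Per-identifier lockout. key_fn decides what 'the same computer' means:
    the session cookie, the client IP, or the account being attacked."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def attempt(self, request, correct_password):
        key = self.key_fn(request)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if request["password"] == correct_password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "bad_password"


def run_attack(key_fn, username, wordlist, proxies, resets_per_ip=5):
    """Guess `wordlist` against one account. Whenever the guard answers
    'locked', drop the cookie; after every `resets_per_ip` cookie resets,
    move to the next proxy. Returns (guesses that reached the password
    check, password found or None)."""
    guard = LoginGuard(key_fn)
    ips = list(proxies)
    ip = ips.pop(0)
    cookie_id = 0
    resets = 0
    checked = 0
    for guess in wordlist:
        while True:
            request = {"user": username, "password": guess,
                       "cookie": f"sess-{cookie_id}", "ip": ip}
            result = guard.attempt(request, SECRET)
            if result != "locked":
                break
            cookie_id += 1                      # "delete your cookie and try again"
            resets += 1
            if resets % resets_per_ip == 0:     # cookie resets stopped working: rotate IP
                if not ips:
                    return checked, None        # out of proxies, the attack stalls
                ip = ips.pop(0)
        checked += 1
        if result == "ok":
            return checked, guess
    return checked, None


def by_cookie(request):
    return request["cookie"]


def by_ip(request):
    return request["ip"]


def by_account(request):
    return request["user"]


# Constructed wordlist; the real password sits near the end.
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "welcome",
            "admin", "monkey", "dragon", "football", SECRET, "iloveyou"]
PROXIES = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # constructed

if __name__ == "__main__":
    for name, key_fn in [("cookie", by_cookie), ("ip", by_ip), ("account", by_account)]:
        print(name, run_attack(key_fn, "victim", WORDLIST, PROXIES))
```

Keyed on the cookie, the guard never stops the attacker (the password is found on the 11th guess); keyed on the IP, each proxy buys three guesses and the attack stalls when the proxies run out; keyed on the account, three guesses is all anyone gets. Per-account lockout on its own is not the end of the story, since it lets an attacker lock real users out of their own accounts, which is why the systems the answer alludes to combine account, IP and device signals with delays or CAPTCHAs rather than relying on any single counter.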
A hash is how the password is stored. There’s an algorithm that takes your username and password, then combines them together to produce a meaningless jumble of symbols. This is fairly secure because a hash alone can’t be reverse engineered.
The bad thing about a hash is if you know the username that was combined with the password and know the type of cryptographic method used, you can try your own passwords as many times as you like until you get a hit.
So if the website is bad and has an easy-to-read database of usernames and the corresponding hashes, they can brute-force the passwords easily.
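The offline guessing described in the answer above, as an added example that is not part of the original thread. It uses SHA-256 over the password as the "type of cryptographic method", shows the attacker hashing a wordlist and matching it against a leaked table, and puts a per-user salt beside it to show what the salt changes: the attacker's work can no longer be shared across users. Users, passwords, salts and the wordlist are constructed; `crack_unsalted` and `crack_salted` are hypothetical helper names.

```python
"""Added example (not from the thread): offline guessing against a leaked
table of password hashes. Users, passwords and salts are constructed."""
import hashlib

# Constructed wordlist of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]


def hash_unsalted(password):
    # Every user with the same password gets the same digest.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(salt, password):
    # A per-user salt is stored beside the digest; work cannot be reused across users.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed "leaked database": alice and bob chose dictionary words, carol did not.
PASSWORDS = {"alice": "dragon", "bob": "letmein", "carol": "Tr0ub4dor&3-xQ"}
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}   # constructed, fixed for the demo
LEAK_UNSALTED = {user: hash_unsalted(pw) for user, pw in PASSWORDS.items()}
LEAK_SALTED = {user: (SALTS[user], hash_salted(SALTS[user], pw)) for user, pw in PASSWORDS.items()}


def crack_unsalted(leak, wordlist):
    """Hash the wordlist once, then look every leaked digest up in that table.
    Returns (cracked {user: password}, number of hashes computed)."""
    table = {hash_unsalted(guess): guess for guess in wordlist}
    cracked = {user: table[digest] for user, digest in leak.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(leak, wordlist):
    """With a per-user salt the wordlist has to be re-hashed for every user.
    Returns (cracked {user: password}, number of hashes computed)."""
    cracked, cost = {}, 0
    for user, (salt, digest) in leak.items():
        for guess in wordlist:
            cost += 1
            if hash_salted(salt, guess) == digest:
                cracked[user] = guess
                break
    return cracked, cost


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAK_UNSALTED, WORDLIST))
    print("salted:  ", crack_salted(LEAK_SALTED, WORDLIST))
```

Both runs crack alice and bob and fail on carol, whose password is not in the wordlist; the difference is the cost. Unsalted, six hashes cover the whole table no matter how many users it holds; salted, the attacker pays for the wordlist once per user. A deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2 instead of a single SHA-256) multiplies the cost of every one of those guesses again, which is the other half of what makes a leaked table expensive to attack.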
Hackers write programs that routinely try a single password with many thousands or more of different user IDs. Then the program tries the next password with the same many thousands or more of different user IDs. If it waits an amount of time between attempts, many of these will have reset either through a valid login from the real user or a bad password timeout which many systems have. In some cases they may test an account to see if there is a bad password timeout so they know how often their program can try their account list with a new password. Then they sit back and let their program run against that company’s systems and it sends them any valid account/password combinations. Even if it only tries one password a day from a list of common passwords, it can try every combination of user ID with the 365 most common passwords in a year. If it can do many attempts per account per day it can test that many more. If there is no wrong password attempt lockout, it can try as fast as possible going through hundreds of password attempts every minute.
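The one-password-against-many-accounts pattern in the answer above (usually called password spraying) is designed to stay under a per-account lockout, so the practitioner's check is on the other axis: how many distinct accounts one source fails against in a window. The following is an added example, not part of the original thread; the log format, IP addresses and usernames are constructed, and `detect_spray` and `max_failures_per_account` are hypothetical names.

```python
"""Added example (not from the thread): detecting a slow password spray
from login logs. The log lines, IPs and usernames are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: 203.0.113.7 tries one password against six accounts, two
# minutes apart; 198.51.100.2 is a real user who mistypes twice then gets in.
LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:05Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:00:40Z ip=198.51.100.2 user=bob result=OK
2024-05-01T10:02:00Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:04:00Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:06:00Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:08:00Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:10:00Z ip=203.0.113.7 user=frank result=FAIL
"""

LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def parse(log):
    """Return (timestamp, ip, user, result) tuples, skipping lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def max_failures_per_account(events):
    """Highest consecutive-failure streak any single account sees. A spray that
    touches each account once never reaches a per-account lockout threshold."""
    streak, best = defaultdict(int), 0
    for _, _, user, result in sorted(events):
        streak[user] = streak[user] + 1 if result == "FAIL" else 0
        best = max(best, streak[user])
    return best


def detect_spray(events, window=timedelta(minutes=15), min_accounts=5):
    """Flag every source IP that fails against >= min_accounts distinct
    accounts inside a sliding time window, whatever the per-account counts."""
    flagged = set()
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    for ip, fails in fails_by_ip.items():
        recent = deque()                 # (ts, user) failures inside the window
        users_in_window = defaultdict(int)
        for ts, user in fails:
            recent.append((ts, user))
            users_in_window[user] += 1
            while recent and ts - recent[0][0] > window:
                old_ts, old_user = recent.popleft()
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
            if len(users_in_window) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    events = parse(LOG)
    print("max failures on one account:", max_failures_per_account(events))
    print("spraying sources:", detect_spray(events))
```

On this log no account ever sees more than two consecutive failures, so a lockout at three never fires, yet the spraying address is flagged because it failed against six different accounts in ten minutes. The window and threshold are tuning knobs: a slower spray (one password a day, as the answer describes) needs a much longer window, and at that point the distinct-accounts-per-source count is still the signal to watch, alongside the source rotation covered earlier in the thread.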