They’re not doing it that way. If they’re attempting password combinations, then they already have a copy of the password database file, with encoded (hashed) passwords. Hashing algorithms are no particular secret, so what they;re doing is taking a word, hashing it, and comparing to the database to see if they have any matches.
Latest Answers