They don’t guess your password.
Instead they attack the site you’re logging into. They try to steal the user data. Part of that data is a big number that represents your password. When you created your account, the site did some math on your password to create this number. The math is set up so it’s impractical for someone to figure out what password corresponds to each number. When you put your password in, the site does the same math on your input, then compares the number it gets to the number it stored. If they match, it reckons you put in the right password.
The math is not perfect. And attackers can do the math. So they make huge files where they try tons of common passwords like birthdays or “password” etc. and do the math to get the numbers. Then they compare those big lists of numbers to every number in the user data they stole. If they find any matches, they’ve got that person’s password. So when they log in, they only need one try.
Over time, attackers try every possible combination of letters and make huge lookup tables. For some older versions of the math, they can instantly crack any password up to about 15 letters. They’re still working on it for newer math; we keep making the math slower and more complicated to stifle them. But even with the old math, if you had a 25 or 30 letter password, they wouldn’t have it in their big tables yet. That’s why long passwords are really good and why maximum lengths are very stupid.
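To make the answer above concrete, here is an added example (not part of the original post) with a constructed three-user "stolen" table: a precomputed list of common-password hashes matches the weak entries instantly, while the hardened storage (a random per-user salt plus a deliberately slow key derivation) means one table can no longer be reused against every user.

```python
import hashlib
import hmac
import os

# The "big number" an older site stores: one fast, unsalted hash per password.
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample dump, standing in for stolen user data.
STOLEN_USERS = {
    "alice": fast_hash("password"),
    "bob": fast_hash("19900101"),                      # a birthday
    "carol": fast_hash("purple-kettle-orbits-the-quiet-lighthouse"),  # long passphrase
}

# Constructed mini word list, standing in for the attacker's "huge file".
COMMON_PASSWORDS = ["password", "123456", "qwerty", "19900101", "letmein"]

def build_lookup_table(candidates):
    """Do the math once per common password: hash -> password."""
    return {fast_hash(p): p for p in candidates}

def match_dump(dump, table):
    """Compare every stored number against the table; hits reveal the password."""
    return {user: table[h] for user, h in dump.items() if h in table}

# Hardened storage: per-user random salt and a slow, iterated derivation (PBKDF2).
# The salt means a table built for one user is useless for every other user; the
# iteration count is the "slower math" that makes rebuilding it per user costly.
ITERATIONS = 200_000  # assumed value for illustration; real deployments tune this

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_password(password: str):
    """Return (salt, derived_key) as the site would store it at sign-up."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

def verify_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Redo the same math on the login attempt and compare in constant time."""
    return hmac.compare_digest(slow_hash(attempt, salt), stored)

def same_stored_value(password: str) -> bool:
    """Two sign-ups with the same password: do they store the same number?"""
    _, first = store_password(password)
    _, second = store_password(password)
    return first == second   # False: the salt differs, so no shared lookup key
```

Running `match_dump` over the sample dump recovers alice's and bob's passwords but not carol's long passphrase, and `same_stored_value("password")` is False because each salted record hashes differently.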