Attackers don’t need to know that. Any reasonable brute force attack will use multiple approaches, often in ascending order of complexity. For example:
Step 1: Only 4 digit numbers
Step 2: Only 6 digit numbers
Step 3: All number combinations that look like dates
Step 4: Only lower case letters
…
Step 17: All possible combinations of letters, numbers and symbols
–
EDIT: Since the question keeps popping up: why are attackers allowed unlimited tries, when the website or app or whatever usually locks you out after a certain number of attempts?
First of all, a short summary of how passwords are actually used:
When you create your account and enter a password, some fancy math is done on that password which results in a really big number. This big number is then stored in the database along with your username, like this:
AquaRegia: 54156138456156047798
SomeOtherGuy: 13259746130447797411
…
When you try to login, you enter your username and password. The same fancy math is used on the password you just entered, and the result is compared to the number that’s stored in the database. If it matches, you’re in!
Brute-forcing passwords is almost never done against the actual platform. Instead what happens is that the database of a website/app/etc. gets hacked, and someone manages to get a hold of this list of username + number pairs. Then without actually having to use the website/app/etc. they can just run the same fancy math on all possible passwords, and compare the results to the numbers from the database.
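The two paths this answer describes, the normal login check against the stored number and the offline attack against a leaked username + number list, as an added example that is not part of the original post. The post only says "some fancy math"; plain SHA-256 is assumed here purely to illustrate, and the usernames' passwords, the leaked database and the `slow_hash` function are all constructed for the example. The guess generator walks the same ascending-complexity steps as the list near the top of the answer (4-digit numbers, 6-digit numbers, date-like strings, lowercase letters).

```python
import hashlib
import itertools
import os
import string
from datetime import date, timedelta

# Added example, not code from the original post. The post only says "some fancy
# math"; SHA-256 is assumed here for illustration only. Real sites should use a
# slow, salted scheme (see slow_hash below), which is exactly what makes a leak
# less catastrophic.


def hash_password(password: str) -> int:
    """Turn a password into the 'really big number' the post describes."""
    return int.from_bytes(hashlib.sha256(password.encode("utf-8")).digest(), "big")


def verify_login(username: str, password: str, db: dict) -> bool:
    """What the website does: hash what you typed, compare to the stored number."""
    stored = db.get(username)
    return stored is not None and hash_password(password) == stored


# Constructed "leaked" database: username -> stored number (passwords made up).
LEAKED_DB = {
    "AquaRegia": hash_password("1987"),            # a 4-digit number
    "SomeOtherGuy": hash_password("1999-07-04"),   # looks like a date
    "ThirdUser": hash_password("cat"),             # lowercase letters
}


def candidate_passwords():
    """Guesses in ascending order of complexity, mirroring the post's step list."""
    # Step 1: every 4-digit number
    for n in range(10_000):
        yield f"{n:04d}"
    # Step 2: every 6-digit number
    for n in range(1_000_000):
        yield f"{n:06d}"
    # Step 3: strings that look like dates, in a few common layouts
    d = date(1900, 1, 1)
    while d.year <= 2025:
        yield d.strftime("%Y-%m-%d")
        yield d.strftime("%d%m%Y")
        yield d.strftime("%m%d%y")
        d += timedelta(days=1)
    # Step 4: lowercase letters, shortest first
    for length in range(1, 5):
        for combo in itertools.product(string.ascii_lowercase, repeat=length):
            yield "".join(combo)


def crack_leaked_db(db: dict, candidates=None) -> dict:
    """The offline attack: never calls verify_login, so no lockout applies.
    Returns username -> recovered password for every stored number a guess hit."""
    if candidates is None:
        candidates = candidate_passwords()
    # Invert the table so one hash computation is checked against every user.
    remaining = {}
    for user, number in db.items():
        remaining.setdefault(number, []).append(user)
    cracked = {}
    for guess in candidates:
        users = remaining.pop(hash_password(guess), None)
        if users:
            for user in users:
                cracked[user] = guess
            if not remaining:
                break
    return cracked


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Constructed contrast to hash_password: a per-user salt means one guess can
    no longer be checked against every user at once, and the iteration count
    makes each guess cost thousands of hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    print(verify_login("AquaRegia", "1987", LEAKED_DB))   # the online path
    print(crack_leaked_db(LEAKED_DB))                      # the offline path
    print(slow_hash("1987", os.urandom(16)).hex())
```

Running it cracks all three constructed accounts in a couple of seconds without a single request to the "site", which is the point of the answer: the lockout counter lives on the server, and the attacker never talks to the server. The `slow_hash` function is the practitioner's caveat: with a salt and a high iteration count the same guess list costs the attacker thousands of times more work per user.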