Comments

Pocok5 t1_iueja0t wrote

You don't crack passwords sitting in front of the login prompt. You use some exploit that lets you get into the backend of the system without the password then copy the whole ass database to your own computer. Or you do some social engineering and ask somebody who has a password that lets you get at the database to tell you. From there you can poke at the hashed (hopefully lmao) passwords at your leisure.

11

ZacQuicksilver t1_iuen4c3 wrote

In more detail:

While some password hacks do go through the front end of the system, that usually doesn't work because of the account timeouts. Instead, most password hacks happen when a hacker gets hold of a website's password database. Given the database, a hacker can brute-force password guesses on their own computer without needing to deal with the front end.

2

phoinex711 t1_iufmh3m wrote

That’s called a brute force method of hacking and it is rarely used. If you do want to use that method, switch your logic. Same password, but try a different account name. Eventually you find an account using that password.

3

LARRY_Xilo t1_iuejtr8 wrote

It depends. Usually by knowing the password before they type it in. Most hackers don't try to brute-force your password; they buy it from another hack of another site, get it from you through phishing attacks, or use social engineering to reset your password.

2

tobi437u t1_iuem32j wrote

There are a few ways to do this:

Use a botnet to launch the attack from multiple computers, so that each computer only tries a few times before being locked out.

Use a password dictionary and try common passwords first, so that the account is only locked out after trying a large number of passwords.

1

Miriada7 t1_iuemae2 wrote

When someone tries to hack your Google account, for example, they can phish your login and password out of you by having you click on a malicious link. Once they get access to your account, they can change recovery information (additional email addresses and phones) to theirs.

And, by having that info, the hacker can reset the password.

However, in recent days, it became much harder to change the recovery info without using the original phone/email for 2FA (2 factor authentication) steps during password reset.

But if the hacker doesn’t need prolonged access to the account, they can just take info they need and not bother to get access anymore.

1

eugenics035 t1_iuemf4u wrote

Depends on the system you are trying to break in. Sometimes tracking login attempts is tied to an IP address. In this case you basically have unlimited attempts by changing IPs.

1

cipher315 t1_iuemgsp wrote

You have a list of passwords for some place that has been compromised.

You hack shitsecurity.com because they have shit security and discover that the user badpassword@gmail.com has a sha256 encoded password of

ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

You then crack this at home. Using a dictionary attack you learn that the password is (password123)

You then start to try other websites: say goodsecurity.com with the login of badpassword@gmail.com and password123. Odds are the user reused their password for many websites and that if they have an account on goodsecurity.com you will get in.

1

RSA0 t1_iugzw3c wrote

Most hackers don't hack one specific account: they try to get any account. So instead of trying many passwords on the same account, they try the same password on many accounts. And because accounts have separate lockout counters, they are not getting triggered.

Of course, good websites also count attempts per IP, but a hacker can buy a botnet (a lot of computers infected with a virus) to get a lot of disposable IPs.

When hackers target a specific account, they usually come prepared with a short list of possible passwords - which they could get by hacking the same person on a different website with bad security. That's why experts recommend you to never use the same password on several websites - if one of them gets hacked, they'll come for all the others too.

1
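
Added example, not part of any comment in the thread: a defender's view of the point above that per-account lockout counters miss one-password-many-accounts guessing, while counting distinct failed accounts per source IP catches it. The log events, thresholds and function names are constructed for illustration, and the lockout counter is simplified (no reset on success or timeout).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed login events: (time, source IP, account, succeeded)."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    # One source, one failed guess on each of six accounts (spraying).
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        events.append((t0 + timedelta(seconds=10 * i), "203.0.113.5", user, False))
    # One source hammering a single account (classic guessing).
    for i in range(5):
        events.append((t0 + timedelta(seconds=5 * i), "198.51.100.7", "grace", False))
    # A normal user: one typo, then a successful login.
    events.append((t0, "192.0.2.10", "heidi", False))
    events.append((t0 + timedelta(seconds=20), "192.0.2.10", "heidi", True))
    return sorted(events)

def locked_accounts(events, threshold=5):
    """Accounts that a simple per-account failure counter would lock."""
    fails = Counter(user for _, _, user, ok in events if not ok)
    return {user for user, n in fails.items() if n >= threshold}

def spray_suspects(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs whose failures hit >= min_accounts distinct accounts in a window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    suspects = set()
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_accounts:
                suspects.add(ip)
                break
    return suspects

if __name__ == "__main__":
    ev = build_sample()
    print("locked by per-account counter:", locked_accounts(ev))
    print("flagged as spraying source:", spray_suspects(ev))
```

Guessing spread over many source IPs, as the comment also describes, would not be caught by this per-IP view; the same distinct-account count would have to be taken across all sources.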