So, we’ve seen how easy it is to write a script which can at least cycle through some passwords for a given username. You might say, “Ok, that’s an interesting contrived example. But can an attacker really guess a password?”

Here's a list of the 10,000 most common passwords. That’s a pretty good start for any attacker. Think about it—have you ever come across somebody who uses "password123" or "qwerty"? It might even be you!

If an attacker knew a few usernames for your system, and they ran a script to loop through these common passwords, they might get a hit.

Every username and password combination the server allows an attacker to try raises the odds of a breach, and the attacker does not need any particular account: one hit across all the usernames and passwords tried is enough.

This is a classic case of broken authentication, which is #2 (API2, Broken Authentication) on the OWASP API Security Top 10. If your application doesn't limit or slow down automated login attempts, you’re asking for trouble. Without safeguards such as failed-attempt counting, rate limiting or lockouts, your users' accounts are at significant risk.
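To make the safeguard concrete, here is an added example (not code from the original page) contrasting an unthrottled login with one that counts failures per username and temporarily locks the account. The user records, the short common-password list and the names `LoginThrottle`, `unthrottled_login` and `dictionary_attack` are all constructed for this illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict


# Constructed demo accounts: username -> (salt, PBKDF2 hash). Illustrative only;
# a production system would use bcrypt/scrypt/Argon2 and persistent storage.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {
    "alice": (b"salt-alice", _hash_password("qwerty", b"salt-alice")),
    "bob": (b"salt-bob", _hash_password("correct-horse-battery-staple", b"salt-bob")),
}

# Constructed stand-in for the first few entries of a common-password list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "password123", "letmein"]


def check_password(username: str, password: str) -> bool:
    """Verify a credential pair. Does the same hashing work for unknown users so
    response time does not reveal which usernames exist."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"dummy-salt")
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def unthrottled_login(username: str, password: str) -> str:
    """The unsafe baseline: every guess is checked, nothing is counted."""
    return "ok" if check_password(username, password) else "fail"


class LoginThrottle:
    """Counts consecutive failures per username and locks the account for a
    cooling-off period once the limit is hit. The clock is injectable so the
    lockout expiry can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"  # refuse without even checking the password
        self.locked_until.pop(username, None)
        if check_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
        return "fail"


def dictionary_attack(username: str, login) -> tuple:
    """Loop the common-password list against one username through the given
    login function. Returns (password_found_or_None, attempts_made)."""
    for attempts, guess in enumerate(COMMON_PASSWORDS, start=1):
        result = login(username, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(COMMON_PASSWORDS)


if __name__ == "__main__":
    print("no throttle  :", dictionary_attack("alice", unthrottled_login))
    print("with throttle:", dictionary_attack("alice", LoginThrottle(max_failures=3).login))
```

Against the unthrottled login the loop recovers alice's password on the fourth guess; with a three-failure lockout the fourth request is refused before the password is even checked. Two caveats a practitioner should keep in mind: a per-username lockout lets an attacker deliberately lock real users out, so keep the window short and pair it with per-source rate limiting and a slow password hash; and an attacker who sprays one common password across many usernames stays under any per-account counter, so the per-source and global limits are not optional.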

Passwords are often the weakest link in a system’s security:

Users reuse passwords across multiple sites, so a password leaked from one breach works as a ready-made guess everywhere else (credential stuffing).

Users choose easy-to-remember (and easy-to-guess) passwords, which is exactly what a common-password list captures.

Users rarely change their passwords, so a password exposed once stays valid for years.

All of these factors make brute force and dictionary attacks frighteningly effective.

So let’s get back to our question: Can an attacker really guess a password? Absolutely. And if you're not taking the right precautions, it could happen sooner than you think.