
Bruteforcing Passwords

For a very long time, bruteforce attacks have been used in cryptography to try the possible key combinations and cryptanalyze ciphers back to clear text. The same approach is used to crack password-based authentication over the web or in client-side applications. Attackers do this by trying all possible combinations of letters, numbers and special characters. In today's world, where computing power has no limits on the number of CPUs, GPUs, etc., with advanced systems, parallel processing and multi-core machines, attackers can achieve unlimited possibilities with their personal computers. In fact, most online attacks are not carried out from a single host. Attackers purchase or run their own command-and-control botnets, which obey them and bruteforce the targets with extraordinary computing power. The bad guys have a better chance of cracking passwords against offline software, where the client-side application has no monitoring capability, than against online applications that run on monitored and managed servers. Even in an online bruteforce attack, the attackers still have a chance to win if the server-side application does not check the number of tries/attempts.

Attackers have a tough time with this type of attack if they do not know the type of password computation (hash based: MD5 or SHA-1, function-based computation, etc.), the end IP address of the internal server, whether it allows direct public access, whether the server is in the DMZ, the number of attempts allowed, the length of the password, and other information that is essential for computing the possible list of entries. One might wonder how hard it would be if the attacker did not know the length of the password, which would increase the attacker's choice of password entries/tries exponentially. The strength of a password is based on its length, upper-case and lower-case letters, numbers, symbols, the ordering of letters and symbols, repetition of characters of the same type, etc. Randomness of characters is the most important thing when it comes to protection against bruteforcers, although being random alone is not enough. It is the combination of every single factor listed above that makes the password strong. Protecting oneself against bruteforcing can be done by implementing all of the following requirements:

  • Setting a minimum password length (8 or above).
  • Setting a maximum number of password tries/attempts (5 to 10).
  • Not allowing previously used passwords (for at least 3 consecutive changes).
  • Forcing password changes every 90 days.
  • Preventing users from using consecutive letters of the same case.
  • Preventing users from putting numbers at the beginning or end of the password.
  • Bruteforcing passwords (internally) and finding your own (and your users') weaknesses.
  • Ensuring that passwords aren't dictionary words.
  • And other unlisted things.
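The checks in the list above can be enforced at password-change and login time. The following is an added example, not code from PasswordAnalytics; the function names, the sample dictionary, the same-case run limit of 3 (the page gives no number) and the PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, os

MIN_LENGTH = 8            # page: 8 or above
MAX_ATTEMPTS = 5          # page: 5 to 10
HISTORY_DEPTH = 3         # page: at least 3 consecutive changes
MAX_SAME_CASE_RUN = 3     # assumption: the page states no number
DICTIONARY = {"password", "letmein", "dragon"}  # constructed sample list

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(history, password):
    # Store only a salted digest and keep the last HISTORY_DEPTH entries.
    salt = os.urandom(16)
    return (history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]

def policy_violations(password, history=()):
    # Return the list of rules the candidate password breaks (empty = accepted).
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password[:1].isdigit() or password[-1:].isdigit():
        problems.append("digit at start or end")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    run, prev = 0, None
    for ch in password:
        case = "U" if ch.isupper() else "L" if ch.islower() else None
        run = run + 1 if case and case == prev else (1 if case else 0)
        prev = case
        if run > MAX_SAME_CASE_RUN:
            problems.append("same-case run")
            break
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in history):
        problems.append("recently used")
    return problems

class AttemptLimiter:
    # Server-side counter of consecutive failed logins per account.
    def __init__(self):
        self.failures = {}

    def allowed(self, user):
        return self.failures.get(user, 0) < MAX_ATTEMPTS

    def record(self, user, success):
        # Call only after allowed() returned True; a success resets the count.
        self.failures[user] = 0 if success else self.failures.get(user, 0) + 1
```

The password history holds salted digests rather than clear-text passwords, so the reuse check does not itself become a store of old credentials.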

If you would like to go further into password guidelines, there is one great resource for everything, a one-stop shop: NIST's "Electronic Authentication Guideline", a.k.a. "NIST Special Publication 800-63". This guideline also discusses the entropy of a password further. There are many research articles on password entropy and its strengths and weaknesses. We did not want to repeat the same information in the PasswordAnalytics theory section.

Many articles discuss generic bruteforce vs. smart bruteforce activity: in smart bruteforce the attacker changes his options based on the context, while in generic bruteforce the attacker uses default options and settings. We at PasswordAnalytics believe that most attackers are really smart by default ["never underestimate the power of your enemy" – Sun Tzu, Art of War], and hence when we talk about bruteforce, we are talking about smart bruteforce activity by default. The time taken for this smart bruteforce activity to crack passwords varies on a case-by-case basis.
