
[–]TitsAndWhiskey 1 insightful - 1 fun (2 children)

Typically per user name

[–]binaryblob 1 insightful - 1 fun (1 child)

So, how are they going to stop a DoS attack that will lock out everyone?

[–]TitsAndWhiskey 1 insightful - 1 fun (0 children)

I’m not sure I understand. Like, how do they stop a single IP from trying hundreds of thousands of user names until each one gets locked out? There’s typically a limit there to how many you can try before you’re just denied access.

I’m not a hacker, but my understanding is that isn’t how password cracking happens. It doesn’t go through the UI.

When a company has a data breach that gives the attacker a list of user names and passwords, the passwords are hashed, i.e. translated from the plain text password to a seemingly random string. It would look something like:

binaryblob, qhbzxtwzl2
TitsAndWhiskey, haubedhhd24

Now hashing is one-way. Even if you know the hashing algorithm used, you can’t deduce the plaintext password from the hash.

When you log into the site, it hashes the plain text you’ve entered, then compares it to the hash stored in the DB for that user name. If it matches, you’re authenticated.

So “all” the hacker needs to do if he has that list of user/hash combos is to figure out which hash algo is being used, then try every single character combo to see what generated hash matches. This is called “brute force” and it takes a long, long time. Impossibly long once you get into more than 8 or 9 chars.

To speed things up, there are lists of common passwords, words, and number/letter replacements that typically appear in passwords.

AI should theoretically be able to make better guesses based on your user name, either through commonality with other, similar user names, or by scouring the web to make better guesses about what you might use as a password based on your web history.

Not sure how this particular tool is purported to be working, but that would be my theory of how to use AI to speed up password cracking.

But the point is that attempts aren’t limited by the UI at all, since the raw data is obtained via a data breach.
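The login check described in the comment above (hash what the user typed, compare it with the stored hash) written out as an added Python example; it is not code from anyone in this thread. It stores a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256) in a self-describing record, so that a leaked table cannot be matched against a precomputed list of common-password hashes and every offline guess costs the attacker the full iteration count. The record format, the user names and passwords, and the iteration count are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. A constructed value for this example;
# raising it makes every guess in an offline cracking run proportionally slower.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.

    Storing the parameters alongside the digest lets the verifier recompute
    the hash later and lets the work factor be raised for new records.
    The record layout ($pbkdf2-sha256$iter$salt$digest) is an assumption
    made for this example, not a standard the thread refers to.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        _, algo, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never authenticate
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: Dict[str, str],
                     iterations: int = ITERATIONS) -> Dict[str, str]:
    """Build the kind of user/hash table the comment describes, storing only records."""
    return {user: hash_password(pw, iterations=iterations)
            for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts, echoing the two names used in the thread.
    table = build_user_table({"binaryblob": "correct horse battery",
                              "TitsAndWhiskey": "hunter2"})
    for user, record in table.items():
        print(user, record)
    print(verify_password("hunter2", table["TitsAndWhiskey"]))       # True
    print(verify_password("hunter3", table["TitsAndWhiskey"]))       # False
    # Same password, two different salts: the stored records differ, so one
    # precomputed hash of a common password cannot be matched against every user.
    print(hash_password("hunter2") != hash_password("hunter2"))      # True
```

Two points worth noting: the salt defeats the shared-wordlist shortcut the comment mentions (each user's hash has to be attacked separately), and the iteration count is what turns "try every combination" from fast into expensive, which is why a fast unsalted hash such as plain MD5 or SHA-1 is the wrong choice for stored passwords.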