I'm not an expert but I have an IQ over 9000.
How I might attack a password.
A. List attack
I will get a list of "common passwords" derived from compromised user password list (the user account you made in ten seconds, 5 month ago because some Jew webpage made you).
> "12345678" and "nopassword".
B. low entropy Brute force of the password list
Common passwords with one character variance, common passwords with 2 character variance.
> 1234s6789, Nopassword1
The site made you add a symbol and a number, I'm so scared.
It's only if you got this far that any real effort has to be made, honestly if you're not special I will just give up and find a stupider person.
C. dictionary attack
Instead of guessing gibberish I will use whole words.
Long passwords are often made up of whole words and at this point I know your password is fairly long.
There are far more words in any given language than characters (this BTFO's Chinese users incidentally).
Many common phrases will already have been covered in A. "common passwords"
I start to assume things like "If there's a 'Q', the following character is 'u'"
The way this works technically a word and a phrase based attack aren't really separate
> hitlerdidnothingwrong
> therighttobeararmsshallnotbeinfrienged
If this didn't work you're a CHAD with a password like
zgn$%w5jkgkn994 written under your mouse pad like my Grandma.
That's when we get into hash collisions, pre-computed hash values, hoping other elements (like servers storing plaintext password outputs) makes our life easier