Brute Force vs. Limited Retries

Here’s a very general question. Hackers sometimes crack a password with a brute force attack using program that tries millions of character combinations until it comes upon the correct password.

But many apps/web sites only allow a limited number of retries and/or enforce a delay between retries, so how do the hackers get around that?

Thanks.

They either try to bruteforce slowly enough not to trigger such delays.
Or they obtain the encrypted vaults or just the encrypted keys and bruteforce them offline (what seems to be happening with LastPass users)

Depending on the site’s implementation, and using an automated process:

1. They wait / work with the site’s rules to try the passwords
2. Distributed attacks to get around IP filtering
3. Different sites have different security setups. Some don’t have rate-limiting, some may not do IP filtering, some may not deal with distributed attacks. The site zxcvbn tests estimates unthrottled attack at 10 passwords/sec and throttled attack at 100/hour.

By the questions you get on different forums/reddits, though, on-line brute-forcing may be uncommon (for consumers). Best to stick with credential stuffings, or you know something more about the person and try their passwords.