A credential brute force attack is one in which the attacker tries many passwords in the hope of eventually guessing the right one. If the attacker's wordlist dictionary is exhausted, the cracking tool can then try variations of the passwords by substituting numbers or special characters for letters. It can also simply try combinations of characters until the password is found. If the password is used to create an encryption key, the attacker could alternatively try to guess the key. An example of this is a Wi-Fi password that is used to create a hexadecimal-based numeric key. The user need not guess the original password, but rather use other ways to extract the key and use it to access the system. If the password is short, such as a 4-digit PIN, an automated tool could go through all possible combinations in minutes. The longer and more complex the password, the harder it will be to break. If it is not practical to try to crack the password, the attacker might instead steal the password hash and supply that in place of the password itself.

Note: For more information about password strength, visit https://howsecureismypassword.net/