by doix 934 days ago
When a 12-character password gets brute-forced, my initial reaction is to blame the system for allowing so many password attempts!

Like imagine how many failed attempts must've happened for a 12 character password to get bruteforced. Alarms should have been raised way before it became an issue.

2 comments

The password doesn't get brute forced via an API. The threat model would be more like your salted and hashed passwords got exported and now they can be brute forced. A 12 character password in the DB can be brute forced in seconds or minutes. If your password is strong it will take years or millennia.

That's what haveibeenpwned.com is about. It tells you if your email is in one of these database lists out in the wild. If it is, assume your password will eventually be discovered.

What if it was a crappy 12 character password like 123456789012 and got bruteforced in 2 tries?

Also, at one point it was popular to use l33t speak for passwords so there are many crappy 12+ char l33t passwords floating around that are trivial to guess, no brute forcing required.
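The thread's points, as an added example that is not code from any of the commenters: rate-limited online guessing versus offline cracking of an exported hash table, and why a 12-character password can still fall in a couple of tries when it is a digit sequence or a l33t-spelled dictionary word. The guess rates and the tiny wordlist are constructed assumptions for illustration, not measurements.

```python
import math
import re

# Constructed guess rates (assumptions for illustration, not measurements):
# a rate-limited online login form versus offline cracking of an exported
# hash table, with a fast unsalted hash or a deliberately slow one.
RATES = {
    "online_rate_limited": 10.0,
    "offline_fast_hash": 1e10,   # e.g. MD5/SHA-1 on a GPU rig
    "offline_slow_hash": 1e5,    # e.g. bcrypt/scrypt/Argon2 at a sane cost factor
}
# Tiny constructed wordlist standing in for the real dictionaries crackers use.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou", "monkey"}
# Common l33t substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@4!1|30$5+7", "aaiiieosstt")
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]

def weak_reason(pw: str):
    """Return why a password is trivially guessable, or None if no pattern matched."""
    if len(set(pw)) == 1:
        return "single repeated character"
    if pw.isdigit() and all((int(b) - int(a)) % 10 == 1 for a, b in zip(pw, pw[1:])):
        return "sequential digits"          # catches 123456789012 in one rule
    core = re.sub(r"[^A-Za-z@!$|]+$", "", pw)   # drop the usual trailing '1234' / '!'
    if core.lower().translate(LEET) in WEAK_WORDS:
        return "dictionary word with l33t substitutions"
    return None

def keyspace_bits(pw: str) -> float:
    """Upper-bound entropy, assuming a random choice over the character classes used."""
    alphabet = sum(size for pred, size in CLASSES if any(pred(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        alphabet += 33   # printable ASCII symbols
    return len(pw) * math.log2(alphabet)

def assess(pw: str) -> dict:
    """Weak-pattern verdict plus expected time (half the keyspace) at each guess rate."""
    reason = weak_reason(pw)
    bits = keyspace_bits(pw)
    seconds = {name: (2 ** bits) / 2 / rate for name, rate in RATES.items()}
    return {"reason": reason, "bits": round(bits, 1), "seconds": seconds}

if __name__ == "__main__":
    for candidate in ("123456789012", "P@55w0rd1234", "kqzvmxwpdlrb", "x7Q#mL2p!vR9"):
        r = assess(candidate)
        years = {k: round(v / 31_557_600, 2) for k, v in r["seconds"].items()}
        print(f"{candidate!r}: reason={r['reason']} bits={r['bits']} years={years}")
```

A weak-pattern hit means the length figure is meaningless: the password falls to a wordlist or rule before any keyspace search starts, which is the situation the haveibeenpwned check is meant to surface.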