Password-guessing attacks can regularly be executed regardless of the actual authentication protocol in place. Manual guessing is always possible, of course, and automated client software exists to do password guessing against the most used protocols.
Password-guessing attacks can be done via both manual and automated means. Manual password guessing is slow, but we find human intuition frequently defeats automated tools, especially when customized error pages are used in response to failed forms-based login attempts.
With an automated tool, a whole dictionary of username/password guesses can be thrown at an application much more quickly than human hands can type them. A basic search engine query will show that several of these dictionaries are widely available online, including tailored dictionaries that focus on certain kinds of applications, hardware, or devices.
There are two basic methods to automated password guessing: depth first and breadth first. Depth-first algorithms try all the password combinations for a username before trying the next username. This approach is likely to cause account lockout very quickly because hundreds of authentication attempts will be made against the same account in a short amount of time. Breadth-first algorithms try the combination of different usernames for the same password. Because the authentication attempts are not made consecutively against the same account, the breadth-first method is less likely to trigger an application’s account lockout mechanism.