The existence of 6-digit OTP wordlists enables several attack vectors. If an attacker already has a username/password (from a previous breach) but MFA is enabled, they can attempt to brute-force the 6-digit OTP while it is still valid (typically 30–300 seconds). With parallel requests, a significant success rate is possible if the system does not limit attempts.

Attackers rarely use the full 1,000,000-entry list. Instead, they use smart wordlists based on human psychology.
| Countermeasure | Effect on Wordlist Attack |
|----------------|---------------------------|
| Rate limiting (e.g., 3 attempts per 30 seconds) | Renders full wordlist infeasible |
| Account lockout after 5–10 failed OTP attempts | Blocks further tries for that user |
| Short OTP validity (30–60 seconds) | Reduces brute-force window drastically |
| CAPTCHA after N failures | Prevents automation |
| Time-based OTP (TOTP) with 30-second windows | Even if code is guessed, it expires quickly |
| Increasing delays (exponential backoff) | Slows down progressive guessing |
| Monitor and block IPs making many attempts | Disables distributed brute-force |
Without these, a 6-digit OTP wordlist is a serious threat.