Bruteforcing is only really done with the password hashes in hand. Attacks on live systems are done with credential stuffing.