Why should you avoid password guessing attacks in some contexts?

Study for the SANS560 GIAC Penetration Tester (GPEN) test with flashcards and multiple-choice questions; each question has hints and an explanation. Get ready for your exam!

Multiple Choice

Why should you avoid password guessing attacks in some contexts?

Explanation:
In a penetration test, the credibility and relevance of the results depend on choosing techniques that fit the client’s environment and expectations. Online password guessing can look like a basic or toy attack to some stakeholders, so even when it succeeds they may not regard the result as meaningful or as reflecting real-world risk. That lowers the perceived value of the engagement and makes the findings seem less credible or actionable, even when the passwords really were weak. The takeaway is to tailor tests so that they demonstrate genuine risk in the client’s context, and to present outcomes in a way that conveys realistic attacker behaviour and impact.

The other options do not hold universally. Password guessing can trigger account lockouts, but it does not inevitably lock out every account: a tester who knows the lockout threshold and observation window can keep the failed attempts per account below the threshold. Its legality depends on written authorization and on the scope and jurisdiction of the engagement, not on the technique being inherently illegal everywhere. It also does not necessarily reveal excessive information about the password policy.
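The lockout caveat is the one distractor with an operational check behind it. The Python model below is an added example written for this page, not code from Passetra or the GPEN course material. It assumes a Windows-style lockout policy (failure threshold, observation window after which the failure counter resets, and lockout duration), uses constructed accounts and guesses, and advances a simulated clock instead of sleeping. It shows that an unpaced guess loop locks an account, while a loop paced to the policy recovers the same weak passwords without locking anything.

```python
"""Account-lockout model for online password guessing (added example).

Compares an untuned guess loop with one paced to stay below a Windows-style
lockout threshold. All accounts, passwords and timings are constructed.
"""
from dataclasses import dataclass

# Constructed sample data: two of the three accounts use guessable passwords.
USERS = {"alice": "Spring2024!", "bob": "Welcome1", "carol": "x7#Qp2!vLm9z"}
GUESSES = ["Password1", "Welcome1", "Spring2024!", "Summer2024!", "Company123"]


@dataclass
class LockoutPolicy:
    threshold: int  # failed attempts that lock the account (0 disables lockout)
    window: int     # seconds after the last failure before the counter resets
    duration: int   # seconds the account stays locked


@dataclass
class Account:
    password: str
    failures: int = 0
    last_failure: float = float("-inf")
    locked_until: float = float("-inf")


class Directory:
    """Minimal authentication backend that enforces the lockout policy."""

    def __init__(self, policy, creds):
        self.policy = policy
        self.accounts = {u: Account(p) for u, p in creds.items()}

    def authenticate(self, user, password, now):
        acct = self.accounts[user]
        if now < acct.locked_until:
            return "locked"
        if now - acct.last_failure > self.policy.window:
            acct.failures = 0  # observation window elapsed, counter resets
        if password == acct.password:
            acct.failures = 0
            return "success"
        acct.failures += 1
        acct.last_failure = now
        if self.policy.threshold and acct.failures >= self.policy.threshold:
            acct.locked_until = now + self.policy.duration
            acct.failures = 0
            return "lockout"
        return "fail"

    def locked_users(self, now):
        return sorted(u for u, a in self.accounts.items() if now < a.locked_until)


def spray(directory, guesses, pace_to_policy, start=0.0, per_attempt=1.0):
    """Try each guess against every user, one password per round.

    With pace_to_policy=True the loop waits out the observation window after
    threshold-1 rounds, so no account ever reaches the threshold inside one
    window. Returns (credentials found, accounts locked, final clock).
    """
    policy = directory.policy
    now = start
    found = {}
    rounds_in_window = 0
    for guess in guesses:
        if pace_to_policy and policy.threshold and rounds_in_window >= policy.threshold - 1:
            now += policy.window + 1  # let every failure counter reset
            rounds_in_window = 0
        for user in directory.accounts:
            if user in found:
                continue
            if directory.authenticate(user, guess, now) == "success":
                found[user] = guess
            now += per_attempt
        rounds_in_window += 1
    return found, directory.locked_users(now), now


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window=1800, duration=900)
    for paced in (False, True):
        found, locked, clock = spray(Directory(policy, USERS), GUESSES, paced)
        print(f"paced={paced}: found={found} locked={locked} elapsed={clock:.0f}s")
```

The unpaced run locks carol on the third failed guess and only then moves on; the paced run takes roughly an hour of simulated time but finds the same two weak passwords with no lockouts. On a real engagement the threshold and window come from the client's policy (for Active Directory, `net accounts` or the Default Domain Policy), and the pacing margin should be generous because the tester's clock and the server's are not the same.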
