It depends on the context, if I have a hash it’s trivial to crack dictionaryword29, if I’m brute forcing a VPN/RDP endpoint, generally fail2ban are hard enough to block mass attempts (an AD default, iirc), the latter is usually solved by phishing which has the added benefit of MFA capture also.

Pentester here, to clear any dubious assumptions.