Brute forcing is so much more possible now-a-days due to GPUs, but Brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty, it gives you a couple attempts to realize "oh wait I'm typing the wrong password, not typing it wrong, then a couple more to figure out which password you used)
Bruteforcing won't work that way, just post sending random values till something matches, this is too limited due to traffic. MD5 Hashes have to be leaked first, they get brutefroced and THEN the plain passwords can be used to login
