"Andrea Matwyshyn, a professor of law and computer science at Northeastern University, said that unless the owner or operator of a system specifically authorizes an attempt to guess a password, anyone who does so and enters that system could be charged under the CFAA. It wouldn't matter whether the password was obtained through insider knowledge or via a brute force attack, she said."
The Center for Internet and Society at Stanford Law School is a leader in the study of the law and policy around the Internet and other emerging technologies.