For this recipe, you will need the common_pass.txt wordlist from wfuzz:

• https://github.com/xmendez/wfuzz
  • Path: wordlists | other | common_pass.txt

Using OWASP Mutillidae II, we will determine whether the application provides information leakage based on the response time from forced logins.