This series of posts [1, 2] from SkullSecurity is really enlightening.

I understand that the main error here is using a small seed. I am not an expert, but I understand that the number of possible passwords (the universe) directly depends on the seed used. Therefore, if we use 1,000,000 as a seed, we will have only one million passwords, which can easily be pre-calculated (as pairs of password and MD5 hash) and used in an offline attack with John the Ripper.
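The seed-size point above, as an added example (not code from the SkullSecurity posts): a hypothetical generator, `weak_password`, whose only randomness is a small integer seed can emit at most as many passwords as there are seeds, whatever its alphabet and length suggest. The alphabet, length and all function names are assumptions; `strong_password` is the hardened form that draws from the OS CSPRNG.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed policy)
LENGTH = 8                                       # assumed password length


def weak_password(seed: int) -> str:
    """Hypothetical weak generator: all randomness comes from one small seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_password() -> str:
    """Hardened form: each character comes from the OS CSPRNG, no seed involved."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def universe_size(seed_space: int) -> int:
    """Count the distinct passwords the weak generator can ever emit."""
    return len({weak_password(s) for s in range(seed_space)})


def report(seed_space: int) -> dict:
    """Compare the real keyspace (bounded by the seed) with the nominal one."""
    distinct = universe_size(seed_space)
    return {
        "seed_space": seed_space,
        "distinct_passwords": distinct,
        "effective_bits": round(math.log2(distinct), 1),
        "nominal_bits": round(LENGTH * math.log2(len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    # One million seeds, as in the first case discussed above.
    print(report(1_000_000))
    print(strong_password())
```

Auditing a generator this way shows the gap between what the password policy implies and what the seed actually allows.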

The attack in the second post is fairly similar, but it ends up with a really small universe of only 15,993 possible passwords, due to a really bad implementation, which even permits an easy and successful online attack.

The attack consists of grabbing the HTML output corresponding to a failed login and then comparing the HTML output of each brute-force attempt against it. If the md5sum does not match, the password is valid.