Image: A cesspit with an open iron gate.
You jump into the cesspit holding your nose as you swim towards the gate. As you reach the gate you try every possible combination, using 3 digits, until the lock says click. The gate opens and you enter into the lower part of the castle dungeon.
Attacks should be prevented from being able to obtain valid account credentials by using the application in an unintended manner. This includes credential cracking (identifying valid login credentials by trying different values for usernames and/or passwords) and credential stuffing (mass log in attempts used to verify the validity of stolen username/password pairs).
You may mistakingly assume that you don't need strong authentication due to the fact that the functionality is hidden, inaccessible or in this case, protected by a stinking cesspit, but a good hacker always find his way around these type of barriers.