Pentest result from HYDRA-THC

A finding I made today was that, if you were to use hydra to crack an SMTP email account, the account would generally be logged out and would require verification if he were to log in to his IM or email account. This made me wonder what would happen if hydra actually got the correct password but, due to verification, did not show a success. What I did was freeze my account by sending thousands of invalid logins to my email account via hydra. After that, I verified that I was not able to log in to my email account, as it required verification. Without entering the verification code or logging in, I continued hydra, but with my correct password this time. What I found out was that hydra had successfully gotten my email's password. My finding is that you do not need to be worried about the verification code at all.
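A defender-side check for the case the post describes, as an added example that is not part of the original post: it flags a successful SMTP AUTH that follows a burst of failed attempts against the same account. The log format, accounts, addresses, threshold and window are constructed assumptions; a real mail server's log needs its own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp account source result".
SAMPLE_LOG = """\
2024-01-01T09:00:00 carol@example.test 198.51.100.7 FAIL
2024-01-01T09:00:01 carol@example.test 198.51.100.7 FAIL
2024-01-01T09:00:02 carol@example.test 198.51.100.7 FAIL
2024-01-01T09:00:03 carol@example.test 198.51.100.7 FAIL
2024-01-01T09:00:04 carol@example.test 198.51.100.7 FAIL
2024-01-01T10:00:00 alice@example.test 203.0.113.5 FAIL
2024-01-01T10:00:01 alice@example.test 203.0.113.5 FAIL
2024-01-01T10:00:02 alice@example.test 203.0.113.5 FAIL
2024-01-01T10:00:03 alice@example.test 203.0.113.5 FAIL
2024-01-01T10:00:04 alice@example.test 203.0.113.5 FAIL
2024-01-01T10:00:30 alice@example.test 203.0.113.5 OK
2024-01-01T10:01:00 bob@example.test 192.0.2.9 FAIL
2024-01-01T10:01:10 bob@example.test 192.0.2.9 OK
2024-01-01T10:05:00 carol@example.test 198.51.100.7 OK
"""

def success_after_burst(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (timestamp, account, source, prior_failures) for every successful
    SMTP AUTH preceded by >= threshold failures for that account inside window."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts_text, account, source, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        recent = failures[account]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
        elif result == "OK":
            if len(recent) >= threshold:
                alerts.append((ts.isoformat(), account, source, len(recent)))
            recent.clear()          # a success resets the account's counter
    return alerts

if __name__ == "__main__":
    for alert in success_after_burst(SAMPLE_LOG.splitlines()):
        print("success after failure burst:", alert)
```

An alert from this check is a reason to force a password reset and review the session, since the successful login may be the attacker's rather than the owner's.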


