The invention provides a website login brute-force cracking method and system capable of recognizing verification codes. The method comprises the following steps: 1, extracting the information required for website login through static webpage analysis; 2, intercepting, through dynamic webpage analysis, the login data packet that the client browser submits to the website server; 3, reading a set of user names and passwords from a brute-force cracking dictionary; 4, obtaining a verification code picture; 5, recognizing the obtained verification code picture; 6, filling the corresponding parameters of the login data packet intercepted in step 2 with the verification code recognition result and the user names and passwords read in step 3, and submitting the modified login data packet to the website server; and 7, analyzing the website server's response: if it indicates that the verification code is wrong, returning to step 4; if it indicates that the user name or the password is wrong, returning to step 3; and if it indicates that the login succeeded, recording the user name and the password with which the login succeeded. With this method and system, a website whose login function uses a verification code can be subjected to automated security testing.
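Seen from the server side, the loop in steps 3 to 7 leaves a recognizable trace: one client keeps fetching verification codes and submitting logins that pass the code check but fail on credentials. The following detection sketch is an added example, not part of the patent; the key=value log format, the field names, the sample events and the threshold of 3 are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical key=value auth-log format.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.7 event=captcha_fetch
2024-05-01T10:00:01Z ip=203.0.113.7 event=login user=admin result=bad_captcha
2024-05-01T10:00:02Z ip=203.0.113.7 event=captcha_fetch
2024-05-01T10:00:03Z ip=203.0.113.7 event=login user=admin result=bad_credentials
2024-05-01T10:00:04Z ip=203.0.113.7 event=captcha_fetch
2024-05-01T10:00:05Z ip=203.0.113.7 event=login user=admin result=bad_credentials
2024-05-01T10:00:06Z ip=203.0.113.7 event=captcha_fetch
2024-05-01T10:00:07Z ip=203.0.113.7 event=login user=admin result=bad_credentials
2024-05-01T10:00:08Z ip=203.0.113.7 event=captcha_fetch
2024-05-01T10:00:09Z ip=203.0.113.7 event=login user=admin result=success
2024-05-01T10:05:00Z ip=198.51.100.20 event=captcha_fetch
2024-05-01T10:05:20Z ip=198.51.100.20 event=login user=bob result=bad_credentials
2024-05-01T10:06:00Z ip=198.51.100.20 event=captcha_fetch
2024-05-01T10:06:15Z ip=198.51.100.20 event=login user=bob result=success
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def find_guessing_clients(log_text, max_credential_failures=3):
    """Return per-IP counters for clients whose logins keep passing the
    verification code but failing on credentials (the step 7 -> step 3 loop)."""
    stats = defaultdict(lambda: {"captcha_fetch": 0, "bad_captcha": 0,
                                 "bad_credentials": 0, "accounts_to_reset": []})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "ip" not in fields:
            continue  # skip malformed lines
        s = stats[fields["ip"]]
        if fields.get("event") == "captcha_fetch":
            s["captcha_fetch"] += 1
        elif fields.get("event") == "login":
            result = fields.get("result")
            if result in ("bad_captcha", "bad_credentials"):
                s[result] += 1
            elif result == "success" and s["bad_credentials"] >= max_credential_failures:
                # A success after a run of credential failures: treat as guessed.
                s["accounts_to_reset"].append(fields.get("user"))
    return {ip: s for ip, s in stats.items()
            if s["bad_credentials"] >= max_credential_failures}

if __name__ == "__main__":
    for ip, s in find_guessing_clients(SAMPLE_LOG).items():
        print(ip, s)
```

Because the counter keys on credential failures rather than verification-code failures, it still fires when the code is recognized correctly every time, which is the case this method is built to achieve.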