Daylila
How cybersecurity works

Lesson 3 of 13

Why passwords are the weak link

Explain why most passwords fail, and what actually makes one strong.

01 · Learn · the idea

Here is a password that looks strong: P@ssw0rd!. Upper case, lower case, a number, a symbol — it ticks every box a website nags you about. A real attacker would crack it in well under a second. Meanwhile correct-horse-battery-staple, four plain words a child could read, would hold out for days against the same attacker. Something about the advice we have all been given is badly wrong, and untangling it tells you why the password is the weakest link in security.

Attackers don’t guess letter by letter

The first myth to drop: that a cracker sits there trying aaaaaa, aaaaab, aaaaac, grinding through every combination. They don’t start there. They start with what already works.

There are public lists of billions of real passwords, leaked from past breaches. A cracking tool tries those first. Then it tries dictionary words. Then dictionary words with the “clever” twists everyone uses — a capital at the front, a number at the end, a→@, o→0. P@ssw0rd! is not a random string to a cracker. It is “password” with the exact substitutions on the very first page of the rulebook. The complexity is theatre; the pattern is predictable, and predictable is the opposite of safe.

Genuine brute force — trying every possible combination — is the attacker’s last resort, the slow path used only when the fast paths fail. So a strong password is not one that ticks the symbol boxes. It is one with no pattern to find.

When guessing does happen, length wins

Suppose there is no pattern, and the attacker has to try combinations blindly. Now it becomes arithmetic, and the arithmetic is brutal in your favour — if you give it length.

Every character you add multiplies the number of possibilities. A 6-letter lowercase password has about 309 million combinations. Sounds huge. A modern cracking rig tests around 10 billion guesses a second, so it falls in a thirtieth of a second. Push to 8 lowercase letters and you get 209 billion combinations — about 20 seconds. Add symbols and mixed case to those 8 characters and you reach roughly 6.6 quadrillion — about a week.

Now try words instead. Pick four random, unrelated words from a list of about 7,776, and you have 7,776 to the power of four — roughly 3.7 quadrillion combinations, a few days to crack, and you can actually remember it. Make it five words and it jumps to about 90 years. Six words: over 700,000 years. Each extra word multiplies the difficulty by nearly eight thousand, and costs you nothing but a moment’s memory.

The lesson is stark. Twelve plain lowercase letters (about four months to crack) beat eight tortured mixed characters (about a week). Length beats symbol-soup, every time. You will feel this directly in the lab.

The two real killers: reuse and leaks

But raw guessing is not how most passwords actually fall. Two everyday habits do far more damage.

The first is reuse. Most people use the same password, or small variations, across many sites. So when one weak site is breached — and small sites are breached constantly — the attacker doesn’t just have that account. They take the leaked email and password and try them on your bank, your email, your shopping. This is called credential stuffing, and it works because the password was a master key, not a single lock.

The second is the leak itself. Once your exact password sits in a breach database, its strength is irrelevant. A 6-word masterpiece that has leaked is cracked in zero time, because nobody has to crack it — they already have it. Strength protects against guessing. It does nothing against a password that has simply been stolen and shared.
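To make the rulebook order, the arithmetic and the leak point concrete, here is a small strength estimator written for this lesson (it is an added example, not course material or any real cracking tool). It checks a password in the same order an attacker works: leaked lists first, then dictionary words with the usual twists, then wordlist passphrases, then blind brute force, and reports the worst-case time at the lesson's 10 billion guesses per second. The leaked set, the dictionary and the dictionary/rulebook sizes are constructed assumptions.

```python
import string

# Constructed sample data, standing in for the billions of entries a real
# cracking tool loads: a few leaked passwords (including one long passphrase
# that has "leaked") and a tiny dictionary. The sizes below are assumptions.
LEAKED = {"123456", "qwerty", "letmein", "velvet-otter-lantern-quartz-meadow-comet"}
DICTIONARY = {"password", "dragon", "monkey", "correct", "horse", "battery", "staple"}
DICTIONARY_SIZE = 1_000_000          # assumed size of a real cracking dictionary
MANGLING_RULES = 1_000               # assumed number of "clever twist" rules per word
WORDLIST_SIZE = 7_776                # diceware-style list size from the lesson
GUESSES_PER_SECOND = 10_000_000_000  # the 10 billion guesses/s rig from the lesson
UNLEET = str.maketrans("@0$3", "aoes")  # undo a@, o0, s$, e3

def normalise(pw):
    """Reverse the twists a rulebook tries first: trailing digits/symbols, case, leet swaps."""
    return pw.rstrip(string.digits + string.punctuation).lower().translate(UNLEET)

def charset_size(pw):
    """Alphabet an attacker must cover to brute-force this password blindly."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    return sum(n for test, n in classes if any(test(c) for c in pw))

def guesses_needed(pw):
    """Name of the cheapest attack that reaches pw and its worst-case guess count."""
    if pw in LEAKED:
        return "leaked", 1                      # nothing to crack: it is already known
    attacks = {"brute force": charset_size(pw) ** len(pw)}
    if normalise(pw) in DICTIONARY:
        attacks["dictionary+twists"] = DICTIONARY_SIZE * MANGLING_RULES
    words = pw.split("-")
    if len(words) > 1 and all(w in DICTIONARY for w in words):
        attacks["wordlist"] = WORDLIST_SIZE ** len(words)
    attack = min(attacks, key=attacks.get)      # attackers take the fast path first
    return attack, attacks[attack]

def crack_time(pw, rate=GUESSES_PER_SECOND):
    """(attack name, worst-case seconds) at the given guess rate."""
    attack, guesses = guesses_needed(pw)
    return attack, guesses / rate

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd!", "xkqzvbnm", "correct-horse-battery-staple",
               "correct-horse-battery-staple-dragon", "velvet-otter-lantern-quartz-meadow-comet"):
        attack, seconds = crack_time(pw)
        print(f"{pw:42} {attack:18} {human(seconds)}")
```

Run it and the table reproduces the lesson's figures: P@ssw0rd! falls to the dictionary path in a fraction of a second, eight random lowercase letters take about 20 seconds, four words take days and five take decades, while the leaked six-word passphrase costs the attacker a single guess.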

What actually makes a password strong

Put it together and the advice inverts. A strong password is long, unique to that one site, and unpredictable — not a short string of symbol theatre.

Long and unpredictable means a passphrase: several unrelated words. Unique means never reused, so one breach can’t open every other account. But nobody can remember a different long passphrase for a hundred sites — which is exactly what a password manager is for: it invents a long random password for each site and remembers them, so you only memorise one strong passphrase to open it. The hard problem — uniqueness at scale — gets handed to a tool.

On the whole

The password is the oldest and weakest form of proof, the “something you know” from the last lesson — and it carries far more weight than it can bear. It can be guessed if it’s predictable, stolen in a breach, reused into a master key, or simply phished out of you.

That fragility is not a flaw you can fully fix; it is the reason the rest of security exists. Knowing it, you stop performing complexity for the website’s meter and start doing the two things that matter — make it long and unique, and never lean your whole life on it alone. Which is precisely why the next lessons are about what happens when the password fails anyway, because sooner or later, for almost everyone, one does.

02 · Try · the lab

03 · Check · quick quiz

1. Why does 'P@ssw0rd!' fall in under a second despite having upper case, a number, and a symbol?

  • Symbols actually make passwords weaker
  • It's a dictionary word with the exact predictable substitutions crackers try first — the complexity is a pattern, not randomness
  • It's too short to be a real password
  • Websites secretly store it in plain text
Answer

It's a dictionary word with the exact predictable substitutions crackers try first — the complexity is a pattern, not randomness — Crackers start with known passwords and dictionary words plus common twists (capital first, number last, a→@, o→0). 'P@ssw0rd!' is 'password' run through page one of that rulebook. Predictable beats complex-looking every time.

2. Which of these is the strongest against blind guessing?

  • An 8-character password with mixed case, numbers, and symbols (~a week to crack)
  • 12 plain lowercase letters (~4 months to crack)
  • Five random unrelated words (~90 years to crack)
  • A 6-letter password with a symbol on the end
Answer

Five random unrelated words (~90 years to crack) — Each extra word multiplies the possibilities by nearly 8,000. Five words reach about 90 years, far past the 12-letter (~4 months) and the symbol-stuffed 8-character (~a week). Length and word-count beat symbol-soup.

3. You reuse one strong password across ten sites. A small forum you forgot about gets breached. What's the danger?

  • Nothing — your password was strong, so it's safe
  • Only the forum account is at risk
  • Attackers take the leaked email and password and try them on your bank, email, and shops — credential stuffing
  • The forum will reset all your other passwords for you
Answer

Attackers take the leaked email and password and try them on your bank, email, and shops — credential stuffing — Once a password leaks, its strength is irrelevant — nobody has to crack it. Reuse turns it into a master key: attackers replay the leaked pair across your other accounts. Uniqueness per site is what contains the damage.

4. Nobody can memorise a different long passphrase for a hundred sites. What solves the uniqueness problem?

  • Writing one clever password and reusing it everywhere
  • A password manager that generates and stores a unique long password per site, so you remember just one
  • Adding a different number to the end of the same base password
  • Changing all your passwords every week
Answer

A password manager that generates and stores a unique long password per site, so you remember just one — A password manager invents a unique strong password for every site and remembers them all, so you only memorise the one passphrase that opens it. The hard part — uniqueness at scale — is handed to a tool.