Topic 07

Passwords and Why They're Weak

Concept

A password is the oldest way to prove who you are online: a secret that only you are supposed to know. You type it in, the system checks it, and if it matches, the system trusts that you really are you.

The whole idea rests on one fragile assumption — that the secret stays secret. In practice it rarely does. Understanding why passwords are weak explains almost every account takeover Olivia could ever suffer.

Picture a house key. Now picture that Olivia made a copy of that one key and handed an identical copy to every shop she visits. The day any single shop is robbed, a working copy of her key is loose in the world — and it opens her front door. That is the trouble with passwords, and the rest of this page is really just that one picture in detail.

One leaked site, many open doors — how a reused password spreads

  • A shop is breached: Olivia's password leaks.
  • The attacker tries it elsewhere: email, bank, other shops.
  • Every reused account opens: same secret, same key.

What a Password Really Is

A password is a shared secret. Olivia knows it, and the system she is logging into keeps a way to check it. As long as no one else learns it, only Olivia can prove she is Olivia.

That word "shared" is the catch. The secret is not held by Olivia alone — the system holds a check for it too, and Olivia has to type it out every time she logs in. Each place the secret travels, and each place it is stored, is one more place it could escape from.

So a password's security does not come from being clever. It comes entirely from staying unknown to everyone except its owner. The moment a second person learns it, it stops protecting anything.
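The "check" the system keeps, as an added example that is not part of the course page: the site stores a salted PBKDF2 derivation of the password rather than the password itself, and a login succeeds for whoever presents the right secret. The iteration count, the sample secrets and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed example, not from the course page: how a system keeps a
# "way to check" a password without keeping the password itself.

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256


def make_record(password: str) -> dict:
    """Create what the system stores for one account.

    A random salt is drawn per record, so the same password stored at two
    sites yields two different records. Only the salt and the derived key
    are kept; the password itself is never written down.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "key": key, "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Check an attempt against a stored record.

    Whoever types the right secret passes: the record cannot tell Olivia
    apart from someone who has learned her password.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["key"])


def records_differ(password: str) -> bool:
    """Two sites storing the same password keep different checks (different salts),
    yet the one shared secret still opens both."""
    a = make_record(password)
    b = make_record(password)
    return a["key"] != b["key"] and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    record = make_record("correct horse battery staple")  # constructed sample secret
    print("right secret:", verify(record, "correct horse battery staple"))
    print("wrong secret:", verify(record, "Correct horse battery staple"))
    print("same secret, two sites, two different records:", records_differ("hunter2"))
```

The point to notice is the last function: the stored checks differ per site, but that does nothing for Olivia if the plaintext itself escapes, because any site's check accepts the same secret.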

Guessing and Brute Force

The most obvious attack on a secret is to guess it. Attackers do not sit and type guesses by hand, though. They run automated tools that test enormous lists of likely passwords — common words, names, birthdays, and the passwords people pick most often — at a speed no human could match.

Testing every possible combination until one works is called brute force. A short or common password falls almost instantly to this, because there are so few possibilities to try. A long, unusual one takes far longer, because the tool has vastly more guesses to grind through.

This is the one weakness that a stronger password actually fixes. Length and unpredictability buy real protection here — against guessing. The trouble is that guessing is not the attack that hurts most people.
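To make the "length and unpredictability" point concrete, here is an added example (not from the course page) of a registration-time check: it estimates how many candidates a brute-force tool would have to try, and rejects anything on a list of the passwords people pick most often. The common-password list, the guess rate and the minimum length are constructed assumptions.

```python
import string

# Constructed example, not from the course page. Shows the two things
# guessing cares about: how many candidates a tool must try, and whether
# the password is on the short list it tries first.

# Constructed stand-in for a real list of the most-used passwords.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "olivia2024", "Password1", "welcome",
}


def alphabet_size(password: str) -> int:
    """Size of the character pool a brute-force tool would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def search_space(password: str) -> int:
    """Number of candidates of this length drawn from this pool."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for a tool at the given (assumed) rate to try every candidate."""
    return search_space(password) / guesses_per_second


def check_password(password: str, min_length: int = 12) -> str:
    """Registration-time policy check.

    Rejects anything on the common list first (those fall instantly
    regardless of length), then anything too short to resist brute force.
    """
    if password.lower() in {p.lower() for p in COMMON_PASSWORDS}:
        return "reject: appears on common-password list"
    if len(password) < min_length:
        return "reject: too short"
    return "ok"


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for an offline cracking rig
    for candidate in ["Password1", "hunter2", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r:32} {check_password(candidate):40} "
              f"pool={alphabet_size(candidate):3} worst-case={seconds_to_exhaust(candidate, rate):.3g}s")
```

Run it and the two lines that matter are next to each other: a short mixed-character password is exhausted in seconds at that rate, while a long one takes longer than any attacker will wait. The common-list check comes first because a password on that list is tried before brute force even starts, so its length buys nothing.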

Reuse and Leaks — the Real Killer

Companies get breached. Sooner or later a website Olivia uses suffers a break-in, and the attacker walks away with its stored passwords. This is a leak — a secret escaping not because it was guessed, but because the place keeping it was robbed.

On its own, one leaked password opens one account. The damage explodes because of reuse — using the same password on more than one site. When Olivia uses the same secret on a small shop and on her email, a breach at the shop hands the attacker a working key to her email too.

And attackers know to try. After a leak, they take the stolen passwords and feed them into the login pages of email providers, banks, and other shops, automatically, to see where else the same secret works. Every account Olivia reused now opens with one stolen copy. This is the most common road to a real account takeover.
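The "feed stolen passwords into login pages" step leaves a distinctive trace on the defender's side. As an added example (not from the course page), here is a small detector run over constructed login log lines: one source address failing logins across many different usernames within a short window is the signature of a reuse attack, not of a user mistyping their own password. The log format, addresses, usernames and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed example, not from the course page: a defender's view of the
# "try the stolen passwords everywhere" step.

# Constructed sample log lines: timestamp, source address, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 olivia FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave OK
2024-05-01T10:00:04 203.0.113.7 erin FAIL
2024-05-01T10:00:05 203.0.113.7 frank FAIL
2024-05-01T10:03:10 198.51.100.2 olivia FAIL
2024-05-01T10:03:20 198.51.100.2 olivia FAIL
2024-05-01T10:03:31 198.51.100.2 olivia OK
"""


def parse_log(text: str) -> list:
    """Turn the constructed log format into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def flag_credential_stuffing(events, window=timedelta(minutes=5), min_users=5) -> dict:
    """Return {source: distinct usernames} for sources that tried at least
    `min_users` different accounts inside any `window` of time.

    Successes count too: a run that finds one working reused password is
    exactly the event worth catching.
    """
    by_src = defaultdict(list)
    for ts, src, user, _ in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged


def successes_from(events, sources) -> list:
    """Accounts that a flagged source actually got into: the reused passwords."""
    return [user for _, src, user, result in events if src in sources and result == "OK"]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = flag_credential_stuffing(events)
    print("suspicious sources:", flagged)
    print("accounts opened by them (force a reset):", successes_from(events, flagged))
```

The second source in the sample, three tries against one account followed by a success, is what a forgotten password looks like and is not flagged. The first source hit six accounts in four seconds and got into one of them; that one account is where the stolen password was reused, and it is the account to lock and reset first.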

Why "Just Pick a Strong Password" Isn't Enough

A strong password sounds like it should settle the matter. A strong password genuinely helps against guessing. But look at what it does not help against.

A strong password can't stop a site from being breached, and it can't un-leak a password once it's out — so a leaked password should be treated as burned, however complex it was. The real damage comes from reuse: if Olivia used that same password elsewhere, every one of those accounts is now exposed too. And there is a second way to lose it: a phishing page, a fake login screen built to look real, simply captures whatever Olivia types. A strong password typed into a fake page is handed straight to the attacker.

What a strong password fixes — and what it doesn't

  • Guessing: a strong password helps — more combinations means slower cracking.
  • Data leak: strength can't prevent or undo a leak — and reuse spreads it to every account that shared the password.
  • Phishing page: a strong password doesn't help — the attacker receives it straight from you.

So strength is one defense against one attack, not a cure. A password can be long, unique, and unguessable, and still be leaked or captured. That gap is exactly why the next topic asks for more than one kind of proof.

Common Confusions

  • "A complex password can't be stolen." Complexity stops guessing, not leaks or phishing. A long, unusual password that gets captured on a fake page or stolen in a breach is just as compromised as a simple one.
  • "Reusing a password is fine as long as it's a strong one." Reuse means one site's breach unlocks every other site that shares the secret — strong or not. Strength does nothing once the exact password is already in an attacker's hands.
  • "Hackers sit there typing guesses at the login box." Guessing is automated and usually run offline against stolen data, at a rate of millions of attempts. The slow, by-hand image badly underestimates how fast weak passwords fall.

Why It Matters

  • Reuse is the single most common road to account takeover — one leaked site quietly unlocks every account that shared the same password.
  • It explains why "just pick a strong password" is only half an answer: strength stops guessing but not leaks or phishing.
  • It sets up everything that follows — multi-factor login, password hashing, and why breaches matter — all of which exist because passwords alone are this fragile.

Knowledge Check

What makes a password able to prove who you are in the first place?

  • Only you are meant to know it
  • It is long enough to be hard to type
  • The website keeps a copy of it safely stored
  • It contains numbers and special symbols

Olivia uses the same password on a small shop and on her email. The shop is breached. What is the danger?

  • The leaked password opens her email account too
  • Nothing, because the password was strong
  • Only the email account could leak, never the shop
  • The attacker must still guess each account one by one

Which attack does picking a stronger password actually defend against?

  • Guessing, where tools test lists of common passwords
  • A leak, where a breached site's passwords are stolen
  • Phishing, where a fake page captures what you type
  • Reuse, where one password is shared across many sites

Why is "just pick a strong password" not the whole answer to account safety?

  • Strength stops guessing but not leaks or phishing
  • Because strong passwords are too long to ever type correctly
  • Because a strong password offers no protection of any kind
  • Because guessing is the one attack strength cannot slow down
