Why Passwords Are So Weak
It is worth being honest about this from the start: most passwords are considerably weaker than the people who chose them believe, and the fault is not really theirs. Human beings, left to invent and remember passwords unaided, are remarkably predictable. We reach for names, dates, seasons, the company we work for, a favourite team, a keyboard pattern - and when a complexity rule demands a capital, a number, and a symbol, we satisfy it in the most predictable way imaginable: a capital at the front, an exclamation mark and a year at the end. "Summer2024!" passes almost every corporate policy and sits among the first few thousand guesses any attacker would try. A password that felt effortful to remember often carries far less genuine unpredictability than its length suggests.
Reuse makes this worse. The average person now juggles dozens of accounts, and without a password manager the only way to cope is to use the same handful of passwords everywhere. That means a password is rarely confined to your systems: if a member of your staff has reused one on a site that was later breached - and breaches are constant - then that password is, in effect, already public, sitting in one of the enormous credential dumps that circulate freely. The honest working assumption for anyone not using a password manager is that at least one of their passwords is already known to attackers. None of this reflects carelessness. It reflects the fact that human-chosen passwords are simply a weak mechanism being asked to do a job they were never well suited to.