Passwords should never be reused between multiple websites. If a malicious actor figures out a password to one service, they may try that same username and password combination elsewhere.
Also, in the event that a database of usernames and hashed passwords is leaked, a complex password would take longer to figure out by a brute force attack, and wouldn’t appear in a precomputed table of hashed possible passwords (such rainbow table attacks can also be rendered useless by using individual “salts” per user.)
Blocking attempts after a few tries makes a brute force attack difficult.
Latest Answers