ELI5: How is AES encryption so secure if the passwords we use are relatively short and far easier to crack than the cipher itself?
Your password is only one piece of the puzzle. The password you use tells the system how to configure a key to fit the lock. If the key generation mechanism or the cipher key itself is safe from attacks, your account should be safe.
The cipher security is independent of whether you use a 3 letter or 20 letter password. Your password length only secures your password from being guessed.
In instances where the key (cipher key) is available publicly, your security is compromised.
In instances where the user access point is publicly available and your password is leaked, you are compromised.
In instances where the key generation algorithm is publicly available, you are compromised.
In instances where there is a middleman snooping on your network, you are compromised.
If the front end is hidden and your key is visible, you are compromised.
In any instance where your encryption key is hidden, you are safe.
The password isn’t the encryption key. The password is used to access the encryption key. The cipher is considered secure because, if you have the ciphertext (and even if you assume the attacker knows that you used AES), it’s essentially impossible for them to figure out the key from that. That’s why keys need to be kept secret.
If they know you used a short/bad password and they have access to the key generator, then you’re right that it would be easy to brute force the password. But that’s really not AES’s fault, that’s bad key security.
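The distinction between the password and the key discussed above, as an added example that is not part of the thread: it measures how many guesses it takes to reproduce a key derived from a short password, compared with the 256-bit space of the key itself. It assumes PBKDF2-HMAC-SHA256 as the key generator, which the thread does not name; the password, salt and iteration count are constructed for the demo.

```python
import hashlib
import itertools
import math
import string

# Assumption: PBKDF2-HMAC-SHA256 stands in for the "key generator".
# ITERATIONS is kept low so the demo finishes quickly; real deployments use far more.
ITERATIONS = 50
SALT = bytes(16)  # constructed all-zero salt for the demo; real salts are random


def derive_key(password, salt=SALT, iterations=ITERATIONS):
    """Stretch a password into a 256-bit AES key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def password_bits(alphabet_size, length):
    """Size of the password space in bits, assuming uniformly random characters."""
    return length * math.log2(alphabet_size)


def guesses_until_match(target_key, alphabet, length, salt=SALT):
    """Walk the password space in order; return (guess_count, password) on a match."""
    for count, chars in enumerate(itertools.product(alphabet, repeat=length), 1):
        candidate = "".join(chars)
        if derive_key(candidate, salt) == target_key:
            return count, candidate
    return None


if __name__ == "__main__":
    key = derive_key("cat")  # constructed sample password
    print("AES key space:       256 bits")
    print(f"3 lowercase letters: {password_bits(26, 3):.1f} bits")
    print(f"20 mixed characters: {password_bits(62, 20):.1f} bits")
    print("search result:", guesses_until_match(key, string.ascii_lowercase, 3))
```

The derived key is a full 256 bits, but anyone who can run the same derivation only has to cover the password space, so a longer random password and a higher iteration count are what raise the cost.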