Password Bruteforcing Security


I keep seeing these charts that say an 8-character password can be brute-forced in about a second, with more security if you add numbers, symbols, or special characters. As a bilingual, how come we don’t add other languages’ characters? And won’t most sites block your attempts if you are brute-forcing? Many sites already lock you out after ‘suspicious attempts’ or have 2FA. I can’t even sign into my own password manager on another device while traveling even if I wanted to.


9 Answers

Anonymous

As already mentioned, a brute-force attack is not executed against a live system; it is run against password data obtained in other ways (system breach, stolen backups, rogue administrators, …).

These charts are a simplification and the main message is that the strength of your password will be significantly better (exponentially even) if you make it longer or include special characters.

The biggest reason for using MFA/2FA is to protect against credential stuffing attacks.
[https://owasp.org/www-community/attacks/Credential_stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)

With cloud systems the username is often an email address, meaning the same user potentially has the same username everywhere.
Psychologically, users also prefer using the same password everywhere. This means that if a password is compromised once, from any of these services, it could lead to a compromise on any other system if MFA/2FA isn’t used.

Here is a view on the size of the problem of data breaches, including leaked passwords: [https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity](https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity)

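The arithmetic behind those charts, as an added example that is not part of the original question or answers: it compares how length and extra character classes, including non-Latin scripts as the question asks, change the exhaustive search space of an offline attack. The class sizes, the default script size, the guess rate and the sample passwords are assumptions made for illustration.

```python
import unicodedata

# Assumed alphabet sizes an attacker must cover once a class appears in the
# password. Illustrative values chosen for this example, not from the page.
CLASS_SIZES = {
    "lower": 26, "upper": 26, "digit": 10,
    "symbol": 33,      # ASCII punctuation plus space
    "CYRILLIC": 66,    # 33 Russian letters, both cases
    "GREEK": 48,       # 24 letters, both cases
}
DEFAULT_SCRIPT_SIZE = 64   # assumed size for any script not listed above


def classify(ch):
    """Map one character to the class whose alphabet a guesser must add."""
    if ch.isascii():
        if ch.islower():
            return "lower"
        if ch.isupper():
            return "upper"
        if ch.isdigit():
            return "digit"
        return "symbol"
    # First word of the Unicode name is the script, e.g. "CYRILLIC".
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def normalize(password):
    # NFC so that "e" + combining accent and precomposed "é" count the same.
    return unicodedata.normalize("NFC", password)


def alphabet_size(password):
    classes = {classify(ch) for ch in normalize(password)}
    return sum(CLASS_SIZES.get(c, DEFAULT_SCRIPT_SIZE) for c in classes)


def search_space(password):
    """Candidates in an exhaustive search: alphabet ** length."""
    return alphabet_size(password) ** len(normalize(password))


def worst_case_seconds(password, guesses_per_second):
    # Upper bound only: dictionary and reuse-based guessing finish far sooner.
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    RATE = 1e11  # assumed offline guess rate against a fast, unsalted hash
    for pw in ("abcdefgh", "Abcdef1!", "пароль12", "abcdefghijkl"):  # constructed
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"worst case {worst_case_seconds(pw, RATE):.3g} s")
```

With these assumptions, adding four more lowercase letters enlarges the search space more than switching an 8-character password to Cyrillic does.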