Why is a password that uses numbers and letters stronger than one with only letters? The attackers don’t know that you didn’t use numbers, so they must include numbers in their brute force either way.


12 Answers

Anonymous

If I had a fridge full of fruit and I asked you to give me an orange, how long do you think it would take you?

3 seconds? 10 seconds? Maybe so long you just give up?

Brute force attacks are simply a matter of time, and oftentimes systems have defenses in place to simply lock down after so many attempts, requiring the system to be unlocked.

Password entropy is effectively the chance that at any given moment your password will be guessed.

In the event of the orange, that’s effectively a one-character password that’s only lowercase.

The length matters more than the characters, but the mixing of characters does reduce the chance your password will be selected because the available options are much, much larger.

As an example, if my fridge was full of oranges, you would be very quick to pick one for me.

However, if the fridge was full of a variety of oranges and I wanted a blood orange, you now have to dig around and find one for me.

This is what numbers & special characters do, they make it more unique.

This doesn’t always mean a better password though; mostly because humans are predictable.

For instance, my fridge might be full of oranges but I sorted them; so the blood oranges are all in the same spot.

Websites will often advertise their password requirements so hackers will just not attempt passwords that don’t conform. In short the added complexity is now largely gone.

Hackers also don’t just guess entirely randomly; they have tables of passwords and password hashes that they use, they sort/filter/etc. them and run those against a target.

Brute forcing is often a last-ditch effort sorta situation; oftentimes your password is just leaked and that’s how you are hacked, or a security vulnerability in a system allows them access to data.
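Added example, not part of the original answer: a short Python calculation of the search spaces the answer talks about, covering letters only versus letters plus digits, the candidates left once an attacker skips everything that fails an advertised "must contain a digit" rule, and a longer lowercase password against a shorter full-alphabet one. The class sizes (printable ASCII without the space) and the function names are assumptions made for this illustration.

```python
import math
from itertools import combinations

# Character-class sizes for printable ASCII without the space (assumed alphabet).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def entropy_bits(count: int) -> float:
    """Bits of entropy of a uniformly random choice among `count` candidates."""
    return math.log2(count)

def conforming_count(allowed, required, length):
    """Passwords over the `allowed` classes that contain at least one character
    from every class in `required` (a subset of `allowed`), counted by
    inclusion-exclusion over the required classes that could be missing."""
    total = sum(CLASSES[c] for c in allowed)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = total - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * reduced ** length
    return count

def summary(length: int = 8) -> dict:
    letters = keyspace(26, length)   # lowercase only
    mixed = keyspace(36, length)     # lowercase + digits, no rule enforced
    # Candidates left when guesses without a digit are skipped.
    policy = conforming_count(["lower", "digit"], ["digit"], length)
    return {
        "letters_only_bits": round(entropy_bits(letters), 1),
        "letters_digits_bits": round(entropy_bits(mixed), 1),
        "policy_fraction_of_mixed": round(policy / mixed, 3),
        # 12 lowercase characters versus 8 characters from all 94 symbols.
        "long_lower_beats_short_full": keyspace(26, 12) > keyspace(94, length),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

These figures assume every character is chosen uniformly at random; passwords picked by people in predictable patterns fall to wordlists long before an exhaustive search gets that far.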
