Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?

Anonymous

The first thing to understand is that passwords aren’t usually guessed by trying through the website. Instead, if a website gets hacked, the list of all passwords will be downloaded. Now this won’t be that useful as it’s all encrypted^1, but you know the way the encryption works, so if you guess the password you can run the same algorithm on it and check that the garbled output you get matches the garbled password in the stolen list of passwords.

Guessing passwords with brute force is almost never used these days.

Instead, attackers scrape already cracked real passwords from datasets of websites hacked in the past (the website might have been poorly built, making it easy to guess the password quickly) and use those to create a dictionary.

Rather than guessing aaaaaaa, then aaaaaab etc., they’ll first try every password in their dictionary of passwords, then try every password but replace i’s and L’s with 1’s, A’s with @’s etc. and try all those combinations. It’s still a lot to try, but it’s way less than guessing every password with brute force, and it’s way faster as you’ll get the vast majority of the database of passwords in the first few runs through.

So the reason having numbers, letters and symbols is important is not because it’s harder to brute force (although it IS), but because you want a password that’s never been used before, and the more different types of characters you have, the more likely whatever you choose will be novel.

^1 Yes I know it’s not actually encryption but hashing (and salting), but this is ELI5 and most people kinda get what encryption is so it works for this simplified explanation.
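The answer above makes two points: a stolen list of salted hashes is checked by re-running the hash on each guess, and the guesses come from a breach dictionary plus the usual substitutions (i/l to 1, a to @), so "P@ssw0rd123" is not novel even though it mixes letters, digits and a symbol. The following Python is an added example and not part of the original post or any real site's code. It shows the defender's side: how a site would store and verify a salted hash, a password-policy check that folds those substitutions back out and rejects anything that collapses to a word in a (constructed, hypothetical) breach dictionary, and the raw brute-force search space so you can see that adding digits does enlarge it, just not by enough to matter against a dictionary hit.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in for the "already cracked passwords" dictionary the
# answer describes. A real check would use a large breach corpus.
BREACHED_PASSWORDS = {
    "password", "letmein", "sunshine", "dragon", "football", "iloveyou",
}

# Reverse of the substitutions attackers apply (i/l -> 1, a -> @, e -> 3, o -> 0, s -> $).
# '1' is ambiguous (i or l), so it is expanded separately below.
UNLEET = {"@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s"}
SUFFIX_CHARS = "0123456789!"   # digits/bang people tack on the end: "sunshine2020!"


def hash_password(password: str, salt: bytes) -> str:
    """Salted slow hash, as a site would store it (the answer simplifies this to 'encryption')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def verify(password: str, salt: bytes, stored_hex: str) -> bool:
    """Re-run the same algorithm on a guess and compare; this is exactly the check
    a cracker runs against a stolen list, and the check a login page runs too."""
    return hmac.compare_digest(hash_password(password, salt), stored_hex)


def canonical_forms(password: str) -> set[str]:
    """Fold a mangled password back to its base word(s): 'P@ssw0rd123' -> {'password'}."""
    core = password.lower().rstrip(SUFFIX_CHARS)
    # Each '1' may have been an 'i' or an 'l'; try both readings.
    slots = [("i", "l") if ch == "1" else (UNLEET.get(ch, ch),) for ch in core]
    return {"".join(choice) for choice in itertools.product(*slots)}


def is_novel(password: str, breached: set[str] = BREACHED_PASSWORDS) -> bool:
    """True if no de-mangled form of the password is a known breached password."""
    return not (canonical_forms(password) & breached)


def search_space(password: str) -> int:
    """Pure brute-force keyspace: (size of the character classes used) ** length."""
    size = 0
    if any(ch.islower() for ch in password):
        size += 26
    if any(ch.isupper() for ch in password):
        size += 26
    if any(ch.isdigit() for ch in password):
        size += 10
    if any(not ch.isalnum() for ch in password):
        size += 33  # printable ASCII punctuation and space
    return size ** len(password)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed; real salts are random per user
    stored = hash_password("P@ssw0rd123", salt)
    print("login with right guess:", verify("P@ssw0rd123", salt, stored))
    for candidate in ["P@ssw0rd123", "Sunsh1ne2020!", "correct horse battery staple"]:
        print(f"{candidate!r}: novel={is_novel(candidate)} keyspace={search_space(candidate):.2e}")
```

Running it shows that "P@ssw0rd123" has a keyspace of roughly 10^21, far larger than the 26^8 of a plain lowercase word of the same length, yet `is_novel` rejects it immediately because it folds back to "password"; the long all-lowercase passphrase passes the novelty check and still has a larger keyspace than either.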
