Brute force attempts to guess a password are basically useless against a properly designed authentication system. Websites lock people out after a few attempts, so generally in order to guess your password they need to have gotten the database of hashed and salted passwords first so that they can run all of the attempts on their local machine (websites don’t store your actual password; they put it through a one-way hash so that they can only verify that you are giving them the correct one without ever storing the password itself).
Even doing that, though, is extremely difficult if the passwords are just random characters. There are just far too many combinations.
So hackers don’t rely on that kind of “brute force” attack. What they do instead is rely on people having weak passwords, like “password”. There’s a commonly available list of passwords that people use, so they start with those and see if they can get into anyone’s account with them. By forcing people to use numbers and letters you make it much harder for people to wind up using the same few common passwords over and over again.
The actual difference between the number of combinations between 10 letters and 10 letters + numbers is almost beside the point. The real point is to disrupt the most common patterns people fall into so that a hacker can’t just take a list of 100 commonly used passwords and try them against your 100,000 users and rely on at least some of them having used “qwerty”.
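An added example (not part of the original answer) of the attack described above: a site stores salted, one-way hashes, an attacker who has stolen that table runs a short list of common passwords against every user offline, and the accounts that chose "qwerty" or "letmein" fall while the one with a random 12-character password does not. It assumes PBKDF2-SHA256 as the hash function and uses a constructed six-entry wordlist standing in for the multi-million-entry lists attackers actually use; the usernames and passwords are made up.

```python
import hashlib
import os
import secrets
import string

# Constructed stand-in for a real leaked-password wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin"]


def hash_password(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Salted one-way hash. PBKDF2-SHA256 is used here for a self-contained
    example; a production system would pick a memory-hard KDF (argon2/scrypt)
    and a much higher work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(password: str) -> tuple[bytes, bytes]:
    """What the website stores: a random per-user salt and the hash, never the password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Login check: re-hash the submitted password with the stored salt and compare."""
    return secrets.compare_digest(hash_password(password, salt), stored_hash)


def random_password(length: int = 12) -> str:
    """A password nobody's wordlist contains (hypothetical 'good user')."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_sample_db() -> dict[str, tuple[bytes, bytes]]:
    """Constructed 'stolen database': two weak passwords, one random one."""
    return {
        "alice": register("qwerty"),
        "bob": register("letmein"),
        "carol": register(random_password()),
    }


def dictionary_attack(stolen_db: dict[str, tuple[bytes, bytes]],
                      wordlist: list[str]) -> dict[str, str]:
    """Offline attack: for every stolen (salt, hash) pair, hash each wordlist
    entry with that user's salt and stop at the first match. Because salts
    differ per user, each guess must be re-hashed for every account."""
    cracked = {}
    for user, (salt, stored_hash) in stolen_db.items():
        for guess in wordlist:
            if hash_password(guess, salt) == stored_hash:
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    db = build_sample_db()
    print(dictionary_attack(db, COMMON_PASSWORDS))  # alice and bob fall, carol does not
```

The attacker never touches the login form, so lockouts do not help once the table has leaked; what limits the attack is the size of the wordlist times the number of users times the cost of one hash, which is why per-user salts and slow hash functions matter. The brute-force alternative the answer dismisses would have to enumerate the whole keyspace (62 to the power 12 for carol's password), which this wordlist loop never attempts.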