Cybersecurity

Why is there such an emphasis on strong passwords?
My understanding is that brute force or dictionary attacks are only possible when the attacker can test a large number of passwords in a reasonable amount of time. Modern Unix systems do not expose the encrypted passwords and have limits on how many passwords can be attempted so how can a weak password be exploited?

Al

One reason is that if someone steals the password file with all the encrypted passwords, it is easy to crack weak passwords. So, imagine a business with 20,000 customers and someone steals the password file. It would be easy for a criminal to run a brute force exploit (attack) against the encrypted passwords in the password file, and then subsequently compromise the accounts.

Also because many users pick really, really, really easy passwords, making a brute force search downright practical.

Picking easy passwords allows the use of a "common password dictionary", however, even this method requires the testing be done on the target system, as not all systems use the same algorithm or seed.
A 'simple' password of 8 characters made up of only lowercase letters and digits allows 2821109907456 possibilities, which at 1000 possibilities per second still requires 32615 days to test.

According to this quick wikipedia article on password strength (FWIW):

Given these two quotes above, jgt's example goes from 32615 days to test to 0.0116 days to test, or a bit more than 15 minutes (around 17 minutes, I think if my math was right).

Edit: Confirmed 16.79 minutes using a high end desktop computer in 2011 per the wikipedia number in the reference

That only matters when you've swiped someone's shadow file though. If they have to brute-force your login, most systems will slow down failed logins severely.