Why is a 10-character password not enough? Facts and myths

The effectiveness of modern authentication systems rarely depends on the mathematical perfection of algorithms; more often than not, it is undermined by the systemic predictability of human thought patterns. In the realm of automated cybercrime, the key to survival lies not so much in building an impregnable fortress as in transforming the organization into a target that is simply too costly for a hacker to breach.


The password has been with us almost since the dawn of multi-user systems. Although technology has undergone several revolutions in that time, this primary authentication mechanism is still the foundation – and also the weakest link – of digital security. In the public debate, ‘broken passwords’ are usually mentioned in the context of brilliant hackers and complex algorithms. The truth, however, is much more prosaic and has a purely economic dimension: security is not a binary state, but a moving boundary on the graph of attack profitability.

Mathematics versus reality, or the 10-character trap

From the point of view of pure mathematics, modern standards for creating passwords seem impenetrable. Consider a classic example: a 10-character password using upper and lower case letters, digits and special characters. The total number of possible combinations is about $5.4 \times 10^{19}$. Assuming that an attacker has hardware capable of testing a billion guesses per second, it would take about 1,700 years to exhaust that space by brute force.

On paper, this looks like a digital Fort Knox. In practice, however, this statistic is deeply misleading for business. The problem lies not in the mathematics, but in the human desire for simplification. The user, forced to remember dozens of logins, rarely chooses a random sequence. Instead, he uses predictable patterns: an uppercase letter at the beginning, a few lowercase letters, the year of birth or the current year, and the obligatory exclamation mark or question mark at the end.

Once an attacker limits the search field to these ‘human’ patterns, the space of possible combinations shrinks dramatically. With the current performance of GPUs, such a collection can be searched in minutes, not centuries. For a business leader, the conclusion is clear: security based on human memory is illusory security.
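The following is an added worked example (not code from the article) that puts numbers on the two paragraphs above: the full 94-symbol keyspace of a 10-character password versus the keyspace of the predictable shape just described (uppercase letter, lowercase run, a four-digit year, then `!` or `?`). The one-billion-guesses-per-second rate is the article's own assumption; the 100-year window for the year field is a constructed assumption of this example, and a real attacker's pattern set would be wider than this single shape, so the point is the order of magnitude rather than the exact second count.

```python
import math

# Article's assumption: one billion guesses per second.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def full_keyspace(length: int, alphabet_size: int = 94) -> int:
    """Every combination of `length` symbols drawn from the 94 printable
    ASCII characters (letters, digits, punctuation)."""
    return alphabet_size ** length


def pattern_keyspace(length: int, year_digits: int = 4) -> int:
    """Combinations that fit the predictable 'human' shape:
    one uppercase letter, then lowercase letters, then a year, then '!' or '?'.
    Assumes the year falls in a 100-year window (constructed assumption)."""
    lowercase_run = length - 1 - year_digits - 1
    if lowercase_run < 0:
        raise ValueError("length too short for this pattern")
    return 26 * (26 ** lowercase_run) * 100 * 2


def entropy_bits(keyspace: int) -> float:
    """log2 of the keyspace: the usual way to compare password strength."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: trying every candidate once."""
    return keyspace / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for name, space in (("random 10 chars", full_keyspace(10)),
                        ("pattern 10 chars", pattern_keyspace(10))):
        years = years_to_exhaust(space)
        print(f"{name:18s} {space:>22,d} combos  "
              f"{entropy_bits(space):5.1f} bits  "
              f"{years:12.2f} years ({years * SECONDS_PER_YEAR:,.0f} s)")
```

The random 10-character password comes out at roughly 65 bits and about 1,700 years of brute force, matching the article's figure; the same length in the predictable shape is about 31 bits, a little over two billion candidates, which the same hardware exhausts in seconds.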

Industrial guessing scale

The modern cyberattack is not a craft; it is an automated industry. Advanced attackers do not test the entire key space; they test our habits. In doing so, they use three main tools that drastically reduce their operational costs:

  1. Rule-based dictionary attacks: They use databases of passwords leaked from other sites. Algorithms automatically impose rules on them (e.g. replacing ‘a’ with ‘@’, adding ‘2026’), allowing mass guessing of passwords deemed ‘unique’ by users.
  2. Rainbow Tables: Because systems do not store passwords in text form, but as their hashes, attackers use giant precompiled tables. If the password is simple or popular, it takes fractions of a second to find the original based on the hash.
  3. Hardware performance: The development of GPU technology, driven in 2026 by the demands of the AI sector, has paradoxically provided hackers with tools of unprecedented computing power. What a decade ago required a cluster of servers, today takes place on a single graphics card.
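Item 2 above rests on one property of plain hashing: the same password always produces the same digest, so the digests can be computed once and looked up later. The added example below (not code from the article) shows a tiny precomputed lookup table hitting a common password instantly, and then what a server should store instead: a random per-user salt combined with a deliberately slow derivation (PBKDF2-HMAC-SHA256, from Python's standard library), which makes any precomputed table useless and charges the attacker's GPU for every single guess. The "common passwords" list is a constructed sample, not a real leak; the 600,000 default iteration count is the current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed sample of popular passwords standing in for a real leak.
COMMON_PASSWORDS = ["Password1!", "Summer2026!", "Welcome1?", "Qwerty123!"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical input always gives the identical digest,
    which is exactly what makes precomputation worthwhile."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """digest -> password mapping: the essence of a precomputed (rainbow) table."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: dict, stored_digest: str):
    """One dictionary lookup instead of a guessing loop; None if unknown."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputation across users,
    the iteration count makes each individual guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str, iterations: int = 600_000) -> tuple:
    """What a server should persist: a fresh random salt and the derived key."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt, iterations)


def verify_password(candidate: str, salt: bytes, stored: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt; constant-time comparison of the result."""
    return hmac.compare_digest(salted_hash(candidate, salt, iterations), stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted SHA-256 ->", lookup(table, unsalted_hash("Summer2026!")))
    salt, stored = store_password("Summer2026!")
    print("salted PBKDF2    ->", lookup(table, stored.hex()))
    print("verify correct   ->", verify_password("Summer2026!", salt, stored))
```

Storing the same password twice yields two different derived keys, so a table built from one leak cannot be replayed against another site's database; the precomputed table only ever works against unsalted, fast hashes.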

Low-Hanging Fruit strategy – the economics of cyber security

From a business perspective, the most important insight is that cybercrime is an ROI (return on investment) business. The hacker has specific resources at his disposal: time, computing power and budget. His goal is not to ‘crack password X’, but to ‘access data of value Y at minimum cost Z’.

In this context, the goal of cyber security in a company should not be mythical perfection, but to make an attack so difficult and unprofitable that the attacker will give up in favour of an easier target. In IT circles, this is called the strategy of avoiding being the ‘low-hanging fruit’.

From a market perspective, investing in cyber security is de facto managing the operational cost of an attacker. If implementing the right procedures makes the cost of an intrusion into our resources increase tenfold, we automatically eliminate 90% of potential threats whose budget cannot bear such an escalation.

New hygiene standard: Regaining control

Since we know that human predictability is the weakest link, the solution must be based on the systemic elimination of this factor. The contemporary model for a secure organisation in 2026 is based on three pillars:

  • Password managers as a corporate standard: The privilege (and burden) of employees designing their own passwords should be taken away. Managers generate strings of more than 20 characters with maximum entropy. Such passwords, unless leaked directly, are practically impossible to crack with the current state of technology.
  • Multi-factor authentication (MFA): This is the absolute foundation. Even if a password is guessed or stolen, MFA drastically reduces its market value. From a hacker’s point of view, having to overcome additional security (biometrics or a dongle) is an additional cost that often makes an attack unviable.
  • Phrases instead of passwords: In cases where remembering a password is essential, the market trend is to move away from complex words in favour of long, random phrases (e.g. “four-blue-horses-eat-pizza”). These are easier for humans to remember and, due to the number of characters, extremely difficult to crack by trial and error.
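As an added example (not code from the article), the block below generates credentials the way the first and third pillars describe: a manager-style random string of more than 20 printable characters, and a `four-blue-horses-eat-pizza` style passphrase, each drawn with a cryptographically secure generator. It also estimates the entropy of each, which makes one caveat visible: a passphrase's strength comes from the number of words and the size of the word list it is drawn from, not from its character count, so a tiny constructed list like the 16-word sample here yields weak phrases even when they are long. The 7,776-word figure used for comparison is the size of the standard Diceware list.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: what a password manager typically draws from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word sample; a real generator uses a list of thousands of words.
SAMPLE_WORDS = ["four", "blue", "horses", "eat", "pizza", "river", "lamp", "quiet",
                "stone", "orbit", "velvet", "cactus", "maple", "signal", "harbor", "tiger"]

DICEWARE_LIST_SIZE = 7776  # size of the standard Diceware word list


def generate_password(length: int = 24, alphabet: str = PRINTABLE) -> str:
    """Manager-style password: every position chosen uniformly with `secrets`,
    never with `random`, which is not designed for security."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Passphrase in the article's 'four-blue-horses-eat-pizza' style."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy depend on word count and list size, not on letters."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = generate_password(24)
    print(f"manager password : {pw!r}  "
          f"{password_entropy_bits(len(pw), len(PRINTABLE)):.1f} bits")
    phrase = generate_passphrase(5)
    print(f"sample passphrase: {phrase!r}  "
          f"{passphrase_entropy_bits(5, len(SAMPLE_WORDS)):.1f} bits (16-word list)")
    print(f"same 5 words from a {DICEWARE_LIST_SIZE}-word list: "
          f"{passphrase_entropy_bits(5, DICEWARE_LIST_SIZE):.1f} bits")
```

Five words from the 16-word sample give only 20 bits, whereas five words from a 7,776-word list give about 65 bits, on a par with a fully random 10-character password; the 24-character manager string lands near 157 bits, far beyond anything the guessing industry described earlier can exhaust.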

Market insights for business leaders

The cyber insurance market is increasingly making premiums (or the ability to insure at all) contingent on the application of specific standards, such as mandatory MFA or zero-trust policies….

What is more, we are seeing an image shift. A company that falls victim to a leak because of simple, predictable passwords loses not only its data but, above all, its reputation as a professional partner. In the B2B world, where supply chain security is crucial, digital resilience is becoming a competitive advantage. The customer prefers to work with an entity that is ‘too expensive to attack’ rather than one that offers the lowest price at the expense of not having a password manager.
