If the password is too short, an attacker can brute force the hash by simply trying all 6-character combinations of allowed password characters, provided that the hashes get leaked or hacked, which happens quite a lot these days. (Or if the website is stupid enough to allow an attacker to brute force try all these combinations without throttling you or stopping you at the xth wrong entry.)
justinlardinois|9 years ago