A password or its numerical form, sometimes called a passcode or PIN, is one of the simplest authentication methods. It is usually used with an identifier, as a shared secret between the person who wants access and the system that’s protected.
If it’s not encrypted, or if the encryption is easy to break, passwords and passcodes are vulnerable to eavesdropping and replay. And if it is encrypted, there are other attacks that are used. A brute force, or dictionary attack consists of an attack that just tries possibility after possibility until the right one is found. Utilities to help an attacker with this kind of attempt are easily found on the Internet. Short passwords, made of one simple word are the easiest to find with this kind of attack. So many administrators require pass phrases, complex combinations of word. Controls will also often require that numbers or special characters are used with the password or pass phrase, this makes it more random in nature and harder to guess.
In some environments, users must remember many complex passwords and pass phrases and end up writing them down near the computer. This becomes the vulnerability.