We use passwords every day to authenticate ourselves to user accounts when we shop, bank or use social media online. Passwords are attractive to software companies because they are cheap and scale easily. Stronger forms of authentication, such as the tokens or smart card readers issued by banks, cost money to develop, distribute and maintain.
The problem with passwords is that, as humans, we are not good at creating strong combinations (by strong we mean not easily guessed) and then remembering them. For example, whilst 'LD;kmd12-93diu9_UJF()$(Y' is a good password, we are very unlikely to remember it, let alone type it in correctly!
Humans tend to reuse passwords that are easy to remember across multiple applications and websites. Why is this a risk? As the attack on Yahoo showed, where 1 BILLION user accounts were compromised, an attacker can take credentials stolen from one system and try them against other systems where the same details were used. When an e-mail account is compromised in this fashion there is real cause for concern: many online providers send password resets or reminders to your e-mail address, so even if we use strong, unique passwords on those sites, an attacker who can read our e-mail can reset all of our accounts.
How do passwords work? Different applications and systems process passwords differently, but the standard method looks something like this. We enter our password when creating an account, for example 'cheese'. The provider should never store the password in clear text (i.e. as 'cheese'); this prevents a rogue insider who gains access to the database from reading the passwords and using them to authenticate to accounts on other systems. So what providers do instead is 'hash' the password: the system takes 'cheese' and uses a one-way function to turn it into the following: 'fea0f1f6fede90bd0a925b4194deac11'.
'fea0f1f6fede90bd0a925b4194deac11' doesn't look like 'cheese'.
In fact, it should be very difficult for anyone, even with a supercomputer, to reverse 'fea0f1f6fede90bd0a925b4194deac11' back to 'cheese'.
The issue is that attackers can take a huge list of words (millions of them), including popular passwords such as '123456' or 'cheese', and run every word through the same hash function used above.
Therefore an attacker who holds the value 'fea0f1f6fede90bd0a925b4194deac11' does not need to reverse it: they hash each word in the list and check whether the result matches. This is referred to as a dictionary attack.
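To make the above concrete, here is an added example (not code from the original article) that hashes a constructed word list the way the article describes and looks the article's value up in it; the 32-hex-digit value shown is the MD5 digest of 'cheese', so that is the function used here. The second half shows the two defensive changes a provider makes so that one precomputed list no longer works against every account: a random per-user salt and a deliberately slow hash (PBKDF2 here; the iteration count is an assumed example setting).

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed word list standing in for the millions-entry lists the article mentions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "cheese", "football"]


def md5_hex(password: str) -> str:
    """Fast, unsalted one-way function: the storage scheme the article describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dictionary_lookup(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Re-hash every word and compare with the stored value (the dictionary attack).
    Returns the matching word, or None when the list does not contain it."""
    for word in wordlist:
        if hmac.compare_digest(md5_hex(word), target_hex):
            return word
    return None


def precompute_table(wordlist: Iterable[str]) -> dict:
    """Without a salt, one hash->word table built once serves against every user."""
    return {md5_hex(w): w for w in wordlist}


# Defender's side: per-user random salt plus a slow, iterated function.
ITERATIONS = 200_000  # assumed cost setting for the example; tune to current guidance


def make_record(password: str) -> dict:
    """What a provider should store instead of md5(password)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored values, so a table
    built once cannot be reused and every guess must be recomputed per user."""
    return make_record(password)["hash"] != make_record(password)["hash"]
```

With the salted, slow record, the word list still has to be tried, but each guess costs hundreds of thousands of hash operations and applies to a single account rather than the whole database.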