If you run a server that is accessible to anyone on the Internet, you should expect that many people and bots will attempt to break into the system, which is why you should ensure that all accounts have strong passwords. Many attackers will use a dictionary attack where they pair common account names, such as root, admin, administrator, etc. with every word in a dictionary. Or they may even pair a "name dictionary" with a dictionary for a particular language, such as English. Such dictionaries can be readily found on the Internet. Name dictionaries may be used by expectant parents looking for a name for their yet to be born child, but a malefactor may use such a dictionary as well as part of an attack against a system. E.g., an attacker may start with abe as a username and then try every word in an English language dictionary as a password. If he can't get in using abe as the user name, he might next try al, alan, ann, arthur, etc. going all the way up to names that start with the letter "z". Certainly pairing each name with every word in a dictionary would take an inordinate amount of time, if someone manually typed each username and password combination, but there is no need for an attacker to manually make guesses in an attempt to compromise a system. Instead, he can use a program that will read entries from dictionaries and submit them to the system under attack. A program can potentially submit thousands of guesses a minute if there is sufficient bandwidth between the attacking and attacked systems and sufficient CPU power on both systems. If you are responsible for a server, you are unlikely to want an attacker to have unlimited attempts to break into the system. The attacker will be using bandwidth to your server and system resources, such as CPU cycles, even if he never manages to break into the system. And, if even one user has a weak password, such as a dictionary word, sports team name, car name, etc., which may also be in a dictionary used for password guessing, granting an attacker unlimited attempts to try breaking in may result in the attacker being successful. One way to preclude an attacker from being able to submit an unlimited number of password guesses is with fail2ban.
[ More Info ]