“Passwords are random, but not in the cryptographic sense of the term. We take passwords that an attacker would not think right away.”