If we make a crude risk assessment, it is way more likely that her account will be randomly hacked by a botnet if she has "kitten4" as a password than someone actively stealing her purse to get her passwords. And if the notebook with passwords was stolen/lost, she would at least know it and be able to take preventive measures.
For most people, writing (good and unique) passwords down in a notepad is a way more secure system than having the same bad password for every account.
Having a botnet guessing the random "kitten4" password for a random user account, is as likely as having your purse stolen for the passwords on that note. FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication, even if you allow brute force attacks. Imperically speaking, obvisouly it's going to fail in the end but I hope you get my drift.
> FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication
This is very counter-intuitive. Is the idea that guessing both the username and the password together is much harder than guessing the password when you already know the username?
In the kitten4 example, I would guess most botnets are working from a list of usernames/email addresses that they got from leaks.
For most people, writing (good and unique) passwords down in a notepad is a way more secure system than having the same bad password for every account.