I agree that the format of both should be hard to guess.
In the articl;e is the example of a bank account.
Strange thing here is in a smaller country the number of digits (of the ID) larger than in a larger country which makes the smaller country more safe. It's still just digits as well as the PIN (in both countries the same number [too few]) of digits.
For brute force techniques too little protection.
Password (later called PW) systems could make it more complex by allowing a greater variety in both the ID and the PW.
The dilemma remains that the systems that are hard to crack by definition become user unfriendly. The users need protection against themselves and be educated (or even forced) to make their credentials as hard as possible to become public.
Keep Up with TechRepublic