Topic: So it's accepted that password1 isn't a secure password...
DarkDragon400
05/03/17 11:44:10 PM
#43:


ChromaticAngel posted...
green butter posted...
In theory, wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? Even more so if capital letters were considered.


No, it's not secure, because of the following.

1. Hackers have "hash dictionaries" with many common passwords pre-hashed, which they can literally just ctrl+f (not literally) for things like "password1". Salt helps, but the attacker likely has access to the salt as well. Remember, they don't try to crack your password by repeatedly logging in; they steal the database that contains your hashed password and crack it at millions of attempts per second locally with no restriction.

2. Even if we were to assume that they were attempting to guess every possible combination of letters/numbers/special characters, it's 9 characters long; even if they started at "0", it wouldn't take more than a few days to crack it.

3. If they have access to a previous password in password change schemes, there is a good chance they can guess it outright. A guy whose password is "password7" probably had the password "password6" a few months ago and "password5" before that.

Password restrictions are tricky because humans will behave in predictable patterns, and the more restrictions you impose on someone, the more predictable the pattern will be. An unintuitive bad restriction is a very large minimum length. If you require a password to be at least 20 characters long, there is a good chance that most of your passwords will be exactly 20 characters long.

It sounds like you're talking about rainbow tables, where you precalculate hashes and store them so that you don't have to spend time cracking the hashes. But those take a really long time to create and, especially with salts, take up an enormous amount of space. With dictionary attacks, you have a list of possible passwords and you use a program to hash each word in the list and compare it to the hash you're trying to crack.
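As an added defender-side illustration (not part of the thread), the Python below contrasts the precomputed "hash dictionary" described in the post with per-user random salt plus a slow KDF; the wordlist, user records and PBKDF2 work factor are all constructed for the demo.

```python
import hashlib
import os

# Constructed stand-in for a real list of common passwords (not from the page).
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]
KDF_ITERATIONS = 100_000  # illustrative PBKDF2 work factor; tune for production


def fast_hash(password: str) -> str:
    """Plain unsalted SHA-256: fast and deterministic, so it can be precomputed."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_hash_dictionary(words) -> dict:
    """The 'hash dictionary' the post describes: hash -> plaintext, built once."""
    return {fast_hash(w): w for w in words}


def store_salted(password: str) -> tuple:
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored beside the digest; it is not a secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest.hex()


def salted_guess_cost(words, salt: bytes, stored_hex: str) -> tuple:
    """Cost of checking a wordlist against ONE salted record: each candidate must
    be re-derived with this user's salt. Returns (match or None, KDF runs spent)."""
    for runs, w in enumerate(words, start=1):
        if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, KDF_ITERATIONS).hex() == stored_hex:
            return w, runs
    return None, len(words)


def compare_schemes(password: str = "password1") -> dict:
    table = build_hash_dictionary(COMMON_PASSWORDS)
    salt_a, rec_a = store_salted(password)  # user A
    salt_b, rec_b = store_salted(password)  # user B, same password
    match, runs = salted_guess_cost(COMMON_PASSWORDS, salt_a, rec_a)
    return {
        "unsalted_lookup": table.get(fast_hash(password)),  # one lookup, no hashing
        "table_vs_salted": table.get(rec_a),                 # precomputed table is useless
        "records_differ": rec_a != rec_b,                    # same password, different records
        "salted_match": match,                               # weak password still falls...
        "kdf_runs_for_user_a": runs,                         # ...but only per user, per guess
        "kdf_iterations_for_user_a": runs * KDF_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```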