Guessing passwords is harder, but possible. An attacker will use tools to brute-force common passwords, or if your usernames are email addresses, they might use social engineering to trick users into revealing their password.
