-How plain is plain?
Plain enough that the checksum can be found through a reverse lookup (even with salts).
Most people assume password strength lies just in how long it would take to just brute-force the exact string.
exactly, they have a repositories of commonly used patterns, plus dictionary attacks.
they bruteforce passwords as a last resort.
to begin with, a lot of login protections block bruteforce by a very simple mean, maximum attempts and login intervals.