Yeah -- I assumed that a random hex password was chosen, and that the attacker does a brute force hex search (e.g. JtR with Incremental:LowerNum). Granted, in practice the attacker usually doesn't know the exact format, so they might waste additional time searching other formats.

I agree about incorporating other characters. As long as it's not "Dictionaryword1!" :) https://youtu.be/aHaBH4LqGsI