I have never understood why protecting a computer from harmful programs is so complicated. A computer just needs to disallow input of executable code from the internet. The operating system knows when executable code is input and made available for execution.
Hacking by the hacker getting passwords is a human thing. No operating system can protect from that.
Of course there’s no excuse for weak passwords.
An 8 character PASSWORD for Windows is weak!
In Unix systems it is a little better because of the hash that is used but not enough in my opinion.
A Windows NTLM 8 character password can be cracked in UNDER 6 HOURS!!! This was demonstrated on a cluster of computers with GPU graphics cards ... in 2012. The same capability can be built for less than $15,000 today. Heck, you can even RENT the system from a cloud provider. Many customers still use and support NTLM for backwards compatibility.
I recommend that everyone adopt a pass PHRASE. For example, "I love Denver!" is 14 characters and complex. If you really want to tighten things up, go with multi-factor authentication.
Remember, the login screen and password is the LAST line of defense. If that is compromised, there is very little left in terms of what can be done to protect the enterprise.
/soapbox
Problem is a computer has to run executables. Otherwise it’s useless, and if you’re going to allow executables, well, you allow executables. Some of them might be bad. And in this modern world some of those executables are coming from the internet. Your method means there’s no Office 365.