Hi devongirl, the reason for sites not allowing real words is it's very easy for a password that appears in any dictionary to be cracked. Hackers are not guessing passwords one at a time, they use computer programs that take a list of millions of words, or common passwords that have been found in one of the major data breaches (linkedin.com, Sony, Adobe, Dropbox, to list a few) and recycle them. Of course, testing millions of passwords against a web login (assuming it has been secured properly) will probably lock out after 5 attempts, which is useful. But if they get to the systems behind the websites then chances of finding all the real passwords are much higher. Then, because people typically reuse passwords across different sites, they would automatically have access to all those other sites too.
Does anyone here use 2-factor authentication? It's when a site will text you a PIN to your phone when logging in, which is really effective. Big sites like Facebook, Google, banks tend to use them but sometimes they're not enabled unless you're aware of them and switch it on yourself!
Btw, just let me know if I'm not explaining clearly.
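
An added example, not part of the original post: a minimal signup-time check of the kind a site can use to reject passwords built on dictionary words or found in breach lists. The word lists are tiny constructed samples and the function names are hypothetical; a real deployment would load a full dictionary and a breached-password corpus.

```python
import re

# Constructed sample lists, standing in for a full dictionary and a
# breached-password corpus.
DICTIONARY = {"sunshine", "dragon", "football", "monkey", "password", "welcome"}
BREACHED = {"123456", "qwerty", "letmein", "password1", "iloveyou"}

# Character swaps that people use to "disguise" a word. They add almost no
# strength, so the check undoes them before looking the word up.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def variants(password):
    """Return the forms of a password that are compared against the lists."""
    lowered = password.lower()
    # Drop digits/symbols stuck on the front or back ("dragon2024!" -> "dragon").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return [lowered, stripped,
            lowered.translate(SWAPS), stripped.translate(SWAPS)]


def rejection_reason(password):
    """Return why the password is rejected, or None if it passes both checks."""
    if password.lower() in BREACHED:
        return "appears in breached-password list"
    for candidate in variants(password):
        if candidate in DICTIONARY:
            return f"based on dictionary word '{candidate}'"
    # Only whole-password matches are checked here; words combined with
    # other words are outside what this sketch covers.
    return None


if __name__ == "__main__":
    for pw in ["Dragon2024!", "P@ssw0rd1", "Password1", "footbal1", "vK7#qT9z!mR2"]:
        print(f"{pw!r}: {rejection_reason(pw) or 'accepted'}")
```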