It’s probably not safe if they use that for everything. Someone could match emails and password suffixes, then they’d only have four letters to brute force. So all it takes is two leaks that your friend is on and he’s at real risk.

Generally, this would be avoided by whatever site storing their passwords as hashes instead of in plain text, but you can’t rely on that.

They should just use a password manager.