"There’s a new way to make strong passwords, and it’s way easier... ...Now, a new standard is emerging for passwords, backed by a growing number of businesses and government agencies — to the relief of computer users everywhere. No longer must passwords be changed so often, or include an incomprehensible string of special characters. The new direction is one that champions less complexity in favor of length. Passwords that once looked like this: W@5hPo5t!, can now be this: mycatlikesreadinggarfieldinthewashingtonpost.... A series of studies from Carnegie Mellon University confirmed that passphrases are just as good at online security because hacking programs are thrown off by length nearly as easily as randomness..." https://www.washingtonpost.com/news/the-switch/wp/2016/08/11/theres-a-new-way-to-make-strong-passwords-and-its-way-easier/?hpid=hp_rhp-more-top-stories_no-name:homepage/story I hope all website administrators read this. Much better than: "Passwords must be 6-9 characters in length and must include at least one capitalized letter, a number, and another type of character such as "%"." NB: I believe there are brute-force algorithms based on dictionary words, so maybe not such a great idea.
I'd really like to see the studies and see if their methodology is correct, because using a combination of words isn't very secure at all against a dictionary attack when this is done offline. I'd like to know how websites protect against this kind of attack. And not many people will remember a lengthy combo of words anyway. Most have trouble remembering 2 or 3 words, imagine 10 or 12. Given that the "most used words on passwords" number is very small, an attacker wouldn't need to go very far to discover a password composed of only words. In fact, I'm positive that that's why a ton of people get hacked every year.
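The disagreement between the two posts above is really about which attacker model applies. As an added example (not from the thread or the Washington Post article), the following scores the article's passphrase under a brute-force-by-characters model and under the dictionary-attack model the reply raises; the offline guess rate and the 10,000-word vocabulary are constructed assumptions.

```python
import math

# Constructed attacker assumption for illustration (not from the thread):
# guesses per second against a fast, unsalted hash in an offline attack.
OFFLINE_GUESS_RATE = 1e10

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (incl. space).
CHAR_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum(), 33),
)


def charset_entropy_bits(password: str) -> float:
    """Bits of work for an attacker who brute-forces every character
    from the classes the password actually uses (the 'length' model)."""
    space = sum(size for present, size in CHAR_CLASSES
                if any(present(c) for c in password))
    return len(password) * math.log2(space) if space else 0.0


def passphrase_entropy_bits(num_words: int, vocab_size: int) -> float:
    """Bits of work for an attacker who knows the password is `num_words`
    words drawn from a `vocab_size`-word list (the 'dictionary' model)."""
    return num_words * math.log2(vocab_size)


def years_to_exhaust(bits: float, rate: float = OFFLINE_GUESS_RATE) -> float:
    """Years needed to try the whole space at `rate` guesses per second."""
    return 2.0 ** bits / rate / (365 * 24 * 3600)


def compare(passphrase: str, words: list, vocab_size: int) -> dict:
    """Strength of a word-based passphrase under both attacker models;
    the effective strength is whichever model gives the attacker less work."""
    length_bits = charset_entropy_bits(passphrase)
    dict_bits = passphrase_entropy_bits(len(words), vocab_size)
    eff = min(length_bits, dict_bits)
    return {"length_model_bits": round(length_bits, 1),
            "dictionary_model_bits": round(dict_bits, 1),
            "effective_bits": round(eff, 1),
            "years_offline": years_to_exhaust(eff)}


if __name__ == "__main__":
    words = "my cat likes reading garfield in the washington post".split()
    # A 10,000-word attacker vocabulary is a constructed assumption.
    print(compare("".join(words), words, 10_000))
    print("W@5hPo5t! as raw characters:",
          round(charset_entropy_bits("W@5hPo5t!"), 1), "bits")
```

Shrinking the vocabulary (the reply's "most used words" point) lowers the dictionary-model figure linearly in the number of words, so the passphrase's real strength comes from how many words it has and how predictable they are, not from its character count.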
Will stick with my overly complex random passwords. I don't feel comfortable using passwords that use dictionary words or character substitutions with numbers and symbols. What I would like is a hardware key manager from a company like Yubikey that has some of the features of a software key manager like keepass. For example, I like that keepass offers auto-type obfuscation. I'd be happy combining this feature with something like a Yubikey on a password like this: RimJ+.Xdo<8cwmv#A\q%lTw7'|EsZAM{xk3e~}}6sZ>1laN$YAL[(a#X#An1uub This in my opinion seems much more secure than simply relying on random or long passwords for security.
Similar discussion in this Lastpass blog post... https://blog.lastpass.com/2016/08/the-smart-way-to-create-passwords.html/