Passphrases have been known for a long time to be an easy way to create memorable, secure passwords. There are a couple of reasons they aren't used more widely, though:

- If password complexity requirements are enforced (because left to their own devices, most users would choose extremely insecure passwords), they typically prevent the use of such plain-text phrases without padding them with junk or using character substitution.

- Many systems have too short of length limits on passwords, either because they store passwords improperly (plain text, symmetric cipher), or because of the processing requirements of hashing longer passwords (DOS attack surface).

In the latter case it's a bit ironic that the same reason we choose hashing algorithms (harder to compute means harder to brute force without rainbow tables) is the same reason we can't have longer passwords.

Seems as if they simply went with a wrong assumption from the beginning, then disobeyed the venerable law, "When in a hole, first stop digging."

The whole thing could have been a lot easier.

Very interesting! 

Yea, too many sites try to force you to have mix caps and have numbers. It's very frustrating.

Create a nonsense phrase and sub one cap and one symbol and add a space or two. I use complete sentences. One such is twenty four characters long. The more there are the more difficult it will be to decipher.

Well, Shirley set me straight.

The stuff in the cartoon is true about brute force attacks (but now there are much more powerful processors),

Also, it wouldn't be much good against a dictionary attack.

Thanks, Shirley!

A lot of sites allow certain punctuation characters (as in they don't give you an error) when picking your password, don't specify it as being prohibited in the note for the password, but if you actually attempt to use that character in your password, cause an error that won't allow you to log in.  I had this issue actually with my password I used to sign up for my stardock account back in 2006, and a lot of other sites.  And, yeah, its very annoying how some sites limit the length of your password ... that can't be secure at all. :/

Healthcare.gov is bad as they force it on your username as well.

If you want really bad passwords, try the military.  1 One uppercase, one lowercase, one number that has to be in the middle, and one punctuation mark.  Folks got so fed up, and the threat of writing down the password so severe, that most folks just did I forgot my password.

Dictionary attacks are only effective against single words, common phrases/combinations, and simple character substitutions. The only scenario where they could be useful against a passphrase such as 'correcthorsebatterystaple' would be an offline, focused cracking attempt where the attacker already has reason to believe the hash they are trying to crack is such a phrase.

Extending the space to the whole of the English language, rather than just ~2000 common words, renders even that totally ineffective, because then the search space grows from powers of 2000 to powers of 200,000 (by extremely conservative definitions of 'word') or even millions. Again, that assumes the attacker even knows the password is made of English words.

So if you're making a password for nuclear missile launch controls and tell someone that the password is made entirely of common lowercase words, you probably have cause for concern.... but otherwise, a phrase like that is plenty good enough for most uses (assuming password rules allow it).

Unless you have a trivial password or an educated attacker, nobody is going to guess a login online unless the site doesn't implement any kind of lockout after X incorrect guesses. Online breaches are generally the result of social engineering first, malware second, and cracking a very distant third.

Realistically, the common scenario for password leaks these days is a database compromise (there have been a lot of high profile leaks since 2011 when that cartoon was made). In that case, the attackers are just going to crack the low-hanging-fruit (using mainly dictionary and min-length brute force attacks, less so pattern-based guessing) and just gather whatever information they can from the rest to use in other ways (spear phishing, etc.).

You probably have seen This Article from Ars Technica but in case anyone has missed it...

Article's title is: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Pretty interesting and kinda scary, but it's predicated on a server hack getting a list and cracking that list offline (which happens way too often these days...).

Understanding how the cracking attempts are constructed help create safer (not safe, but safer) passwords.

And while I'm here I'd like to thank the DrJBHL for all his helpful posts on this stuff, over the years!

And also on the hashes being unsalted and MD5, which are both worst practices.

The article would be a lot less interesting if the hashes were salted. Based on the hashing rates and times to cover given search spaces in the article, they took advantage of the lack of salt by comparing every guessed hash against the entire set, which is substantially easier and more productive than doing it individually.

With salt, the first pass that revealed all the <6 length passwords in two minutes would have taken a week or two instead. And the more sophisticated pattern-based attacks would have been totally infeasible without a lot more hardware.

Yes, but one of the the points in the article is that most people re-use passwords, so it only takes one bad apple (vendor whose poorly secured database gets compromised, or alternatively a malicious honeypot) to undermine your security on a whole host of websites.

Business Model:

1) Compromise password database for I.sell.socks.com, written by someone who thought they knew web security 10 years ago. Or, skip this step and buy one that's already compromised from any number of shady vendors.

2) Run password cracking tool of choice over the database.  Say you get 50% of them.

3) Select usernames from cracked set and begin searching for those usernames in forum posts/facebook/etc

4) When you find one that hits a web email provider, try to log in with that email and the cracked password.  

5) Search their inbox for whatever looks useful.  Banking emails, online bill payments, grandma's secret cookie recipe, etc.

6) Profit!

7) Go to jail once the feds catch up to you, maybe a year or two down the road.

I have an acquaintance who makes his living consulting on computer security issues.  We've had a number of conversations on this topic.  His practical take:

The law of diminishing returns applies to passphrase security, just as it does to most things.

Forcing password changes every 60-90 days is completely counterproductive and not 'safer' - in fact may compromise security by exposing passphrases to unauthorized others (e.g., writing them down somewhere).

A plain-language sentence of 10-12 characters or more that you can easily remember, without spaces, is as secure as any random-character passphrase; he picks a sentence from a favorite book.

Using the same such password for all your financial sites/transactions (anything you consider important or want to remain secure) is fine, provided you use a different password for all non-financial/non-commercial (unimportant) activity (email, Facebook, etc.).

He uses only two passphrases (important/unimportant) and may change them every year or two.

YMMV.