by miles 4853 days ago
Exactly. In a thread about "900gage!@#" being cracked in a few hours[1], this same discussion came up. It's worth reading for those who are wondering about passphrases vs. complex passwords.

[1] http://news.ycombinator.com/item?id=4545893

1 comments

This is, again, not about a random password, as moxie explains in that thread. And as he continues, with regard to the comic: "I think that's totally on the right track, but if people start to do that, chances are that they'll start to create exploitable patterns again".

Any password cracker smart enough to exploit the patterns in "900gage!@#" is also smart enough to exploit the construction of an English language passphrase. The passphrase is still secure enough (probably), but it is not more secure than the random password. And if there is any one thing to take away from that thread, it should be that it's foolish to assume the obscurity of your passphrase's formulation gives you any extra security whatsoever.

Thanks for your reply, Niten! Sorry, I didn't mean to imply that "900gage!@#" was random, but many people would (wrongly) consider it complex. Users who are not generating and storing random passwords (with KeePass or the like) may make safer password decisions when thinking in terms of a phrase rather than a "complex" word. Of course, they'd be far safer still by using a good password manager and long, truly random passwords.
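
Added example, not written by any participant in this thread: a Python calculation of password strength under the assumption argued above, that the attacker knows how the secret was constructed and only the random choices are unknown. The 7,776-word list size, the 20,000-word dictionary and the "digits + word + symbols" template are assumptions chosen for illustration.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars
WORDLIST_SIZE = 7776      # assumption: Diceware-sized list (6**5 words)
DICTIONARY_SIZE = 20000   # assumption: size of a cracking dictionary

def scheme_bits(pool_sizes):
    """Entropy in bits when every component is drawn uniformly at random
    from a pool whose size the attacker already knows."""
    return sum(math.log2(n) for n in pool_sizes)

def words_needed(target_bits, wordlist_size=WORDLIST_SIZE):
    """Fewest uniformly chosen words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def random_password(length, alphabet=PRINTABLE):
    """Generate a password with a CSPRNG, one uniform choice per character."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words, wordlist):
    """Generate a passphrase with a CSPRNG; words may repeat."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed model of a "complex-looking" password: 3 digits, one
# dictionary word, 3 symbols. Human choices are not uniform, so this
# figure is an upper bound on what such a template provides.
TEMPLATE = [10, 10, 10, DICTIONARY_SIZE, 10, 10, 10]

SCHEMES = {
    "template (digits+word+symbols)": TEMPLATE,
    "4 random words": [WORDLIST_SIZE] * 4,
    "6 random words": [WORDLIST_SIZE] * 6,
    "10 random printable chars": [len(PRINTABLE)] * 10,
}

if __name__ == "__main__":
    for name, pools in SCHEMES.items():
        print(f"{name:32s} {scheme_bits(pools):5.1f} bits")
    target = scheme_bits([len(PRINTABLE)] * 10)
    print("words to match 10 random chars:", words_needed(target))
    print("sample random password:", random_password(16))
```

Because the figures depend only on pool sizes, publishing the scheme costs nothing; any strength beyond these numbers would have to come from the attacker not guessing the construction.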