by ZoFreX 4813 days ago
Have you ever used SwiftKey or Swype on Android? Vaguely the same principles apply here. It actually wouldn't be hard to generate passphrases where you try the most "predictable" phrases first. E.g. if you start your brute-forcing at "my cat" you would try "my cat likes" a long time before you tried "my cat algorithmically".

Also, 100,000 common words is a bit more than you would need. If people are plucking words from their heads, rather than rolling dice and picking from a list, you can assume a more limited corpus and still crack a lot of passwords.


Nobody starts brute forcing at "mycat." Even if they somehow knew that's how it started, that barely helps them. They don't know how many other words there are, or what the next one is. Simply because it is more likely to be "my cat likes" does not mean it is now feasible to crack. Without social engineering, that password is not crackable for all practical purposes and is far from a terrible password.

No, but we're talking about brute forcing billions of attempts per second, and we're not up against randomness, we're up against "the best pseudorandomness the human brain can muster", so the odds aren't 1 / <number of possibilities>. A password is severely weakened if it isn't sufficiently random.

What Wordpress site can accept billions of login attempts per second?
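An added example, not part of the thread, of how a defender can put numbers on the "odds aren't 1 / number of possibilities" point made above: a passphrase strength estimator that scores each word by how predictable it is given the previous word, and compares that with the entropy of the same number of words rolled from a dice-style wordlist. The toy corpus, the 100,000-word vocabulary used for smoothing, the smoothing constant and the 7776-word list size are all assumptions chosen for illustration; a real estimator would train on a large n-gram corpus of phrases people actually choose.

```python
import math
from collections import Counter

# Constructed toy corpus of "human-style" phrases (an assumption for this example;
# a real estimator would train on a large n-gram corpus of phrases people actually pick).
CORPUS = [
    "my cat likes fish",
    "my cat sleeps all day",
    "my dog likes walks",
    "the cat likes milk",
    "i love my cat",
]

# Assumed vocabulary size used for smoothing: the "100,000 common words" figure from the thread.
VOCAB_SIZE = 100_000
START = "<s>"  # pseudo-token marking the start of a phrase


def train_bigrams(corpus):
    """Count bigrams (including a start token) and the prefix counts needed to normalise them."""
    bigrams = Counter()
    prefixes = Counter()
    for phrase in corpus:
        words = [START] + phrase.lower().split()
        for w1, w2 in zip(words, words[1:]):
            bigrams[(w1, w2)] += 1
            prefixes[w1] += 1
    return bigrams, prefixes


def phrase_bits(phrase, bigrams, prefixes, vocab_size=VOCAB_SIZE, alpha=0.01):
    """Guess-cost of a phrase in bits under an additively smoothed bigram model.

    Each word costs -log2 P(word | previous word): a common continuation is cheap,
    an unseen one costs roughly log2(vocab_size / alpha) bits.
    """
    words = [START] + phrase.lower().split()
    bits = 0.0
    for w1, w2 in zip(words, words[1:]):
        p = (bigrams[(w1, w2)] + alpha) / (prefixes[w1] + alpha * vocab_size)
        bits += -math.log2(p)
    return bits


def uniform_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly (e.g. by dice) from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate of the given guess-cost at a fixed guess rate."""
    return 2 ** bits / guesses_per_second


def compare(phrase, wordlist_size=7776):
    """Return (model_bits, uniform_bits): the phrase's cost under the bigram model
    versus the entropy of the same number of words picked uniformly from the list."""
    bigrams, prefixes = train_bigrams(CORPUS)
    n = len(phrase.split())
    return phrase_bits(phrase, bigrams, prefixes), uniform_bits(n, wordlist_size)


if __name__ == "__main__":
    for p in ("my cat likes", "my cat algorithmically"):
        m, u = compare(p)
        print(f"{p!r}: model {m:.1f} bits vs uniform {u:.1f} bits; "
              f"{seconds_to_exhaust(m, 1e9):.2g}s vs {seconds_to_exhaust(u, 1e9):.2g}s "
              f"at 1e9 guesses/s")
```

Under this tiny model "my cat likes" scores around 26 bits and "my cat algorithmically" around 33, against roughly 39 bits for three dice-picked words; the ordering is what matters, and it is why a predictability-aware estimator, not the raw count of possible word combinations, should drive a passphrase policy. The seconds_to_exhaust figures assume an offline attack against a stolen hash; an online login endpoint that rate-limits is a different threat model, as the last reply in the thread points out.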