by dbbolton 4457 days ago
I think you're missing the point. I'm not arguing that passwords like "H$&v46S13^a" are actually better in practice than passwords like "TheCowSaysMoo". I'm providing one specific case where they are superior in terms of difficulty, i.e. the unlikely event of a directed dictionary attack, and a rough comparison of the level of security in that case as compared to a brute force attempt.

As far as "true randomness" goes, it's irrelevant here since we are only counting permutations, meaning "Hello,2048" is just as difficult as "^6H9Ox#g`!" (i.e. their length and superset are both equivalent).

1 comment

I think we're mostly on the same page, but still talking past each other. In my opinion, the only _reasonable_ way to compare the two password styles is in a practical way, taking into consideration human memory limitations. In that sense, the equivalent to an 11-character "random character" password is NOT an 11-character sentence. It would be more like a 5- or 6-word sentence, due to the way your brain works. When you compare these, the passphrases do win out, even for directed dictionary attacks.

Essentially, what I'm saying is that your brain seems to have better memory (or compression?) for sentences than for random character jumbles, allowing you to use longer / stronger ones, even when you consider dictionary attacks. Again, the original XKCD article is fairly objective and accurate; what's shown there IS a dictionary attack.
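The numbers both commenters are arguing over can be worked out directly. The following is an added example, not code from either commenter or from the XKCD comic; it counts search-space size in bits for (a) a password of N symbols drawn uniformly from an alphabet and (b) a passphrase of N words drawn uniformly from a word list, and then answers the reply's question of how many words match an 11-character random password. It assumes 95 printable ASCII characters, the 2048-word (11 bits/word) list implied by XKCD 936, the 7776-word Diceware list as a second reference point, and a mixed-case 52-letter alphabet for a brute-force attacker who does not know the passphrase is built from words; all of these are assumptions for illustration. The last function models an attacker who guesses that a string like "Hello,2048" follows a word + punctuation + digits pattern, which is the directed-attack case where the generation process, not just length and character set, determines the cost.

```python
import math

# Assumed parameters (not from the thread).
PRINTABLE_ASCII = 95       # space through '~'
XKCD_WORDLIST = 2048       # XKCD 936 counts 11 bits per word => 2^11 words
DICEWARE_WORDLIST = 7776   # 6^5, the standard Diceware list size
MIXED_CASE_LETTERS = 52    # what a brute-force attacker sees in "TheCowSaysMoo"


def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidates when each of `length` symbols is
    drawn independently and uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def random_chars_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits for a random character password, e.g. the 11-char example."""
    return search_space_bits(alphabet_size, length)


def passphrase_bits(words: int, wordlist_size: int = XKCD_WORDLIST) -> float:
    """Bits for a passphrase of `words` uniformly chosen list words, assuming
    the attacker knows the list (the directed dictionary attack)."""
    return search_space_bits(wordlist_size, words)


def words_needed(target_bits: float, wordlist_size: int = XKCD_WORDLIST) -> int:
    """Smallest number of list words whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare_passphrase(words: list[str],
                       wordlist_size: int = XKCD_WORDLIST,
                       alphabet_size: int = MIXED_CASE_LETTERS) -> dict:
    """Same passphrase seen by two attackers: one that knows the word list
    (dictionary) and one that only sees a string of letters (brute force)."""
    phrase = "".join(words)
    return {
        "dictionary_bits": search_space_bits(wordlist_size, len(words)),
        "brute_force_bits": search_space_bits(alphabet_size, len(phrase)),
    }


def pattern_bits(wordlist_size: int = XKCD_WORDLIST,
                 punctuation_choices: int = 32,
                 digits: int = 4) -> float:
    """Search space for an attacker who guesses the structure
    <list word><one punctuation char><digits>, as in "Hello,2048".
    Assumed pattern; the attacker's mask is the whole point of a directed attack."""
    return (math.log2(wordlist_size)
            + math.log2(punctuation_choices)
            + search_space_bits(10, digits))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive attacker, who succeeds on average
    after enumerating half the space."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate (guesses/second)
    eleven = random_chars_bits(11)
    print(f"11 random printable chars : {eleven:5.1f} bits, "
          f"{years_to_crack(eleven, rate):.2e} years at {rate:.0e}/s")
    for n in (4, 5, 6, 7):
        b = passphrase_bits(n)
        print(f"{n} words from 2048-word list: {b:5.1f} bits, "
              f"{years_to_crack(b, rate):.2e} years")
    print("words to match 11 random chars (2048 list):",
          words_needed(eleven, XKCD_WORDLIST))
    print("words to match 11 random chars (7776 list):",
          words_needed(eleven, DICEWARE_WORDLIST))
    print("TheCowSaysMoo:", compare_passphrase(["The", "Cow", "Says", "Moo"]))
    print(f"word+punct+4 digits pattern: {pattern_bits():.1f} bits")
```

Reading the output: an 11-character random password is about 72 bits, which needs 7 words from a 2048-word list or 6 from a 7776-word list, in line with the reply's "5 or 6 words" estimate for the larger list. For "TheCowSaysMoo" the dictionary attacker faces 44 bits while the letter-by-letter brute forcer faces about 74, which is the gap dbbolton's comment is describing. The pattern function shows why the generation process matters in practice: a word + punctuation + four digits mask is under 30 bits even though the string is ten printable characters long.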