Choosing Secure Passwords
This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like ‘correcthorsebatterystaple’ -- is no longer good advice. The password crackers are on to this trick.
[…]
Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62% -- in a few hours. It’s the same sort of thing we saw in 2012, 2007, and earlier. If there’s any new news, it’s that this kind of thing is getting easier faster than people think.