
> Sadly the "long passphrase" advice is also out of date. It relies on the naive idea that all password cracking is done brute-force, one character at a time.

I thought the point was that increasing the length typically does more for you in terms of entropy than increasing the size of the alphabet.

> The tl;dr is that any strategy short of full randomness is wrong.

I don't know. You might want to have a password with some regularity to make it easier to remember (at the expense of being longer for a given entropy).




Adversaries will simply use common pass-phrase words as though they were part of a larger alphabet. Depending on the distribution/definition of "common", 2-4 word passphrases are then much worse than an 8 character password, for exactly the reason you state.


I'm not sure what point this is meant to counter.


Asking because I really don't know: How do they know that a given hash is multi-word passphrase versus average joe's single "word" character jumble?

If they flip to using words as part of their alphabet and I'm using 4 unique words, they still have a large search space because the English language has so many more words than the alphabet has letters.

So do they just do both? Seems like a huge expansion in computational work.


They might not know and might have to guess, or do both. This makes it harder for them, but it's hard to quantify how much harder, so it's reasonable to assume the worst case, i.e. that they do know the procedure with which you generated the password.
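Worked numbers for the exchange above, as an added example that is not part of the thread: it computes the entropy of a uniformly random passphrase when the attacker treats whole words as the alphabet (the point made about common-word lists), compares it with an 8-character printable-ASCII password, and shows how little an attacker loses by searching both a word-based and a character-based space when the generation procedure is unknown. The dictionary sizes (7776 for a diceware-style list, 2000 for an assumed "common words" list) and the average word length are assumptions, not figures from the thread.

```python
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string of `length` symbols chosen uniformly at
    random from `alphabet_size` symbols: log2(alphabet_size ** length).
    A "symbol" may be a character or, from the attacker's point of view,
    a whole dictionary word."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def combined_search_bits(*spaces_bits: float) -> float:
    """Bits of work for an attacker who does not know which procedure
    generated the password and therefore enumerates every candidate space.
    The spaces add rather than multiply, so hedging between k strategies
    costs the attacker at most log2(k) extra bits; in practice the largest
    space dominates and the rest add almost nothing."""
    return math.log2(sum(2.0 ** b for b in spaces_bits))


# Assumed parameters (not from the thread).
PRINTABLE_ASCII = 95    # printable ASCII characters
DICEWARE_WORDS = 7776   # 6**5, a diceware-sized list
COMMON_WORDS = 2000     # an assumed short list of "common" words
AVG_WORD_LEN = 6        # assumed average letters per word


def comparison() -> dict:
    """Entropy of several password shapes, each as the attacker who knows
    the generation procedure would see it."""
    return {
        "8 chars, 95 printable": entropy_bits(PRINTABLE_ASCII, 8),
        "4 words, diceware (7776)": entropy_bits(DICEWARE_WORDS, 4),
        "4 words, common (2000)": entropy_bits(COMMON_WORDS, 4),
        "2 words, common (2000)": entropy_bits(COMMON_WORDS, 2),
        # The naive letter-by-letter view the first quoted comment warns
        # against: the same 4 common words look like 24 random letters.
        "4 common words seen as 24 letters": entropy_bits(26, 4 * AVG_WORD_LEN),
    }


def hedging_cost_bits(word_space_bits: float, char_space_bits: float) -> float:
    """Extra bits an attacker pays for searching both the word-based and the
    character-based space instead of only the larger one."""
    return combined_search_bits(word_space_bits, char_space_bits) - max(
        word_space_bits, char_space_bits
    )


if __name__ == "__main__":
    for label, bits in comparison().items():
        print(f"{label:38s} {bits:6.1f} bits")
    cost = hedging_cost_bits(
        entropy_bits(COMMON_WORDS, 4), entropy_bits(PRINTABLE_ASCII, 8)
    )
    print(f"cost of searching both spaces: {cost:.3f} extra bits")
```

Against an attacker who knows the word list, 4 words from a 2000-word list are worth about 44 bits versus about 53 bits for 8 random printable characters, while the same passphrase read letter by letter would look like roughly 113 bits; that gap is exactly the distance between the naive model and the word-as-symbol model. Searching both spaces adds well under one bit of work, which is why assuming the attacker knows the procedure is the sensible worst case.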



