• There are three comics that tell you all you need to know:

    One) Are all methods computers have to determine randomness correct?

    Two) What does random even mean, as a lot of algorithms to get random numbers are badly implemented?

    Three) What is entropy, or "Why are longer simpler passwords harder to crack than shorter more complex passwords"?

  • Because cartoons are the best source of security advice...

    Bruce Schneier, on the other hand:

    This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.

    use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.

  • Yes, but my point remains that the VAST majority of people do not use a password manager.

    For THOSE people who do use a single password everywhere, it is far better that it be longer than shorter, more complex than simple... but length is of higher importance than complexity... so if you're going to only do one thing, make your password long.

  • Bruce Schneier, on the other hand:

    This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.

    It's not a trick that depends on the password crackers not being "onto it", it's an algorithm that might output any one of 2^44 possible strings, all of which are reasonably easy for a person to memorise. See the comments on Bruce's article for details.
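Added worked example (my own code, not from any commenter or from Bruce's article): it puts numbers on the two claims made above, that length matters more than character-set complexity, and that a uniformly chosen 4-word passphrase has 2^44 possibilities whether or not the cracker knows the scheme. The guess rates and the 2048-entry stand-in word list are assumptions for illustration, not measurements; the entropy depends only on the list size and on picking words uniformly with a CSPRNG, not on the words themselves.

```python
import math
import secrets
import string

# Guess rates are assumptions for illustration, not measurements.
ONLINE_GUESSES_PER_SEC = 1_000            # throttled web login, the rate the comic assumes
OFFLINE_GUESSES_PER_SEC = 10_000_000_000  # GPU cracking a fast, unsalted hash


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of a secret built from `picks` independent, uniformly random
    selections out of `choices` options. This number already assumes the
    attacker knows the scheme (the word list, the character set); knowing
    it cannot shrink the search further."""
    if choices < 2 or picks < 1:
        raise ValueError("need at least two choices and one pick")
    return picks * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Expected time to find a uniformly chosen secret: on average the
    attacker has to search half the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def compare_schemes() -> dict:
    """Entropy in bits for several construction schemes. The short 'complex'
    ones draw from 95 printable ASCII characters; the long 'simple' ones
    draw from a far smaller alphabet but still come out ahead."""
    return {
        "8 printable ASCII chars": entropy_bits(95, 8),
        "12 printable ASCII chars": entropy_bits(95, 12),
        "16 lowercase letters": entropy_bits(26, 16),
        "4 words from a 2048-word list (XKCD)": entropy_bits(2048, 4),
        "6 words from a 7776-word list (Diceware)": entropy_bits(7776, 6),
        "20 random alphanumerics (password manager)": entropy_bits(62, 20),
    }


def passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick words with secrets.choice (OS CSPRNG). random.choice would be
    predictable and would make the 2^44 figure meaningless."""
    if len(wordlist) != len(set(wordlist)):
        raise ValueError("word list has duplicates; entropy would be overstated")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """The Schneier-style alternative: unmemorable, CSPRNG-chosen characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in word list of 2048 distinct tokens (11 bits per word).
# A real deployment loads a curated list such as the EFF long list from disk.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(2048)]


if __name__ == "__main__":
    for name, bits in sorted(compare_schemes().items(), key=lambda kv: kv[1]):
        online = expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / (365.25 * 86400)
        offline = expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC) / 3600
        print(f"{name:44s} {bits:6.1f} bits  online ~{online:.3g} years  offline ~{offline:.3g} hours")
    print("passphrase:", passphrase(DEMO_WORDLIST, 4))
    print("random    :", random_password(20))
```

Running it shows both sides of the argument at once: 44 bits is centuries of work against a rate-limited login but only a few hours against an offline attack on a fast hash, and sixteen random lowercase letters (about 75 bits) beat eight characters drawn from the full printable set (about 53 bits).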
