Microsoft Points & Live


    #46
    If you use ONE word yes.



      #47
      Ahhh. I thought they could just string words together during attacks. I had no idea adding words did that. So having a string means they'd have to brute force it like they would with a password made up of symbols, etc?

      I imagine any decent dictionary will have added correcthorsebatterystaple to its list by now



        #48
        You can still write a system that tests multiple words in the same passphrase, but you go from X million options (dictionary) to X times X, and that's just two words. And so on.

        Brute forcing letter by letter, these two passwords are basically equivalent:

        AppleBicycleStrudel
        gdyYkoruaBwekcgheiO

        But attempting to do the former, even if you know it's three words from English, with a dictionary attack will take far longer.

        So given the two are as hard as each other using brute force, why not use the easier to remember one? Add a number somewhere, stick a bit of punctuation on the ends, and that's about as strong as you can get without using a password safe and really long random strings.

        (that is a simplification I admit, you can do a directed brute force if you suspect the words might be English by applying frequency count analysis to predict what letter is next)
        Last edited by Flabio; 21-10-2011, 09:54.



          #49
          But here's what I'm wondering (I don't know the ins and outs, this is just what my brain is thinking):

          Taking applebicyclestrudel as the example, and assuming 170000 words in the English dictionary:

          Being three words, that phrase should take... 170000^3 guesses? So 2.89x10^10 guesses

          Brute forcing (a-z) applebicyclestrudel I think would take 26^19 guesses, so 7.66x10^26 guesses

          As you've pointed out, even just adding the possibility of one or more capitals (a-z and A-Z) would then take 52^19 guesses, so 4x10^32 guesses

          Seeing as the hackers have to decide which route to take beforehand (and that's even assuming what I've put up there is actually correct - trying to remember my probability stuff from uni!), even just capitalising dictionary words turns a straightforward password into a beastly one.

          Mind you, I see all these websites with groovy meters telling you how strong your password is. Maybe they should have another meter telling you how likely you are to remember it

          p.s. I'm not arguing, I'm just curious and also a bit bored at work but not bored enough to go Googling.



            #50
            One of those groovy password meter sites reckons correcthorsebumstapler, or whatever it was, isn't that secure. Hmm.



              #51
              Because as Randall points out, not many people who actually write those things have studied information theory and are just doing something like 'count how many capital letters and punctuation marks it has'.

              Comment
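The comparison made in posts #48 to #51, as an added example that is not part of the original thread: a strength estimate that scores a password under both a letter-by-letter brute-force model and a word-level dictionary model and reports the weaker of the two. The toy word list, the 170000-word dictionary size (the figure used in post #49), the 33-symbol punctuation count and the one-bit-per-word capitalisation rule are assumptions.

```python
import math

# Constructed toy word list; a real estimator would load a full dictionary.
WORDS = {"apple", "bicycle", "strudel", "correct", "horse", "battery", "staple"}
DICT_SIZE = 170_000   # dictionary size assumed in post #49
SYMBOLS = 33          # assumed count of printable ASCII punctuation, space included

def segment(password, words=WORDS):
    """Fewest dictionary words that exactly tile the password, or None."""
    s = password.lower()
    best = [None] * (len(s) + 1)      # best[i]: shortest word list covering s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]

def brute_force_bits(password):
    """Letter-by-letter search over the character classes actually present."""
    size = (26 * any(c.islower() for c in password)
            + 26 * any(c.isupper() for c in password)
            + 10 * any(c.isdigit() for c in password)
            + SYMBOLS * any(not c.isalnum() for c in password))
    return len(password) * math.log2(size) if size else 0.0

def dictionary_bits(password):
    """Word-level search; None when the password is not a run of known words."""
    words = segment(password)
    if not words:
        return None
    pos, mixed = 0, False
    for w in words:
        piece = password[pos:pos + len(w)]
        pos += len(w)
        if piece == w.capitalize():
            mixed = True
        elif piece != w:
            return None               # capitalisation outside this simple model
    # Assumed rule: one extra bit per word once any word is Capitalised.
    return len(words) * (math.log2(DICT_SIZE) + mixed)

def estimate_bits(password):
    """Strength is set by the cheapest attack model that covers the password."""
    d = dictionary_bits(password)
    b = brute_force_bits(password)
    return b if d is None else min(b, d)
```

A meter that only counts character classes reports the `brute_force_bits` figure; taking the minimum across attack models is what separates AppleBicycleStrudel from gdyYkoruaBwekcgheiO even though both are 19 letters.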


                #52
                I just use LastPass to generate something like Zp4HS14J and then get it to remember for me. If anyone ever cracks my LastPass password though I'd be in trouble.



                  #53
                  Or you can think of a long easy to remember few sentences and take the first letter of each word, capitalising the start of the sentences and adding some numbers in for something. e.g. IwttzitSasaZwttbm5t - I went to the zoo in the Summer and saw a Zebra which tried to bite me 5 times.



                    #54
                    There are posters up on the tube at the moment saying exactly that, Charles (although they use Shakespeare quotes).



                      #55
                      Tbontb will suddenly become the most popular password in London.



                        #56
                        Just a heads up: Xbox Live 2100 Points Card gone up from £15 to £19 now on play.com. Wonder how much they've gone up in the shops.



                          #57
                          I read that strings of words or a sentence itself is just as secure as random letters and numbers, since the cracker cannot distinguish the beginning of one word from the end of another. Just a shame websites and intranets don't recognise this, as remembering which of the dozen random selections applies to which connection is a fupping nightmare.

                          I hate Student Finance in particular because on that site you can only use a password once and I inevitably end up forgetting which permutation works and have to reset it every single time.



                            #58
                            Argos has them for £18.49, might pick up one today just in case (inevitable?) they go up to £22 or something.
