So the XKCD comic was right when it said you should use a long compound word like "horsebatterystapler" for a password?
No. It does not seem to me that three words would be sufficient. However, uncommon phrases are rather good, and even better when combined with special characters.
E.g.
$%Antonio the KiA2 (user is a giant faggot)
This is close to uncrackable using traditional methods. First of all, KiA2 is not going to be present in any passwords that are now known. Secondly, if by some chance all these characters are present in some dictionary used by the cracker, then the random special characters will make it exponentially more difficult anyway.
Of course it was. Adding a special character only increases complexity slightly by adding a few extra permutations to check for each character. Adding extra characters increases complexity by orders of magnitude.
Create a password that's twenty characters long but easy to type and remember and it will never get brute forced. The way passwords actually get popped isn't by brute force attempts to authenticate with every permutation anyway. Far more likely that you get popped by a keylogger or something that pulls the password hash from memory, or an authentication token getting intercepted. No one's getting into your account by guessing your password, that's old tech. Making passwords include a bunch of special characters is nothing more than security theater for the masses.
I'malumberjackandi'mokay,IsleepatnightandIworkallday.
^ Impenetrable.
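Added example, not part of the thread: the keyspace arithmetic behind the alphabet-versus-length argument above, comparing a wider character set at fixed length with extra characters from the same set. It assumes characters or words are picked uniformly at random, so the figures are upper bounds for human-chosen phrases; the function names and the 7776-word list size (the Diceware list) are choices made for this example.

```python
import math
import string

# Character classes used to size the exhaustive-search alphabet.
# Assumed model: the search covers every class that appears in the password.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]


def alphabet_size(password):
    """Sum the sizes of the character classes the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_bits(password):
    """log2 of the exhaustive-search keyspace: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(words, wordlist_size=7776):
    """log2 of the keyspace when whole words are drawn at random from a list."""
    return words * math.log2(wordlist_size)


def compare(base_len=12, extra_chars=8):
    """Bits gained by widening the alphabet vs. by adding length."""
    base = base_len * math.log2(62)                    # letters + digits
    wider = base_len * math.log2(95)                   # all printable ASCII
    longer = (base_len + extra_chars) * math.log2(62)  # same alphabet, longer
    return {"base": base,
            "wider_alphabet": wider - base,
            "longer": longer - base}


if __name__ == "__main__":
    pw = "horsebatterystapler"  # the three-word example quoted in the thread
    print(f"{pw!r} as random lowercase letters: {brute_force_bits(pw):.1f} bits")
    print(f"same phrase as 3 random list words:  {passphrase_bits(3):.1f} bits")
    for name, bits in compare().items():
        print(f"{name:15s} {bits:6.1f} bits")
```

The gap between the first two figures is why a word-based guessing model matters: the per-character number only holds if every character is independent and random.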