Slashdot Mirror


Multiword Passwords Secure Or Not?

Gaygirlie writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and of the general consensus; of course any password whatsoever is going to be insecure against an offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"

2 of 372 comments

  1. Re:Obligatory xkcd by micheas · Score: 5, Interesting

    Pulling one example: I was asked to see if I could recover the password on a PDF to allow editing. IIRC, the cipher was 256-bit AES. When trying to find the password to edit a PDF, my really ancient dual-core Athlon64 took under 2 minutes to try every unique word in the OED.

    The password of the PDF (which was sanfrancisco2) took me about 15 minutes to find using standard password dictionaries. Theoretically, a 13-character password with a number in it should take an insanely long time to crack; in reality it was well under an hour.
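    The submission and micheas's comment above both turn on the same point: a password that is a dictionary word plus a digit is guessed at the cost of one word and one digit, not at the cost of thirteen independent characters. The following structure-aware estimator is an example added by the editor, not code from the original page or any commenter. It assumes a small constructed wordlist, a hypothetical attacker dictionary of 170,000 entries, an a-z plus 0-9 charset for the naive estimate, and assumed guess rates for the timing figures; it reports the gap between the naive and structure-aware sizes rather than judging whether either size is adequate.

```python
import math
import re

# Constructed toy wordlist for the demo; a real audit would load a full dictionary.
WORDLIST = {
    "san", "francisco", "sanfrancisco", "password", "letmein",
    "correct", "horse", "battery", "staple", "summer", "winter",
}
# Assumed size of the dictionary an attacker would actually use (hypothetical
# figure in the range of a large English wordlist). It sets the cost per word.
ATTACKER_DICT_SIZE = 170_000
LOWER_DIGIT_CHARSET = 36  # a-z plus 0-9: the charset a naive length-based estimate assumes


def segment_words(letters):
    """Split a lowercase letter string into the fewest WORDLIST words, or None.

    Fewest words is the attacker-optimal view: each extra word multiplies the
    search space, so the cheapest segmentation is what a dictionary attack pays.
    """
    n = len(letters)
    best = [None] * (n + 1)  # best[i]: fewest-word split of letters[:i]
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is None or letters[start:end] not in WORDLIST:
                continue
            candidate = best[start] + [letters[start:end]]
            if best[end] is None or len(candidate) < len(best[end]):
                best[end] = candidate
    return best[n]


def estimate(password):
    """Return naive vs structure-aware guess-space estimates in bits.

    naive_bits:     log2(36^len), what "a 13-character password with a number"
                    looks like if every character were chosen independently.
    effective_bits: log2(dict^words * 10^digits) when the candidate is
                    dictionary words followed by digits; equals naive_bits otherwise.
    """
    pw = password.lower()  # assumption: case variants are a cheap mangling rule
    naive_bits = len(pw) * math.log2(LOWER_DIGIT_CHARSET)
    m = re.fullmatch(r"([a-z]+)(\d*)", pw)
    words = segment_words(m.group(1)) if m else None
    if words is None:
        return {"naive_bits": naive_bits, "effective_bits": naive_bits, "words": None}
    effective_bits = (len(words) * math.log2(ATTACKER_DICT_SIZE)
                      + len(m.group(2)) * math.log2(10))
    return {"naive_bits": naive_bits, "effective_bits": effective_bits, "words": words}


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole estimated space at a given guess rate."""
    return 2 ** bits / guesses_per_second


def weaker_than_it_looks(password, margin_bits=20.0):
    """Policy check: flag candidates whose effective space is far below the naive one."""
    r = estimate(password)
    return r["naive_bits"] - r["effective_bits"] >= margin_bits


if __name__ == "__main__":
    for pw in ("sanfrancisco2", "correcthorsebatterystaple", "x7q2kd9p"):
        r = estimate(pw)
        print(f"{pw:28s} naive={r['naive_bits']:6.1f} bits  "
              f"effective={r['effective_bits']:6.1f} bits  words={r['words']}")
        # Assumed rates: 1e4/s for an offline attack against a slow KDF,
        # 10/s for a throttled online login form.
        for label, rate in (("offline@1e4/s", 1e4), ("online@10/s", 10)):
            secs = seconds_to_exhaust(r["effective_bits"], rate)
            print(f"    {label}: {secs:.0f} s worst case")
```

    Run stand-alone it prints the two estimates side by side: sanfrancisco2 looks like about 67 bits by length but is about 21 bits once the attacker's dictionary contains "sanfrancisco", while the four-word passphrase keeps roughly 70 bits under the same assumption and the short random string is not segmentable at all. The online-versus-offline timing lines make the submitter's question concrete: the same 21-bit space is minutes at an offline rate and days at a throttled online one.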

  2. my strange variation by way2trivial · Score: 4, Interesting

    For myself, I have three phrase+number complex passwords which I use: one for financial sites (online banking, Amazon, anywhere I shop and my plastic is stored), one for places I expect to use regularly (such as Slashdot), and one for trash sites where I gotta register for whatever it is I want but don't likely expect to be back to. The variant thing is, I have my own domain with a catchall address (similar to Gmail's + system), and for all domains I use the domain name plus my @domain.com.

    Assuming the method shown in the cartoon was automated checking of the password + email combo, it'll fail, because I wouldn't use the same email address at ANY website.

    --
    every day http://en.wikipedia.org/wiki/Special:Random