Recently I read a blog that claims using long phrase-like passwords such as "this is fun" is much more secure than using cryptic but short passwords like "J4fS!2". And on the surface, it seems true. The tried and true method for cracking passwords is the brute-force method of trying every single possible combination of passwords. So it seems to make sense that a long 11 character password such as "this is fun" would naturally require a longer time to crack than a short 6 character password of "J4fS!2".

This is so not true.

The blogger makes an faulty assumption that brute-force crackers treat passwords as if it were a number combination lock. A number combination lock can be unlocked by trying every single possible number combination starting from 1, 2, 3, 4, .... 995, 996, 997, 998, 999 and so on.

In reality, a smart password cracking program would first try the most commonly used passwords first before resorting to every possible sequence of characters. And as a computational linguist, I know there are lots of open and publicly accessible databases/corpora for most commonly used phrases in all languages. These corpora are usually used for language-based applications such as speech recognition, text summarization and question answering, but an evil person can also use the same database to crack commonly used password phrases.