A fully random 8 character password has about 10^14 brute force combinations (assuming upper and lower case + the normal special characters). 4 words choosen at random from the top 3000 words (which is a very small vocabulary really) is 10^13 dictionary attack combinations, add a single number or account for variations in word style (I.e maybe don't always use camel case) and you've matched the difficulty. If you use 5 words it's 10^17 combinations.

A password manager and a hard password is a better idea but there are cases where you can't use a password manager (like the password to said manager).

[–] Gradually_Adjusting@lemmy.ca 4 points 6 months ago (1 children)

I'm a basic little shit so, I basically use a correct horse + number password for my PW manager

[–] BudgetBandit@sh.itjust.works 7 points 6 months ago (1 children)

I use a whole sentence with a typo lol

Something like "On March the 3rd of 2012 my dog Billy ate 8€ worrth of schmeggles!“

[–] a_wild_mimic_appears@lemmy.dbzer0.com 6 points 6 months ago* (last edited 6 months ago)

Used beginning letters of the words in song verse sprinkled with special characters for the rythm, feels good while typing

[–] sloppy_diffuser@sh.itjust.works 1 points 6 months ago

I do a passphrase like the comic followed by 56 characters of gibberish using an https://onlykey.io/ (acts as a USB keyboard) that has a 10 digit pin (6 characters to choose from) and a kill switch pin (if I were ever forced to unlock it). I use this method for my disk encryption, main account login, and password manager.

I also use a https://www.themooltipass.com/ for vendor diversity (4 digit pin but all hex characters). I prefer the onlykey.

I rotate the gibberish monthly and the passphrase 2-3 times a year.

Once a year I change up the pin codes.

I figure that gives me enough entropy from brute force on all my systems with a balanced level of convienence and security. I literally don't know a single one of my passwords.