Of course it applies to any software, but some programs are more vulnerable than others. For example, when you want to have cryptography in your program, you use an established library, not write the algorithms yourself, because those libraries were written with security in mind (i.e. have protections against different kinds of attacks, for example, side channel attacks, in addition to being implemented properly). The whole point is to minimize the surface of attack, so that your system is more secure. And one way of doing so is to not give root permissions to programs that don't need it (such as text editors like nano).

Again, like I replied to the other comment, most of the programs you need root for are designed with security in mind and are inherently more secure and have less vulnerabilities than a non security focused program (that is not to say that it is impossible for a security program to have vulnerabilities -it certainly occurred before and keeps occurring- they just have a lot fewer). But even if you need root permissions for a non security focused program, you still shouldn't let any program have it, the whole point is to minimize the surface of attack.

What do you mean get root itself with a modified su? A program that has been run as a user cannot just get root permissions, that's called a privilege escalation attack and is a serious vulnerability in the kernel which gets fixed quickly when found.

Sure, but sudo is specifically designed with security in mind as a security program, whereas text editors are not (although I am more likely to trust vim than vscode). Running a malicious program as the user and not as root can help mitigate the impact it could do, even though it will still be able to do a lot as a user.

Congratulations, you've just invented digital images.

It's probably to protect against any potential security vulnerabilities in the text editor program itself, not to protect you from yourself.

Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.

True, there are a lot of english words, but the amount of common words is relatively small. Most people aren't going to choose a password like "MachicolationRemonstranceCircumambulationSchadenfreude", even if it were generated for them (which is unlikely).

Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).

There are also a lot of symbols when you count emojies and the entire Unicode standard.

Like someone else said on this thread; that's just security by obscurity, which is bad. Dictionary attacks will be one of the first (brute force related) attacks attackers will use because word passwords are incredibly popular (though admittedly of fewer words: VeryBigDog34 etc..), and relatively easy to do. I agree that having the password across different devices is somewhat of a challenge with a password manager, but not impossible. My very long and complex password is all down to muscle memory by this point, I couldn't tell you what it is from memory.

Also you shouldn't use the same password on multiple things and if you don't use a password manager you will need to memorize a lot of different passwords.

You can't compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).

The final threshold.