"qqqq ... qqq" is a strong password according to Microsoft (microsoft.com)
5 points by jchernan on Feb 11, 2012 | hide | past | favorite | 16 comments


Does anyone else find it super annoying when sites tell you what to use as your password? "You have to use a capital letter, at least 3 numbers, a symbol, it has to be 12 characters long, and it can't be one that you've used before." This type of attitude leads to people writing down their passwords on paper and then getting hacked when someone finds it. As this password shows, not all passwords need to have all those things in order to be secure.


It's not going to be in a rainbow table, nor will most attacks try anything of significant length. It may be easy to shoulder surf the password, but a typical attack probably won't succeed. That is unless the attacker has some way of guessing the length, but a hash will take care of that.


Passwords have to satisfy multiple security issues. Brute force by code is just one. Shoulder-surfing is another. A password like that is going to be incredibly weak as an observer might easily be able to detect it. Same thing goes with longer phrases if they're based on something well known or easily guessed.


12 characters long ... you'll be waiting a while to brute force that one, I'd have thought...


Pure brute force is a bad metric, every 12 character password is equally good or bad by that standard. The problem is in how accessible the password is to faster, less random searches. I would think that anyone writing a cracker program would check for single or double character repetitions pretty early in their search.


> Pure brute force is a bad metric, every 12 character password is equally good or bad by that standard.

This is not entirely correct. If you had 12 q's in a row (or any 12 lower case letters) there would be 12^26 permutations that the computer would have to check in order to guess it. Adding a capital Q would increase the number of permutations to 12^52. For each additional character set you throw in the mix, you would add the total number of those characters to the exponent part. Adding numbers would make it 12^62, etc. Not all 12 character passwords are created equal and some (like 12 numbers in a row) can quite possibly be brute forced.


Are brute force attacks always sequential?


I am not entirely familiar with modern day algorithms behind brute force attacks, but the math I described above is the theory behind them. I would imagine that it would have to be in some kind of ordered sequence so that you didn't miss any possibility and that your brute force time would average out (assuming an infinite number of tries over a random selection of passwords). It is, however, reasonable to assume that once the attack got part way through a word, it would then try the most common words etc. But assuming a random compilation of characters, sequential would be the most efficient over a large number of tries.

Note: the above does not apply to brute force attacks that try the most common passwords and other techniques that include a human element. It's just the math behind the algorithm.


Brute force is the only metric, unless you are able to guarantee some constraint on the password. I can check for common words first, and even for a single letter repeated, but ... why would I search for three different random characters early on in the brute-force, in preference to any other?


FWIW, @e31z.P8 is considered 'weak', which most people would consider a pretty hard password.


The thing about password entropy is that it doesn't matter how many special characters you have in your password, only that they are present, because then the computer has more combinations to search through. For example, Foxtr0t! is just as secure as @e31z.P8, but much easier to remember. Helpful hint: long pass phrases are far more secure than random strings of letters and symbols, but easier to remember. thequickbrownfox would take around 5 million years to crack, compared to your example taking 87 years, which probably doesn't matter, but still a fun thought experiment.


I think you misunderstand the relationship between password complexity, size of character set, and length. Consider:

Permutations = Charset size ^ Length

A 12 character password composed of just lowercase a-z is two orders of magnitude harder to crack than an 8 character one with lots of special characters in.
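Added example (not from the thread): the charset^length formula from the comment above, next to the pattern-aware estimate an earlier comment alludes to, where a cracker tries single-character repeats before any random search. The 10^9 guesses/second rate is an assumed figure for illustration.

```python
import string

# Character classes a naive brute-force search is assumed to cover.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)

def charset_size(password: str) -> int:
    """Alphabet size inferred from the character classes present in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def naive_keyspace(password: str) -> int:
    """Permutations = charset_size ^ length, i.e. the thread's formula."""
    return charset_size(password) ** len(password)

def pattern_aware_keyspace(password: str) -> int:
    """Candidates a cracker must try if it checks every single-character repeat
    of every length up to len(password) before falling back to random search."""
    if len(set(password)) == 1:
        return charset_size(password) * len(password)
    return naive_keyspace(password)

def years_to_exhaust(keyspace: int, guesses_per_second: float = 1e9) -> float:
    """Years to try the whole keyspace at an assumed guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)

def compare(passwords):
    """Naive vs pattern-aware keyspace for each password, as a dict."""
    return {
        p: {
            "charset": charset_size(p),
            "naive": naive_keyspace(p),
            "pattern_aware": pattern_aware_keyspace(p),
        }
        for p in passwords
    }

if __name__ == "__main__":
    # Sample passwords taken from the thread: a 12-char repeat vs an 8-char mixed string.
    for pw, info in compare(["qqqqqqqqqqqq", "@e31z.P8", "thequickbrownfox"]).items():
        print(f"{pw!r}: charset={info['charset']} naive={info['naive']:.2e} "
              f"pattern_aware={info['pattern_aware']:.2e} "
              f"years(naive)={years_to_exhaust(info['naive']):.3g}")
```

The naive figure rewards length, but the pattern-aware figure shows why a repeated character collapses to a few hundred guesses regardless of length.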


Hm. It tells me "Worst Password Ever!" is a "Best" password. Better start using that one!


That is actually a very good password.


Not anymore! I'm adding it to my brute-force dictionary.


That might be strong, but "qqqqqqqqqqqqqqqqqqqqqqqqqqqq" is BEST!



