Quote: Originally Posted by Zundfolge
As much as I enjoy the XKCD cartoon (after all I posted it earlier in this thread) it doesn't take into account how actual hackers hack passwords. If they're going to "brute force" hack the password (that is just start throwing guesses en masse at the login) they tend to start out with a "commonly used passwords" list, then move to a dictionary, THEN run random characters.
But more commonly they'll look through your social media and compile a list of words that seem meaningful to you because most people use meaningful words as a password (for example my boss uses his wife's middle name plus their anniversary date for all his passwords).

No password is uncrackable, but actual words are slightly easier to guess. The strategy employed by the XKCD guy is long pass phrases of random words, which will work well against someone running a purely random brute force hack.
Most common user accounts are wide open after securing access to another database through exploits.

With most accounts getting locked out quickly after xx bad tries, brute force attacks on Joe Blow's email or bank account aren't likely.

However, just one more reason to choose two (or if required 3) factor authentication methods where offered.