Re: XKCD
> Actually breaking a password made up of a sentence containing several words is straightforward - random letters, numbers and non-alpha characters are much harder. Can't remember where I read that though...
It's probably good you can't remember where you read that because it is bad advice. Your password strength is log base 2 of alphabet size to the power of the length of the password. Bigger is better.
For example, consider a 4 digit PIN for an ATM card. The alphabet size is 10 (0 through 9) and length is 4, so the strength is log2 of 10^4 = ~13 bits of entropy.
If you jump to say a 10 character random password, we have to agree on the alphabet first. Say 26 lower case + 26 uppercase + 10 digits + 30 symbols (the ones I can easily type with my keyboard here) + 1 space = 93. log2 of 93^10 gives ~65 bits of entropy.
Now consider a password made up of 4 randomly selected words**. In this case, it is disingenuous to consider the alphabet to be the same size as the random password (although in practice it would require the attacker to know that you didn't use such symbols). Let's assume they know your technique for the minute, and let's assume English only for simplicity, and let's assume you capitalise the first letter of each word. In this case your alphabet is about 350,000 and your length is the number of words you use. log2 of 350000^4 gives ~74 bits of entropy.
So RinseBubbleOvalBounce is ~500 times harder to crack than GV45#5kd3;
Both passwords offer excellent protection, but I know which one you would have to write down.
**Of course if the words are not chosen at random (e.g. a verse or quote or meme or something) then it will be no more secure.
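Below is an added worked example (my own code, not part of the post above or of XKCD) that carries the post's entropy arithmetic through in code and generates the two kinds of secret the same way. The `entropy_bits` function is exactly the post's formula, length times log2 of the alphabet size, applied to the post's three cases (4-digit PIN, 10-character random password over a 93-symbol alphabet, 4 random words from a 350,000-word vocabulary). The word list, the symbol set, and the attacker guess rate of 10^10 guesses per second are my assumptions for illustration; the real lesson of the post's footnote is visible in the entropy numbers: the attacker's effective alphabet is the list the words were actually drawn from, so a small list or a non-random choice of words gives far fewer bits than 350,000 per word suggests.

```python
"""Password entropy calculator and random secret generator.

Added example: not the original post's code. Implements the post's
formula  bits = length * log2(alphabet_size)  and draws secrets with
the `secrets` module so the "chosen at random" assumption really holds.
"""
import math
import secrets
import string
from typing import Sequence

# Assumed alphabet for the random-character password: 26 + 26 + 10 + 30 + 1 = 93.
# (30 symbols is the post's count for what it could type; this set is my choice.)
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"[:30]
CHAR_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS + " "

# Constructed, deliberately small word list (assumption, not a real dictionary).
WORDS = ["rinse", "bubble", "oval", "bounce", "gravel", "lantern", "marble",
         "saddle", "thistle", "violet", "walnut", "zephyr", "anchor", "cobalt",
         "drizzle", "ember"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when `length` symbols are drawn uniformly from `alphabet_size`.
    This is log2(alphabet_size ** length), computed without the huge power."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def strength_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses scheme A needs than scheme B: 2^(a - b)."""
    return 2.0 ** (bits_a - bits_b)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret by brute force: on average the attacker
    searches half the keyspace, i.e. 2^(bits - 1) guesses."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def choose_words(wordlist: Sequence[str], n_words: int, rng=secrets) -> list:
    """Pick n_words uniformly and independently (with replacement) from wordlist.
    `rng` only needs a `.choice`; defaults to the CSPRNG-backed `secrets` module."""
    if len(wordlist) < 2:
        raise ValueError("word list too small to give any entropy")
    return [rng.choice(wordlist) for _ in range(n_words)]


def join_capitalised(words: Sequence[str]) -> str:
    """RinseBubbleOvalBounce-style rendering: first letter of each word upper-cased."""
    return "".join(w[:1].upper() + w[1:] for w in words)


def random_password(alphabet: str, length: int, rng=secrets) -> str:
    """Random character password, e.g. the GV45#5kd3; style from the post."""
    return "".join(rng.choice(alphabet) for _ in range(length))


def post_examples() -> dict:
    """The three cases from the post, plus the ratio between the two strong ones."""
    pin = entropy_bits(10, 4)
    chars = entropy_bits(len(CHAR_ALPHABET), 10)       # 93^10
    words = entropy_bits(350_000, 4)                   # 350000^4, attacker knows the scheme
    return {
        "pin_bits": pin,
        "char_password_bits": chars,
        "four_word_bits": words,
        "words_vs_chars_ratio": strength_ratio(words, chars),
        # Caveat from the footnote: if the attacker knows you drew from THIS list,
        # the alphabet is len(WORDS), not 350,000.
        "four_word_bits_small_list": entropy_bits(len(WORDS), 4),
    }


if __name__ == "__main__":
    for name, value in post_examples().items():
        print(f"{name:28s} {value:10.2f}")
    print("random password :", random_password(CHAR_ALPHABET, 10))
    print("random passphrase:", join_capitalised(choose_words(WORDS, 4)))
    print("years at 1e10 guesses/s for the 10-char password: "
          f"{expected_crack_years(entropy_bits(93, 10), 1e10):.1f}")
```

Running it shows the PIN at about 13.3 bits, the 93-symbol password at about 65.4 bits and the 350,000-word passphrase at about 73.7 bits; the `four_word_bits_small_list` line shows what the same 4 words are worth if the attacker knows the 16-word list they came from, which is the footnote's point in numbers.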