Originally Posted by
gqZJzU4vusf0Z2,$d7
All the gimmicks mentioned for passphrases are already used by crackers, and hashcat rule sets already exist for them.
Use long, random machine-generated passwords ... Kinda like my username. Use nothing from a dictionary. Among the passwords I have cracked using hashcat, my favorite stupid password: You w!ll n3v3r b3 abl3 t0 brut f0rc3 th!$ l3ngthy passw0rd!
Hashcat cracked it in the first 24 hours using an 8-GPU rig, street price: $4.80US
And thus the rationale for frequently changing passwords (and although not always emphasized, usernames as well) and not reusing passwords. Your suggestions certainly increase the security of a password, but given enough time, any encoded information can be deciphered. There is no 100% safe solution--only best practices.
Your post, though, does demonstrate that the tools for decryption continue to evolve, and the best practices from five years ago or 2013 or even last year may no longer be safe.
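Added example, not part of either post: a password-policy check showing why the quoted passphrase is weak despite its length (undoing the substitutions leaves mostly dictionary words), next to a machine-generated password. The wordlist, the substitution table and all function names are assumptions made for this illustration.

```python
import math
import secrets
import string

# Constructed mini-wordlist for this example; a real policy check would load
# a full dictionary plus breached-password lists.
WORDLIST = {"you", "will", "never", "be", "able", "to", "brute", "force",
            "this", "lengthy", "password"}

# Assumed substitution table: common "leet" characters mapped back to letters.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "!": "i", "$": "s", "@": "a"})


def dictionary_hits(candidate):
    """Return (matched, total) tokens that are dictionary words once
    trailing punctuation is dropped and leet substitutions are undone."""
    tokens = candidate.split()
    matched = 0
    for token in tokens:
        word = token.rstrip("!?.,").lower().translate(DELEET)
        if word in WORDLIST:
            matched += 1
    return matched, len(tokens)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20):
    """Machine-generated password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password; valid only for random choice."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = "You w!ll n3v3r b3 abl3 t0 brut f0rc3 th!$ l3ngthy passw0rd!"
    print(dictionary_hits(phrase))
    pw = random_password()
    print(pw, dictionary_hits(pw), round(random_entropy_bits(len(pw)), 1))
```

The entropy figure applies only to the randomly generated password; a human-chosen phrase cannot be scored by length times alphabet size.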