
"at least 8 characters, uppercase/lowercase, numbers, special characters" - I thought the more current recommendation was to use a longer passphrase rather than an overcomplicated and hard to remember password? Of course this hasn't yet got through to many sites, and apparently also not to all security experts...

As for "love", I don't think LastPass (which is unfortunately mandated by my company) loves me, and when I see its egregious UI and its idiotic prompts to fill in passwords on sites to which they don't belong (not to mention prompting me to save passwords which I definitely don't want to save to LastPass, but unfortunately the popup only has a "Not now" button, not a "No, never" button), I don't really have any love for it either...



A passphrase isn't stronger than a password created using those rules - it's preferable if your strategy is to remember your passwords. The problem is that there are so many logins it's hard to keep track. So the temptation is to start reusing passphrases across sites, which is the big no-no because every site will be breached eventually, it's just a matter of time. And once your passphrase is compromised attackers will start credential stuffing on every other site of interest, looking for where you have reused it. Of course 2FA, hashing, salting, etc. are better solutions, but there you're putting your security in the hands of some unknown developers and hoping they know what they're doing. Security in depth is all about layers. Password managers aren't the perfect solution to the user layer, but for me they're the least worst option.


I'm not a security expert, but I have to agree with rob74. I was taught by a mentor that from a computational standpoint, all those typical 'uppercase/lowercase/special character' rules are worthless. The only thing that makes a password stronger is the length. Now from a human or social engineering standpoint they might make sense. It might make it less likely someone chooses something that could be found using a dictionary attack. But as far as a brute force attack or similar, my understanding is that length is all that matters. The types of characters used make no difference to an attacker trying to programmatically crack a password.


Brute forcing is just guessing what character is in each slot, so you start with aaaaa then try aaaab, etc. Using a passphrase means that there are 26 candidates. 52 if you mix upper and lower case. If you add numbers and special characters you go up to 95.

Your mentor is right in that length is the more important factor. The character set has a multiplying effect whereas the length has an exponential effect, so 11 lowercase letters is 26^11 combinations, a bit over half as many as 8 special chars (95^8).

It's worth noting that neither of those would be considered a "safe" password - 15 characters for only lowercase and 13 for a mix of all characters is the recommended minimum.

It makes less difference when you consider that the attacker doesn't know you're using a passphrase so will probably be checking for those extra characters anyway.

What does make a difference is that the passphrase is designed to be remembered but should be unique per login. So with 30+ logins you're remembering 30+ passphrases or might you be tempted to reuse some?

You can get the advantages of a passphrase with a password manager but the same is not true in reverse.


Thanks for the explanation!


what if the cracking tool has rainbow table of commonly used phrases, or combination of words used from dictionary. Length might not start to matter in such cases.


You're right that length is an important factor. Each bit doubles the possible options because there are two symbols (0 & 1). Generally, the possibilities are S^P where S is symbols, P is positions, and ^ raises S to the power P. Except you're not using bits, you're using characters, so if you lop off symbols, uppercase, and numbers, using only lower case, you lose possibilities (reducing S). The number of symbols in printable ASCII is 95 but there are only 26 lowercase letters. See how that changes the number of possibilities:

26^1 = 26 : 26^2 = 676 : 26^3 = 17,576

95^1 = 95 : 95^2 = 9,025 : 95^3 = 857,375

You can see that allowing more characters greatly increases the impact of length.

Your mentor is partly right, but your takeaway papers over the impact of the base.

The passphrase approach [0] is optimized for human memory and I would suggest that for your master password in a password manager but for generated passwords drawing from the greatest set of characters increases security.

[0] https://xkcd.com/936/
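The S^P arithmetic in this comment and the 26^11 vs 95^8 comparison a few comments up are easy to check numerically. The following is an added worked example, not code from either commenter: it computes keyspace and entropy (in bits) for a character-set/length pair, the minimum length needed to reach a target number of bits, and the entropy of a diceware-style passphrase. The 2048-word list size used for the passphrase case is an assumption (it corresponds to the 11 bits per word the xkcd comic uses), not a figure from the thread.

```python
import math

# Character-set sizes from the thread: lowercase only, mixed case, and full printable ASCII.
LOWER = 26
MIXED = 52
PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length: S^P (S symbols, P positions)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space size expressed in bits: log2(S^P) = P * log2(S).

    Length multiplies the bit count, the alphabet only changes the per-position factor,
    which is the 'exponential vs multiplying' distinction made in the thread."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose keyspace reaches target_bits of entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase built from `words` uniformly random picks from a list.

    Each word is one 'position' drawn from a wordlist-sized alphabet, so the same S^P
    formula applies; the xkcd 936 example assumes about 11 bits per word."""
    return words * math.log2(wordlist_size)


def compare(a: tuple[int, int], b: tuple[int, int]) -> float:
    """Ratio keyspace(a) / keyspace(b), e.g. (26, 11) vs (95, 8) from the thread."""
    return keyspace(*a) / keyspace(*b)


if __name__ == "__main__":
    for s in (LOWER, PRINTABLE_ASCII):
        print(f"S={s}: " + " : ".join(f"{s}^{p} = {keyspace(s, p):,}" for p in (1, 2, 3)))
    print(f"26^11 / 95^8 = {compare((LOWER, 11), (PRINTABLE_ASCII, 8)):.3f}")
    for s, p in ((LOWER, 11), (PRINTABLE_ASCII, 8), (LOWER, 15), (PRINTABLE_ASCII, 13)):
        print(f"S={s}, P={p}: {entropy_bits(s, p):.1f} bits")
    print(f"lowercase length for 70 bits: {min_length_for_bits(LOWER, 70)}")
    # Assumed 2048-word list (about 11 bits/word), four words as in xkcd 936.
    print(f"4 words from 2048: {passphrase_bits(2048, 4):.1f} bits")
```

Running it reproduces the thread's figures: 26^3 = 17,576 and 95^3 = 857,375, and 26^11 comes out at roughly 0.55 of 95^8, i.e. "a bit over half". The bit view makes the trade-off explicit: each extra lowercase character adds about 4.7 bits, each extra printable-ASCII character about 6.6, so a shorter full-alphabet password and a longer lowercase one can land on the same entropy, which is why a generated password should draw from the widest set while a memorised master passphrase gets its bits from word count instead.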


Thanks for the detailed explanation!



