XKCD hits one out of the park, yet again.
I’ve been pointing this principle out for years, but it seems like the people actually responsible for information security don’t care, because they keep requiring people to use the “8-12 characters, at least 1 uppercase, 1 number or symbol” format like what’s shown in the first panel, rather than arbitrary-length passphrases that are so much more secure.
END OF LINE