That's what I'm thinking also. I don't understand how a computer can know if a password is partially correct. If that were true, a brute force attack on the following password could be cracked rather easily on the weakest of computers:

&*&*(89234897sdlkjehruipIIOPUE3R-708760340=-23-0-0978s-89234^&^234897^&^7@3

In other words, the computer would be able to know the correct first character and then move on to the next, etc. I'm almost certain it is NOT possible to crack a password this way.

By the way, again, it's always possible to criticize anything that is not "long and random". It would be helpful to propose an improvement on a password recall system if you see a notable weakness. Not everybody can have their password vault program/notebook with them at all times.

It depends on the type of attack.

If the attacker has extracted a hashed password table, a brute-force attack can run every combination of letters and numbers for a single password out to twelve or more characters lightning fast. Using this (dumb) method I could typically crack 500 passwords in an hour or two on my (underpowered) laptop. Using an AWS cluster or something similar, we could get the same job done in a second or two. This was legal, by the way, because I had written authorization from my customers to do it.

Using a good dictionary, we could cut the time by a factor of roughly ten -- instead of 120 minutes, maybe 12. "Correcthorsebatterystaple" passwords would fall quickly to this method. But we'd be back to the brute-force type of attack for a strong password like those I mentioned upthread.

Using rainbow hash tables, if we got hits we'd get the whole thing done in a few seconds.

If you're not working on extracted password hashes, but rather attacking via a user interface, things get much, much slower.

If there is access to the hashed password table, that's a completely different ballgame. As far as I'm concerned, that falls under the umbrella of "stealing a person's password". All bets are off at that point. It really doesn't matter how long or how random your password is.

I'm oversimplifying a little to keep from wiring a whole book

basically a dictionary attach we take a bunch of known words, we just break the password down smaller and attach smaller words. Say a 9 character password I search my dictionary I check for combinations of smaller words such as appletree, brownpony, applepony, browntree as well a 9 character words. Then since I've used a spellchecker dictionary I have the common misspellings so we check brownpnoy, applepnoy, etc. We also added the hacker speak to our dictionary so we look for br0wnp0ny, @pplep0ny, and of course we did the search replace against our whole spell checker dictionary so we got @ppl3pn0yand br0wnpn0y as well.

Basically I am disagreeing with the statement that simply making a password from four (or most any number) words make it much more secure because it does not. Adding random letters, numbers, punctuation, etc does make it a little more secure.

Usually when I need a password I'll go find a random password generator and I'll have it generate say 10 at a time then choose one or more and merge them. That way even if someone were sniffing the traffic at that instant they don't know which of the 10 I chose.

Why wouldn't you use a random password generator that is disconnected from the grid?

Non admin on work computer so I can't install anything there. Passwords at home I can do that.

I use an encrypted password database app that syncs with the desktop version of the same app on my home PC. It includes a random password generator, and I use it constantly.

The vast majority of password thefts come from stealing a hashed password table or compromising a workstation and either stealing passwords stored in a browser or sniffing keystrokes.

No amount of password complexity can help against any of those scenarios when faced with a determined attacker. However, most attackers aren't determined enough to crack long complex random passwords. If nothing else, such a password may give you time to find out about the breach and change your password before it's cracked.

For password attacks against user interfaces, long complex passwords are very effective.

Here's an interesting article that cleared some things up for me: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Based on the little reading I've done so far, it seems like the biggest risk is having the hashed passwords stolen from a compromised website which then allows the crackers to decrypt the passwords at their leisure.

The real test is to download and learn to use the password cracking tools. Then see how long it takes to crack the password your using.
Just be careful searching for those tools, don't use an unsecure browser like IE unless your doing it in a sandboxed VM as those sites also like to test your browser security