Why random character password is considered “weaker” than catchphrase with letters and symbols?


2 Answers

Anonymous

Length is a far better defense than complexity

You can measure password complexity by measuring the [“bits of entropy”](https://en.wikipedia.org/wiki/Password_strength#Random_passwords): basically how many possible combinations there can be, which determines how hard it is to guess from a database.

Lowercase letters are 4.7 bits per letter, so an 8-character lowercase-only password (if you know it's lowercase only) is only 37.6 bits hard.

If you bump that up to using all available letters, numbers, and symbols, then you get 6.555 bits per character, so 52.4 bits. It seems like this should be a bit under twice as hard just by looking at 37 vs 52, but remember it's bits here, so 38 has twice as many combinations as 37, so it's actually about 32,000x harder to guess (2^15). But adding all the symbols also makes it harder to remember.

If you instead stick with lowercase only but go for a 12-character password, you get 56.4 bits of difficulty without needing all the weird symbols that make it harder to remember.

A catchphrase generally results in a simple but long password. CorrectHorseBatteryStaple is as strong as P4ssW0rd$ even if you know it's basic words with capital letters at the front, and even stronger if you don't.
