GRC claims that "p@$$w0rd[[[[[[[[[[[[[[[" is much more secure than "p@$$w0rd". Simply extending the password length with bogus and easy to remember characters is said to be a much stronger password. In fact, taking all possible padding characters (2^6.5), all lengths between 0 and 31 padding chars (5 bits) and all positions  of the padding block within a 16 char password (2^4) you only gain 15 bits of entropy. But you can get 13 extra bits that by simply adding 2 random characters to your password, without bothering to count bogus padding chars.

He goes as far as claiming that "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9" based simply on the length. That's preposterous ! The first password has 36 bits of entropy while the second has 150 bits, assuming a cracker aware of the "technique". Presuming that you are smarter than the attacker is the road to security hell.


It's quite possible, depending on the algorithm used and the size of the attacker. The key-space for 9 characters is 6.37 x 10^17 so assuming it's a SHA256 salted hash then the current bitcoin mining network at 15THash/sec will exhaust the keyspace in 12 hours. The US government can probably do it in minutes. You could rent the current mining network for a small multiple of t 6*50BTC*5$ = 1500$/hour, assuming a market for cracking SHA256 hashes would exist.
To escape even the US government use a 16 character random password not generated by a human (no inter-character memory, characters are statistically independent). That is indeed hard to remember.


With the exception of "toaster" all words are in the top 100 by frequency. "toaster" is maybe in the core 10K vocabulary. There's no need to use 100K words dictionaries if most users don't use words like "Lymphocytopenia" or "Synecdoche". So 7*7+10 = 59 bits, hard but crackable see above. A non naive lexical cracker will not throw words randomly in a sentence and the rules of the English language would allow it to massively prune the search space.