But it's not the special characters that make the difference in this example password. It's the phrase. Systems typically match words, but not phrases.
The system can combine "water" "salt" "sugar". But combining as a phrase "water" "with" "salt" "and" "sugar" is more unlikely.
No, that's wrong. These are all regular English words found in every wordlist and cracked in minutes.
https://en.wikipedia.org/wiki/Dictionary_attackAs you said rightly, the systems normally check letter by letter.
No, I said the opposite. Letter-by-letter bruteforcing is probably dead for well over a decade now.
https://ieeexplore.ieee.org/document/4799025Therefore, it is more likely to pick up a combination of random letters than a sentence that is understood by a human.
Which do you think is easier for an automatic system to find:
"1McY1aGwc8jvFtA."
or
"My2YearOldCatLikesYoWalk."
Both are equally strong, but the second option is much more difficult to be recognized by an automatic system than the first.
That's entirely backwards. The second option is orders of magnitude easier to crack, since it is just 7 words and a number. As the sentence even makes semantic sense, some crackers should have an even easier time guessing that password.
Meanwhile the first option consists of 15 random characters, so wordlist-based attacks don't work and one would have to default back to the much slower / 'legacy' byte-by-byte bruteforcing approach.