What are your thoughts about this?
A password that uses 3 common words with spaces is much more secure than one with special characters, numbers, capital & small letters
I do not believe this is accurate and there are 'issues' with using it on a wide scale because MANY sites won't accept spaces. Also, brute force techniques always do a base line sweep of 'space' when sweeping through the potentials: Space-A, Space-!, Space-} etc. IMO, you need to be more worried about the NUMBER of characters, as it is an unknown quantity in the sweep. Brute force mechanisms don't know if your password is 8, 10, 14, or even 30 characters, which is why the number of characters adds exponentially to the difficulty of solving the problem. A short set of random characters like “*K>#)0$j4” is NOT super secure, but a long string of memorable words like “billjamesisagoodguitarplayer” is actually stronger simply because of the length as an unknown modifier (password entropy: a representation of how much uncertainty there is in a password).
Anything under 16 characters should be considered risky 'today'. 16 should be the minimum.
Is 35t8@nz4 a good password? Not really. But %%%%%35t8@nz4%% is an absolutely phenomenal password just by virtue of the %'s being added to the front and back increasing the length and thus, substantially increasing the entropy.
Remember - a few key points: a funded, smart hacker will simply compromise the AD and expand laterally within the network, utilizing methods to scoop up data from the compromised systems. We still see modern, well-funded attackers phishing for passwords, but not so commonly brute forcing. Also, what is strong today won't be tomorrow. Plan ahead. Techniques in use today should be factoring in the coming age. Everything they can't compromise or hack is being 'stored' for a reason; eventually, they know, they will probably get into it. Use lengthy, strong-entropy passwords and cascade encrypt, not necessarily for today, but for the safety of your loot tomorrow.
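As an added example (not code from anyone in this thread), the passwords quoted above scored under two attacker models: a per-character brute-force sweep (length times log2 of the alphabet) and a word-list guess (number of words times log2 of the dictionary size). The mini word list, the 10,000-entry dictionary size and the printable-ASCII class sizes are constructed assumptions for illustration.

```python
from __future__ import annotations
import math

# Per-character brute-force model: printable-ASCII class sizes (assumed convention).
CLASSES = [(26, str.islower), (26, str.isupper), (10, str.isdigit),
           (33, lambda c: not c.isalnum())]  # 33 = punctuation plus space

# Constructed mini word list and an assumed dictionary size of 10,000 entries.
WORDS = {"bill", "james", "is", "a", "good", "guitar", "player",
         "apple", "river", "garden"}
DICTIONARY_SIZE = 10_000


def charset_size(password: str) -> int:
    """Alphabet an attacker must sweep once they know which classes are present."""
    return sum(size for size, pred in CLASSES if any(pred(c) for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy under a uniform per-character model: length * log2(alphabet)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def segment(password: str, words: set[str]) -> list[str] | None:
    """Fewest-words split of the password (attacker's best case); None if impossible."""
    s = password.lower().replace(" ", "")  # spaces cost the guesser nothing
    best: list = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def wordlist_bits(password: str, words=WORDS, size=DICTIONARY_SIZE) -> float | None:
    """Entropy if the attacker guesses word sequences: words * log2(dictionary)."""
    seg = segment(password, words)
    return None if seg is None else len(seg) * math.log2(size)


def effective_bits(password: str) -> float:
    """Strength against an attacker who picks the cheaper of the two models."""
    bf, wl = brute_force_bits(password), wordlist_bits(password)
    return bf if wl is None else min(bf, wl)


if __name__ == "__main__":
    for pw in ["*K>#)0$j4", "billjamesisagoodguitarplayer", "35t8@nz4",
               "%%%%%35t8@nz4%%", "apple river garden"]:
        print(f"{pw!r}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
```

The gap between the two numbers for the word-based passwords is what a real dictionary attacker exploits, so the per-character figure alone overstates their strength.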