That comic makes a good argument against the kinds of alphanumeric passwords most people naively come up with to match password policies, but the randomized ones that a password manager will give you are far stronger. Assuming 6 bits of entropy per character (equivalent to a choice of 64 characters) and a good source of randomness, a random 8-character password is stronger than “correct horse battery staple” (48 bits of entropy vs. ~44), and 10 characters (for 60 bits of entropy) blows it out of the water.
Of course, since you typically won’t be able to remember eight base64 characters for each of the fifty sites you need a password for, that makes the security of the entire system depend on that of the password manager or wherever else you’re storing your passwords. A mix of systems might work best in practice, and I’d recommend using two-factor authentication where it’s offered on anything you really need secured.
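The entropy arithmetic in the comment above, worked through as an added example (not part of the original comment), with both schemes generated from the CSPRNG the "good source of randomness" assumption requires. The base64 alphabet, the tiny constructed wordlist, the 2048-word list size (four words at 11 bits each giving the ~44 bits) and all function names are my own assumptions.

```python
import math
import secrets
import string

# The 64-symbol alphabet the comment has in mind (base64): 6 bits per symbol.
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"

# Constructed, deliberately tiny stand-in for a real wordlist. Entropy comes
# from the size of the list the words are drawn from, not from the words
# themselves, so a real list (e.g. 2048 entries, 11 bits/word) is what you
# would use in practice.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "orbit", "lantern", "copper", "meadow"]


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols:
    length * log2(alphabet_size). 8 base64 symbols -> 48 bits, 10 -> 60 bits."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly (with replacement) from a list of
    `wordlist_size` words. Four words from a 2048-word list -> 4 * 11 = 44 bits."""
    return words * math.log2(wordlist_size)


def generate_password(length: int, alphabet: str = BASE64_ALPHABET) -> str:
    """Uniform random password from the CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """Uniform random passphrase; strength is set by len(wordlist), not word length."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(password_len: int, alphabet_size: int = 64,
            words: int = 4, wordlist_size: int = 2048) -> dict:
    """Bits for each scheme, and which wins, on the comment's assumptions."""
    pw = random_password_bits(alphabet_size, password_len)
    pp = passphrase_bits(wordlist_size, words)
    return {"password_bits": pw, "passphrase_bits": pp,
            "stronger": "password" if pw > pp else "passphrase"}


if __name__ == "__main__":
    for n in (6, 8, 10):
        print(n, "chars:", compare(n))
    print(generate_password(8), "|", generate_passphrase(4))
```

Note that the passphrase generated from the eight-word sample list carries only 12 bits; the arithmetic, not the word count, is what makes the real thing strong.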