Great! More passwords which mean nothing to me and so are even harder to remember. (Yes, I know, I don't have to use it.)
I guess the idea is to then put these generated passwords into Keychain, so you only need to memorize one master password. Seeing that the password generator is a part of Keychain and all.
1Password makes this super easy. Not free but very effective.
https://agilebits.com/onepassword/mac
Best passwords - a string of words. Iwanderedlonelyasacloud. Tobeornottobe. Roundmanywesternislandshaveibeen.
Every password-breaking program is designed to deal with passwords that contain upper & lower case letters & numbers. Most people do things such as replace an o with a 0, or an i with a 1. F00tball, or something similar. Easy for software to crack.
Another vote for 1Password!
Those programs are based on a dictionary attack which assumes that the password is the same length as a real word. And even then, usually only an English word. Otherwise, it would have to examine every possible permutation of a string. And if it didn't know how long the string was it would be starting from scratch. For a 9-digit alphanumeric password, you're looking at over 14 million possible combinations. And it would most likely try every permutation of shorter strings before it attempted a 9-digit string. Considering that most financial websites will freeze access to your account after three failed attempts (at which point you would change your password anyway), anyone trying to parse your password will probably not be able to gain access before the sun goes nova. There are much easier ways for criminals to gain access to your accounts.
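To put numbers on the "string of words" suggestion and the combination counting in the two comments above, here is an added example that is not part of this thread: a small Python calculator for the size of each guessing space and its equivalent in bits. The word-list sizes, the number of swappable letters in a F00tball-style word and the two guess rates are assumptions chosen for illustration, not figures from the thread.

```python
import math

def keyspace_random(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn uniformly from an alphabet."""
    return alphabet_size ** length

def keyspace_passphrase(dictionary_size: int, words: int) -> int:
    """Distinct phrases of `words` words picked uniformly (with repetition) from a word list."""
    return dictionary_size ** words

def keyspace_leet_word(dictionary_size: int, substitutable_letters: int, case_variants: int = 2) -> int:
    """A dictionary word with the usual o->0 / i->1 style substitutions.
    Each substitutable letter is either swapped or not (x2 per letter), times a
    capitalisation choice; the word list itself stays the dominant factor, so
    the substitutions add only a handful of bits."""
    return dictionary_size * (2 ** substitutable_letters) * case_variants

def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniformly chosen secret from a space of this size."""
    return math.log2(keyspace)

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)

def compare_schemes() -> dict:
    """Entropy in bits for each password scheme discussed in the thread.
    List sizes are assumptions: a 100k-word English list for the leet case,
    a 7776-word list (the size of a common diceware list) for passphrases."""
    schemes = {
        "9 lowercase alphanumerics": keyspace_random(36, 9),
        "9 mixed-case alphanumerics": keyspace_random(62, 9),
        "F00tball-style leet word (100k words, 4 swappable letters)": keyspace_leet_word(100_000, 4),
        "4 words from a 7776-word list": keyspace_passphrase(7776, 4),
        "5 words from a 7776-word list": keyspace_passphrase(7776, 5),
    }
    return {name: entropy_bits(k) for name, k in schemes.items()}

if __name__ == "__main__":
    # Assumed illustrative rates: a lockout-limited online service (about one guess
    # per hour) versus an offline attack on a leaked fast, unsalted hash.
    rates = {"online, rate limited": 1 / 3600, "offline, fast hash": 1e9}
    for name, bits in compare_schemes().items():
        print(f"{name}: {bits:.1f} bits")
        for label, rate in rates.items():
            print(f"    {label}: {years_to_exhaust(2 ** bits, rate):.3g} years to exhaust")
```

The table this prints makes the thread's two points visible side by side: the lockout-limited online rate makes even a short password impractical to guess, while the same password against a leaked fast hash falls in days, and only the multi-word passphrase keeps a comfortable margin in the offline case.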
Your analysis of the problem is incorrect: the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data. For local access, passwords will only annoy the dumbest and most casual thieves anyway, unless you use encryption.
Not stupid capitalization and weird-character rules, which make passphrases difficult for people to remember and easy for computers to guess.
"... the risk for online services is not brute forcing from the outside, but matching the hashes to leaked data."
Another common problem is when finding any one password on a system can harm or inconvenience a great number of other users, for example by leading to misuse of an email system that causes all mail from that system to be blocked as likely spam. This happens at least once a month at my workplace. The weakness there is that a botnet can distribute its rapid-fire password guessing over a large number of accounts, without triggering login attempt limits on any one account. That and the fact that blocking access after a few wrong guesses is not always acceptable, since it allows "denial of service" mischief.
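The distributed-guessing weakness in the comment above, as an added example that is not from this thread: a few Python detectors run over a constructed authentication log. The log format (`<timestamp> auth OK|FAIL user=<name> src=<ip>`) is assumed, the sample lines are made up for the example, and the addresses come from the RFC 5737 documentation ranges. The per-account counter is the lockout the comment describes; the two extra checks show what it misses and, because they only alert rather than lock, they do not hand an attacker the denial-of-service lever the comment warns about.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system), in an assumed generic format.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T10:00:01Z auth FAIL user=alice src=10.0.0.5",
     "2024-05-01T10:00:04Z auth OK user=alice src=10.0.0.5"]
    # one source hammering one account: the per-account lockout catches this
    + [f"2024-05-01T10:01:{i:02d}Z auth FAIL user=bob src=198.51.100.7" for i in range(5)]
    # one source, one guess each against 12 accounts: no account reaches the lockout threshold
    + [f"2024-05-01T10:02:{i:02d}Z auth FAIL user=user{i:02d} src=203.0.113.9" for i in range(12)]
    # eight bots, two accounts each: neither per-account nor per-source thresholds trip
    + [f"2024-05-01T10:03:{i:02d}Z auth FAIL user=staff{i:02d} src=192.0.2.{i // 2 + 1}" for i in range(16)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text: str) -> list:
    """Turn log text into (timestamp, result, user, source) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def per_account_lockout(events: list, threshold: int = 3) -> set:
    """The classic control: accounts with at least `threshold` failures.
    It sees the single-account hammering but is blind to one guess per account."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= threshold}

def spray_by_source(events: list, min_accounts: int = 5) -> set:
    """Sources whose failures touched at least `min_accounts` distinct accounts.
    Catches a single host spraying, but a botnet spreads thin enough to stay under it."""
    accounts = defaultdict(set)
    for _, result, user, src in events:
        if result == "FAIL":
            accounts[src].add(user)
    return {s for s, a in accounts.items() if len(a) >= min_accounts}

def max_accounts_failing_in_window(events: list, window: timedelta = timedelta(seconds=60)) -> int:
    """Largest number of distinct accounts with a failure inside any `window`.
    This source-agnostic count is what still rises when guesses are spread across
    many accounts and many bots; compare it against the system's normal level."""
    fails = sorted((ts, user) for ts, result, user, _ in events if result == "FAIL")
    best = 0
    for i, (start, _) in enumerate(fails):
        seen = {u for ts, u in fails[i:] if ts < start + window}
        best = max(best, len(seen))
    return best

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked accounts:", per_account_lockout(ev))
    print("spraying sources:", spray_by_source(ev))
    print("max distinct accounts failing per minute:", max_accounts_failing_in_window(ev))
```

On the sample, the lockout fires only for bob, the per-source check names only the single spraying host, and the windowed distinct-account count is what exposes the bot-distributed run; the threshold for that last signal has to come from the system's own baseline, which is why it is returned as a number rather than hard-coded.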