Be cautious with what one takes away from this chart.
For example, it implies that "Password1!" would take 33,000 years to break, which is clearly not true, given that it shows up in the top-10 list of nearly every "common passwords" list.
One also needs to question if they even believe their own results. Life on earth has existed for 300k years, yet they require 1,000,000k for green.
On the other hand, one can properly use it to learn that a password consisting solely of lowercase letters is equivalent in strength when 25% longer than a "complex" (upper/lower/digit/special) password.
The most important password advice I can give to my CISSP peers is that passwords cannot be made "good enough" to protect anything sensitive. Instead, one needs to augment them with multi-factor, completely replace them with newer technology (e.g. passkeys), and/or make login pages accessible only from protected/secure locations.
And, for as long as we need to put up with passwords, do read up on what NIST has to say in Appendix A of their Identity Guidelines.
You may want to be aware of this: https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-manda... I will paste in the very beginning of it here:
The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.
NIST's second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types of characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.
Other recommendations include:
CSPs shall require passwords to be a minimum of eight characters in length and should require passwords to be a minimum of 15 characters in length.
CSPs should allow passwords of a maximum of at least 64 characters.
CSPs should allow ASCII and Unicode characters to be included in passwords.
The National Cyber Security Centre recommends 3 random words:
https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words
This makes it relatively easy to set a 15 to 20 character password that you will remember.
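As an added illustration (not code from any of the posters), here is a small verifier that applies the draft NIST rules quoted above together with the three-random-words approach: length floor of 8, recommended floor of 15, a ceiling of at least 64, any Unicode accepted, no composition rules, no expiry, and a blocklist check that catches "Password1!" even though it would pass a classic complexity rule. The blocklist contents and the NFKC normalization step are assumptions for the example.

```python
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a real "common passwords" list; "Password1!"
# is the example the thread cites, the rest are placeholders.
COMMON_PASSWORDS = {"password", "password1", "password1!", "qwerty",
                    "letmein", "123456"}

MIN_LENGTH_REQUIRED = 8      # CSPs SHALL require at least 8 characters
MIN_LENGTH_RECOMMENDED = 15  # CSPs SHOULD require at least 15 characters
MAX_LENGTH = 64              # CSPs SHOULD allow at least 64; this is our ceiling


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)  # rejection cause or advisory notes


def check_password(candidate: str) -> Verdict:
    """Length is counted in code points, not bytes, so Unicode passphrases
    are not penalised. NFKC normalization is an assumption (not in the
    quoted excerpt) so visually identical strings compare equal."""
    pw = unicodedata.normalize("NFKC", candidate)
    length = len(pw)
    if length < MIN_LENGTH_REQUIRED:
        return Verdict(False, [f"shorter than {MIN_LENGTH_REQUIRED} characters"])
    if length > MAX_LENGTH:
        return Verdict(False, [f"longer than {MAX_LENGTH} characters"])
    # Compare case-insensitively: "Password1!" and "password1!" are the same guess.
    if pw.casefold() in COMMON_PASSWORDS:
        return Verdict(False, ["appears on the common-password blocklist"])
    notes = []
    if length < MIN_LENGTH_RECOMMENDED:
        notes.append(f"accepted, but {MIN_LENGTH_RECOMMENDED}+ characters is recommended")
    # Deliberately no upper/lower/digit/special requirement and no expiry:
    # the guideline drops both, so three random words pass as they are.
    return Verdict(True, notes)


if __name__ == "__main__":
    for sample in ("Password1!", "correct horse battery", "tulipbanjo1"):
        print(sample, "->", check_password(sample))
```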
@nkeaton the best advice I ever heard about passwords is that they should include as much randomization as possible when they are composed.
But that's something which is nearly impossible to scale for a single user, at least without using a password manager.
So when NIST first changed its guidelines in the 2010s (which discouraged complexity and promoted length), as @Steve-Wilme said, changing to passphrases with random words seemed like a very good solution. Random, unrelated words seem to scale a little easier for people who need a strong password in a pinch.
That's my two cents (which now costs six cents each to make).
The other thing to keep in mind is that where MFA cannot be deployed, longer passwords are beginning to be mandated, for example by the PCI SSC.
I watched an ISC2 webinar where Bruce Schneier broke into a computer with MFA/2FA in moments just using cookies. No password was needed. So we should never feel too secure.