So can someone tell me why this password wouldn't be secure?
"OnMondayMorningsILikeToWakeUpWithANiceGlassOfOrangeJuiceBeforeEatingMyTooast"
The only issue would be if this phrase is from a book or movie (potentially even one you are unaware of). That is why systems like diceware exist to create a truly random sequence of words.
Although brute force capabilities have come a long way, passwords consisting of 10 digits (all keyboard symbols) are beyond the brute force (see below before you complain) capabilities of most entities and 12 digits would be beyond the capabilities of nation states in most situations (i.e. no nation is going to expend a year of super computing time at a cost of $500B in order to break your facebook password
). If your a significant threat to a nation state and they would be willing to expend billions of dollars to attack you well you should probably push that out to 15 digits. For those who prefer dicewords that would be 5, 6, and 8 dicewords respectively.
However that assumes the attacker is just doing a pure brute force attack of all possible passwords. The reality is that beyond 9 digits it starts taking an increasingly incredible amount of time for each additional digits. So password crackers are going to try a variety of methods which are often much faster (even on much longer passwords).
1) Check the hash against databases of known compromised passwords (you can find on various sites lists of 15M+ previously leaked and broken passwords). If your passphrase is on that list your toast. Even some hobbyist with a single CPU can break it in a matter of minutes.
2) Check the hash against phrases from movies, books, memes, pop culture (no doubt Satoshi's genesis block quote is insecure).
3) Check the hash against a dictionary (possibly foreign languages as well).
4) A modified version of #3 is to take the same dictionary and perform derivations (which is why Troub@dor1 is a lot weaker than it may initially seem).
So having a long passphrase is good but it isn't a guarantee that the password is strong (unless it is random). To ensure it is strong it needs to not be breakable by the four methods above as well. I noticed in your example you wrote "Tooast" not "Toast". If that was intentionally then congratulations it ensured it probably isn't going to match any phrase search.
