gbryant Randomly generated passwords aren't really any more difficult for computers to guess than passwords made up of words - computers don't really care.
If we get down to the nitty gritty, it's all about entropy and the keyspace. If we take the password CorrectHorseBatteryStaple as an example, we're assuming that the criterion for our password is four English words.
There are just over 171000 words in the Oxford English dictionary, so each position in this password has, let's say, 171000 possible values. With a password length of 4, this gives us 171000^4 ≈ 8.55*10^20 possible iterations, if we were to bruteforce.
Now let's take the second example: 8m#2sqa!nab. Here we're most likely using random ASCII/ANSI characters which are available on the user's keyboard. Just looking at my keyboard, I have 95 different characters to choose from, not including space or tab. With a password length of 11, this gives us 95^11 ≈ 5.69*10^21 possible combinations.
Alright, so with both of these examples, bruteforcing would be silly. An adept database admin would probably use a hashing algorithm like Scrypt, which the 2080ti is capable of hashing at just over 1.1 MH/s, so it would take up to 25 million years to bruteforce the first password.
Obviously, the human-readable password is much easier to remember, but ideally, requires the user to follow the same best practices. That is, having a different password for each website, changing passwords regularly, etc. So, in order for all these passwords to be memorable, they can't be random.
CorrectHorseBatteryStaple is easy enough to remember, because we've all seen the comic. This wouldn't necessarily be true for the 23rd website we've signed up to with a random string of words as the password. The passwords will end up having some sort of pattern to them, whether it's common words or consistent grammar. A skilled cryptanalyst would be capable of exploiting this and reducing the keyspace substantially. And let's face it, most people probably have a vocabulary much closer to 1000 words than 171000.
So overall, the only way for a human-readable password to really be semantically secure, is for it to be extremely long, or for it to be random, both of which kinda end up defeating the purpose of being easy to remember.
Now obviously, it's better to have a password like <childsname><yearofbirth>, but it really doesn't address the main issue of bad password management practices. If you use a password manager, you don't even have to know what any of your passwords are, and make them so long that they would take multiple heat deaths to crack.
I hope what I wrote makes sense, I didn't really plan it out.
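The keyspace, entropy and worst-case crack-time arithmetic from the post above, as an added example that is not part of the original comment. The 1.1 MH/s scrypt rate is the figure quoted in the post; the 1000-word vocabulary row is the poster's own estimate, and the year length is a constructed constant.

```python
import math

# Constructed constants for the estimate (the hash rate is the post's 2080ti scrypt figure).
SCRYPT_RATE_PER_SEC = 1.1e6           # ~1.1 MH/s
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords when each of `length` positions has `alphabet_size` values."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly from that keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate_per_sec: float = SCRYPT_RATE_PER_SEC) -> float:
    """Worst-case years to try every candidate at the given hash rate.

    The expected time for a uniformly chosen password is half of this.
    """
    return keyspace(alphabet_size, length) / rate_per_sec / SECONDS_PER_YEAR


def compare(schemes):
    """Return (name, keyspace, bits, years) for each (name, alphabet_size, length)."""
    return [(name, keyspace(a, n), entropy_bits(a, n), years_to_exhaust(a, n))
            for name, a, n in schemes]


if __name__ == "__main__":
    schemes = [
        ("4 words, 171000-word dictionary", 171000, 4),   # CorrectHorseBatteryStaple
        ("11 chars, 95 printable symbols", 95, 11),       # 8m#2sqa!nab
        ("4 words, 1000-word vocabulary", 1000, 4),       # the poster's realistic case
    ]
    for name, space, bits, years in compare(schemes):
        print(f"{name:34s} keyspace={space:.3g} entropy={bits:5.1f} bits "
              f"worst-case={years:.3g} years")
```

The third row is the point of the post: shrinking the vocabulary from 171000 to 1000 words drops the worst-case exhaustion time from tens of millions of years to a matter of days at the same hash rate.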