Strictly speaking it depends on your threat scenario but it is true for the very common case where an adversary gains hold of a database dump of passwords that have been hashed with a fast hash function.
First of all humans are not nearly as creative as they think they are. In the end it's always the equivalent of the key under the doormat, in the plant or under the stone next-by. Maybe windowsill, but that's it.
Secondly everyone can run an unbelievable amount of password candidates on consumer hardware at home. There are huge candidate files with all the passwords ever leaked and every word on Wikipedia and every song text and every book title and so on. For a fast hash you can run all of this in a couple of hours on usual hardware.
Thirdly, because of the way GPUs work you get variations like appending a number or leetspeak for free. The reason is that the limiting factor for fast hashes is the memory bandwidth between CPU and GPU. Essentially the GPU is bored while waiting for candidates so it can as well try some variations in the meantime.
Troy Hunt also wrote about this topic from a bit different angle: "The only secure password is the one you can’t remember"
First of all humans are not nearly as creative as they think they are. In the end it's always the equivalent of the key under the doormat, in the plant or under the stone next-by. Maybe windowsill, but that's it.
Secondly everyone can run an unbelievable amount of password candidates on consumer hardware at home. There are huge candidate files with all the passwords ever leaked and every word on Wikipedia and every song text and every book title and so on. For a fast hash you can run all of this in a couple of hours on usual hardware.
Thirdly, because of the way GPUs work you get variations like appending a number or leetspeak for free. The reason is that the limiting factor for fast hashes is the memory bandwidth between CPU and GPU. Essentially the GPU is bored while waiting for candidates so it can as well try some variations in the meantime.
Troy Hunt also wrote about this topic from a bit different angle: "The only secure password is the one you can’t remember"
https://www.troyhunt.com/only-secure-password-is-one-you-can...