In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
I thought the use vocabulary lookup tables effectively nullifies the entropy benefits, if everyone started using phrases as password
Obligatory xkcd.
I don’t know enough to say how accurate the numbers are, but the sentiment stands - if it’s a password you’re memorizing, longer password will probably be better.
Assuming the attacker knows it’s a phrase: The english language alone apparently has some 800.000 words. 800.000^6 = 2*10^35 combinations in a dictionary attack. That’s comparable to 18 random ASCII characters. We might also be using a different language, or a combination of languages, or we might deliberately misspell words.
A long string of random characters will give you more combinations per password length, but there are some passwords you just need to be able to memorize, and I’d say that’s more likely with the 6 words.