Brute-forcing passwords is not the main way passwords are cracked. Ignoring social engineering and stealing/buying plaintext database files that are on the net, rule-based dictionary attacks are the most common form of password cracking. Crackers use GPUs to vastly increase the speed of testing possible passwords against the hashed versions that they get from leaked databases. The common GPU that most people have in their computers at home can make upwards of 4 billion hash checks a second and higher dollar GPUs can do 10 billion checks a second. On top of that, a decent cracker will have multiple good GPUs operating in parallel, giving them upwards of 50 billion or more checks per second. Keep that number of 50 billion attempts per second in mind when I talk about search spaces below.
A search space is the number of possible passwords that could need to be checked against the hashed version of the password that crackers are trying to break. To figure out how large the search space is, take the number of possible options for each part of the password to the power of the number of parts in the password. For example, take a PIN: you know that the PIN is composed of exactly four numbers, so the search space of a PIN is 10^4 (there are 10 possibilities for each number, 0-9, and 4 numbers total), meaning there are 10,000 possible PINs.
What a rule-based dictionary attack means is that a hacker sets up rules that instruct the computer in how to create possible passwords. The most basic rules are brute force-like things, such as trying each number, 0-9, then try two characters where each character is 0-9, then try three characters the same way, then four, then five, etc. The given example of '48621831179348621793' as a random string of numbers is not terrible due to its length (search space of 10^20 or 100,000,000,000,000,000,000 or 100 quintillion), but since you are using the shape method, a commonly known pattern, it is actually just five things from a very small pool '4862 1831 1793 4862 1793' (search space something like 20^5 or 3,200,000, which is tiny). It would take a cracker mere minutes to write a rule for that pattern or even less time to download a rule set that already includes it, and it wouldn't add more than a few milliseconds to the cracking attempt to check that space.
LEET speak substitution is so common that any cracker worth their salt is going to include rules in their set taking this into account, meaning that all those 3s for Es and @s for As or Os are nearly worthless and don't increase the search space by any meaningful amount. It is seriously a waste of time to do this substitution with your passwords. Your time, that is, not the crackers', as they don't care: at worst it just adds maybe a few seconds to their cracking attempt to run the rules that search these spaces.
The currently best strategy, if you aren't using a password manager that generates strong random passwords, is to choose four to six words to create what is known as a passphrase.
Once you are using a passphrase, you have to keep in mind the dictionary attack aspect that is used by crackers. Knowing that people use words in their passwords, crackers have long been using lists of words and letting the computer combine those words together in various ways, including rules to try the words on their own, then try the words with numbers and symbols replacing letters in the common substitution patterns, and various other simple to complex things. The kind of stuff that would take a human forever to do, but a computer, especially one utilizing multiple GPUs, can do tens of billions of times a second.
So, you can't just throw any words together for your passphrase. Let's use the example of four words, say 'persontimeworldhand', which seems strong because it is long, search space of 26^19 or 766,467,270,000,000,000,424,856,248 or... umm.. a whole freaking bunch. But, that is just an illusion, because no one is going to brute force that, trying every combination of letters until they happen to hit on the right ones.
Instead, the crackers use lists of words, say the 20,000 most common words, so the search space is 20,000 to the power of 4 (that is 160,000,000,000,000,000 or 160 quadrillion possible combinations). That, again, still seems like a large search space. However, all four of the words (person, time, world, and hand) are in the top 10 from Wikipedia's list of most common nouns, meaning that the search space is only 10 to the 4th power (that is only 10,000). That is a trivially small number of combinations and would take no time to crack.
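As an added example (not part of the original post), the Python sketch below compares the two search spaces described above: brute-force pool^length versus a ranked word list, where the space is the rank of the rarest word used raised to the number of words. The word list is a small constructed sample, and the function names and the LEET table are assumptions made for illustration.

```python
import string

GUESSES_PER_SECOND = 50_000_000_000  # multi-GPU rate quoted in the text

# Constructed sample list, most common first; a real check would load
# tens of thousands of ranked words.
RANKED_WORDS = ["time", "person", "year", "way", "day", "thing", "man",
                "world", "life", "hand", "part", "child", "eye", "woman"]
RANK = {word: i + 1 for i, word in enumerate(RANKED_WORDS)}

# Common LEET substitutions, undone before the dictionary lookup
# (the cost of this rule to an attacker is a small constant, not modelled).
UNLEET = str.maketrans("3@01$457", "eaoisast")

def segment(password):
    """Split the password into listed words (fewest words wins), else None."""
    text = password.lower().translate(UNLEET)
    best = [None] * (len(text) + 1)   # best[i] = words covering text[:i]
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            word = text[start:end]
            if best[start] is not None and word in RANK:
                candidate = best[start] + [word]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[-1]

def brute_force_space(password):
    """Pool size ** length, using the character classes actually present."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return pool ** len(password)

def dictionary_space(password):
    """Guesses needed when combining the N most common words, N being the
    rank of the rarest word used; None if the password is not all words."""
    words = segment(password)
    if not words:
        return None
    return max(RANK[w] for w in words) ** len(words)

def seconds_to_exhaust(password):
    """Worst-case time for the cheaper of the two attacks."""
    space = dictionary_space(password) or brute_force_space(password)
    return space / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ("persontimeworldhand", "p3rs0ntim3w0rldh@nd"):
        print(pw, brute_force_space(pw), dictionary_space(pw), seconds_to_exhaust(pw))
```

The LEET variant scores a far larger brute-force space but the same dictionary space, which is the number that matters against a rule-based attack.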
So, when choosing the words of your passphrase, you have to be a little more cunning, because the crackers damn sure are going to be doing so. Don't use actual phrases; 'icameisawiconquered' is probably in the crackers' dictionary. Don't choose common words; at least one or two of the words should be pretty uncommon, perhaps chosen from another language or even from a made up language like Klingon or Lord of the Rings (though the latter two, along with Harry Potter words, are probably relatively the most common options possible). Add a symbol or two into the mix. Don't put the symbols between the words and don't use a common substitution like LEET speak, just put a @ or _ or ! or whatever randomly into one or two of the words. The key is not to use a pattern that the crackers could write a rule for. The example 'persontimeworldhand', as said above, is pretty crackable, but '[email protected]' is worlds better as it won't easily fit any logical substitution pattern or dictionary list.
The YouTube channel Computerphile has done several excellent videos on this topic and I highly recommend watching them. Computerphile - Password Choice is a good place to start, or if you only want the most relevant info for making a good password. If you want more in-depth info on how passwords are cracked with rule-based dictionary attacks, also check out Computerphile - Password Cracking.
If you are implementing any system, web-based or otherwise, that requires you to get and store passwords from users, then READ THIS PAGE: Secure Salted Password Hashing - Doing it Right. After you are done reading it, READ IT AGAIN! And continue reading it over and over until you fully understand the importance of handling passwords correctly and securely every time, everywhere. Once you understand, use one of their offered algorithms to do your hashing (link to the algorithms on GitHub for various coding languages is in the big red box at the top).
I hope this is helpful in explaining a few things and busting a few myths about what does and doesn't make a secure password or passphrase.
