I want to be clear that what I’m about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.

A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I’ll get there.

A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.

From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.

Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.

So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person’s reputation at work if anyone got their company’s AD password file out without notice, as well as one’s security if their browser’s password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.