I was reminded the other day of the classic XKCD comic on password strength:
https://www.xkcd.com/936/
What struck me though is that this comic came out in 2011. That was seven years ago.
In all that time I've never seen a website allow, enforce, or recommend phrases of the format recommended by the comic.
I'm also taking a security course right now and the material also recommends longer phrase based passwords without special characters, numbers, or capitals.
So my question is:
What happened?
What I don't understand is if everyone working in security is recommending this approach why does no one actually support it?