/\/\|\||$z
IMO, the main factor is length. Once you got at least one of each (of course more symbols are better), length becomes most important since the attacker can not know the length. He has to start from low character count passwords and work his way up. (And I feel zxcvbn doesn't take that into account enough.)
https://www.grc.com/haystack.htmBut wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero?
Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
