Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.
Exactly, any rule or technique you develop only doubles the attackers work/rainbow table, ie they test their search space once with the rule, and once without. So they simply use two computers instead of one.
Okay, but... To everything there is a point called a bit too far. If you do go with a really long mixed case alphanumeric password with garbage characters. you not only encourage, but basically force over half of the users to jot said password on a sticky note. ... And your Uber fortress gets hacked by the cleaning lady.
How random is random enough? If a popular phrase is used for a pass phrase, well that's reasonable to assume it won't last too long. But if the phrase used is some comic line your grandfather quipped at a family event one time that's not so predictable.
Now it has been mentioned that common/popular/most likely work combinations both can and are used in many of the (let's say...) High-end Rainbow Tables. Okay, but what about word fragments used as a mnemonic for the string? Here's an example:
A popular phrase and long standing joke around our house, is a quote of mine that was originally said when I was trying to lighten the mood when an auto repair was going quite badly. The quote was "We Are Not Totally F***ed ...Yet!"
So if I was to use that (which I don't), for a mnemonic it would go something like this:We
ot Totally F
Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.
Here's the thing, and it's a very critical and key point. Who is cracking what, and why. Lets say it's HacKeRtasTic group X. and they are digging into Evil Bank Y.
Now they got into Evil Bank Y's server and dumped the user tables (yada, yada, yada...) ... And they want to get (lets say) 10,000 user accounts to post online to shame Evil Bank Y, And they also have an order for 10,000 more accounts for the ID theft folks...For a total order of 20,000 accounts needed, out of the (lets say) 100,000 accounts the bank has.
Now regardless of what can be done (even in an evil geek's wet dream) there are still some things that are just flat not cost effective. The tables are going to instantly pop on the first wave of (low-hanging-fruit) idiot simple passwords. Then the harder ones, and the harder ones ... And after a while the CPU time (cost) vs. the Cracked Hash (win) is going to skew...a lot. And that will most likely happen long after the "Order Requirement" of 20,000 accounts have been passed by a country mile.
Besides even if you do manage to memorize a 8,000 character password ... If they
really want you
specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...