Right now I use 15 character unique random alphanumeric passwords for everything, but what happens in 10 years when processors are powerful enough to brute force 15 character hashes? Do we start using 25 character hashes instead? Why is moving this increasingly infeasible line the correct solution when we should be investigating methods of authentication that do not require users to memorize long random strings?
Because increasing password length exponentially increases the amount of time it takes to crack it, while processor speed increases are linear. A 15 character passphrase that isn't a common phrase taken from a book or otherwise predictable (your kid's full name, for instance) is very secure, even more so if you mix case, add numbers, add symbols, or otherwise increase the number of guesses required for each character in the phrase.
Using zxcvbn as an estimator (one of the better strength estimators available): cracking a 14 character, all lowercase password like 'port star cows' through brute force takes something on the order of 10 years when working back from the hash. Capitalizing each word or adding a comma or a number takes the time up to centuries. Part of this depends on the hashing algorithm used to create the password hashes - some are quicker to crack than others, and many companies still foolishly use those ones.
On the other hand, Will's example @1, 'c00k13', takes less than a fifth of a second, in part because it's an example of a technique that crackers like Hashcat explicitly check for - leetspeak replacement. What's more, his reply @10 is equally silly. Translating an obscure word from a foreign language into another language just gets you another, perhaps less-obscure, perhaps shorter word in a different foreign language, not more security. If you took "forest" and translated it into French, then German, then Spanish, and back into English, you (ideally) get 'forest' back and the password cracker doesn't need to know that you spent some time with Google Translate before entering 'forest.' And if you left it in German, you'd have 'wald,' which is a) not harder to guess because you started with 'forest' and b) much shorter than 'forest' and computationally much easier to crack. And finally, the dictionaries that password crackers use aren't the Oxford English Dictionary, they're collections of passwords that people have used in the past, which is a very different thing, and means that his 'pierogie3' suggestion is potentially extremely common, since people all over the world use computers, passwords, and the internet.
That's the point of the xkcd comic - length trumps complexity. Most password cracking these days is done working back from the hash using brute force, so increasing the number of guesses required is the way to go.
To illustrate the numbers: the search space for a password of one character that only accepts lowercase alphabetic characters is 26. So the maximum guesses required for a computer are 26. If the password is 2 characters long, the maximum guesses required is 702 (26*26 for a 2 character password, + 26 for a possible 1 character password - the cracker doesn't know the length of the password). If the password is 3 characters, it's 18,300. For 4 characters, it's 475,254. At 10 characters it's more than 146 trillion guesses. That's actually not huge - it only takes about 10 hours to crack that password using a moderately powerful setup. But when you get to 15 characters, it takes 555 years. If you're really worried, bitwise, add another character. That jumps you to 144 centuries. And that's with only lowercase characters. Source: Gibson
For most people, a tool like LastPass is a great way to ensure that you're secure. It means that no single security breach renders any of your other sites vulnerable, and it lets you generate passwords that aren't vulnerable to brute force approaches.
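The search-space arithmetic in the answer above (sum the sizes of every length up to the password's, because the attacker does not know the length) is easy to reproduce, and the same numbers answer the original question about faster hardware: since the space grows by a factor of the charset size per character, a speedup of any factor is cancelled by adding a fixed number of characters. The following is an added example written for this page, not code from any poster or from Gibson's calculator; the guess rate of 4e9 guesses per second is an assumption chosen only so that the 10 character case lands near the "about 10 hours" figure quoted above, and real rates depend entirely on the hash algorithm.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed offline guess rate (guesses per second). This is an illustrative
# number, not a measurement; fast unsalted hashes are cracked far faster and
# slow hashes such as bcrypt far slower.
ASSUMED_GUESSES_PER_SECOND = 4e9


def search_space(length: int, charset_size: int) -> int:
    """Total candidates of length 1..length over a charset of the given size.

    Lengths below the real one are included because the cracker does not
    know the length and must exhaust shorter candidates too.
    """
    if length < 1 or charset_size < 2:
        raise ValueError("need length >= 1 and charset_size >= 2")
    return sum(charset_size ** k for k in range(1, length + 1))


def crack_time_years(length: int, charset_size: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the given rate."""
    return search_space(length, charset_size) / guesses_per_second / SECONDS_PER_YEAR


def extra_chars_to_offset(speedup: float, charset_size: int) -> int:
    """Characters to append so that an attacker `speedup` times faster
    still needs at least as long as before.

    Each extra character multiplies the space by charset_size, so the
    answer is ceil(log_charset(speedup)) and does not depend on the
    current length at all.
    """
    if speedup <= 1:
        return 0
    return math.ceil(math.log(speedup) / math.log(charset_size))


def same_space_lowercase_length(length: int, charset_size: int) -> int:
    """Shortest all-lowercase length whose search space is at least as large
    as `length` characters drawn from a `charset_size` alphabet.

    Shows why 'length trumps complexity': a few extra lowercase letters
    buy as much as switching every position to the full printable set.
    """
    target = search_space(length, charset_size)
    n = 1
    while search_space(n, 26) < target:
        n += 1
    return n


if __name__ == "__main__":
    for n in (1, 2, 4, 10, 15, 16):
        print(f"{n:2d} lowercase chars: {search_space(n, 26):>30,d} guesses, "
              f"{crack_time_years(n, 26):.3g} years")
    # Faster hardware: how many characters cancel a 1000x speedup?
    print("characters that offset a 1000x speedup:", extra_chars_to_offset(1000, 26))
    # 8 chars from 95 printable ASCII vs how many lowercase letters?
    print("lowercase length matching 8 printable-ASCII chars:",
          same_space_lowercase_length(8, 95))
```

The two functions that matter for the question are `extra_chars_to_offset`, which returns a small constant (three lowercase letters absorb a thousand-fold faster cracker, because 26^3 is already above 1000), and `same_space_lowercase_length`, which shows that eight characters from the full printable set are matched by about twelve lowercase letters.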