Length.
Here’s a simple example.
Which of these passwords is more attack-resistant?
- &^567*=M
- barbell-farther-grocery-sans-bluster-voyageur
It’s the second one.
Why? Because the typical approach to compromising a password requires brute force: The testing of every possible combination of letters, numbers, and special characters. Or, the testing of common words from the dictionary. The more guesses, the longer it takes, the more secure.