When creating a new password, GCHQ advise you #thinkrandom and choose "three random words" such as "coffeetrainfish" or "walltinshirt" to use as your password. This is terrible advice. The words coffee, train, fish, wall, tin and shirt all appear in the top 1500 most common English nouns.[1] As such, each word in GCHQ's proposed passwords contains approximately (LOG(1498,2) ≈) 10.55 bits of entropy and the whole password less than (3*LOG(1498,2) ≈) 31.65 bits of entropy.
How long would it take to brute force? A 31.65 bit password has (2^31.65 ≈) 3.36 billion possible combinations and can be assumed to be located halfway through that key space. In 1998 the Electronic Frontier Foundation built a machine capable of 90 billion guesses per second.[2] At this rate it'd take ((2^31.65/2)/(90*10^9) ≈) 0.019 seconds to crack a #thinkrandom password. Since 1998 computers have gotten faster so it'll likely be cracked faster than this.
#thinkrandom passwords are weak because GCHQ ask you to "think" and "choose" your password. Thinking will introduce unconscious bias into your password. For example, think of a random word. You will near certainly have chosen a concrete noun despite most words not being nouns. This bias is illustrated by GCHQ's own example passwords in which all of the 6 'random' words are concrete nouns. This is one of several biases introduced when you "think" and "choose" your password.
Length is another reason #thinkrandom passwords are weak. Three words isn't long enough.
The alternative to #thinkrandom is Diceware, a method of generating strong, memorable passphrases developed by Arnold Reinhold and since improved by the Electronic Frontier Foundation. It involves rolling physical dice to generate a string of 5 numbers between 1 and 6 that correlate to a word on a wordlist. To generate a Diceware passphrase:
At 90 billion guesses per second, it'd take (((6^5)^6/(2*90*10^9)/(1000*365.25*24*60*60) ≈) 39 millennia to crack a six-word Diceware passphrase compared to 0.019 seconds for a #thinkrandom password.