It's even better when you consider you can actually get someone tech averse to actually use a complex passphrase. For a password they will just use two words and a birth year, slap them together, maybe add an exclamation to the end of required, and call it a day. I'll take a four word passphrase over a two word two digit one special character passphrase any day.

@@TheEclecticDyslexic And then stupid websites won't just let you use a few words. You have to throw in a capital, numeral, and special character. My go-to is to capitalize the first letter, then add a 1! at the end. So much for improving security...

Memorization of passwords in general is _not_ a benefit. No-one should ever even know the passwords they are submitting when logging in. With a password manager, there is never a need to know your account passwords. Now, granted: remembering the master password to your password manager is pretty darn'd essential! So, using this technique for that one password is indeed a reasonable proposition. But if you are aiming for a mechanism to help you remember dozens of passwords for dozens of websites or accounts, you are barking up the wrong tree: it's the wrong goal in the first place. The right goal should be to use randomly-generated 20+ character passwords that are unique per site/account ...and which you simply do not personally know and don't even need to remember. KeepassXC for the world!

​@dizwell I work in IT and need to be able to enter my administrative passwords on any computer in any department at the office. Even if I have a password manager on my phone, it is very difficult to copy a random 20-character password from my phone to the computer.

​@@tasmanwinchcombe9774 Er, I work in IT too. One of the more serious Oracle DBAs on the planet at one time, in fact. And there are **no** circumstances in which remembering administrative passwords is appropriate. SSH remotely to anything serious and your password manager is on your local PC. If physically visiting the rack is necessary, then a minute spent laboriously copying the password off your phone is no real inconvenience at all. It is also possible to create a non-privileged account with a correct-horse style password on the server you keep having to visit that runs nothing but a password manager. You log into that account that gets you nothing but access to the password manager. You then supply a complex (but standard) password and a unique keyfile from a USB stick to make the local password manager unlock correctly, get the password you actually want from there and use su to then gain administrative access to that machine. There are various other approaches that could be taken too, of course. What you are actually saying is that there is always a trade-off between security and convenience... and this is 100% true. You, however, appear to think that being an IT administrator means it's OK to opt for the convenience side of that equation. I don't, and I don't think it's ever appropriate (or necessary) to do so. Normal users whose most important secret is a $200 bank account: fine, I'll make allowances. IT professionals? Nope. It would be dismissal for gross negligence if you ever tried that in any workplace I was running, put it that way. What the fine video neglected to point out, too, is that it is trivial to construct databases containing the text of the entire Bible, the OED, the entire Project Gutenberg archive, the whole of Wikipedia and every single national newspaper article published in the last couple of decades, plus more. That gives you a *huge* wordlist to use as a crowbar. In 2013, a 4-Radeon 7950 set up costing $800 could guess 30 *b*illion word combinations _per second._ Including mucking about with capitalisation, inserting odd characters into the middle of things, and so on. Search Google for "Ars Technica How the Bible and KZfaq are fueling the next frontier of password cracking" for a good article on the subject, note that it was published in 2013 and then consider how much more powerful graphics card parallel processing has become since then. The password "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" was guessed within moments because it happens to be a phrase from the H. P. Lovecraft short story "The Call of Cthulhu" and was included in a Wikipedia article on the man. Humans being human, they won't _really_ select four random words from the dictionary, but will instead pick things like "Harry Potter and the Deathly Hallows" or "A Little Piece Of Heaven": trivially guessable, no matter what mangling, re-capitalisation or number insertions take place in an attempt to obscure it. In short, and being deliberately blunt about it, because it's an important subject: If you are relying on this technique outside of a purely domestic situation, you are doing it wrong. Period.

Mostly... This can become a real hassle when logging into apps on your tv or e-reader, for example 😁. Keeping things somewhat typeable might make sense

I'm in the process of changing all of my passwords to a combination of "4 random words" and high strength passwords (20+ letters [random capitals], numbers and special characters. I keep an Excel list with multiple backups and update it whenever I change passwords. And yes! I save it password protected with a more memorable password. I save it as something unrelated (obviously not "passwords"), hide the sheet and leave a bog standard spreadsheet visible.

@@ianl1052 Better use a dedicated password manager. Excel's password protection is... well let's call it: in dire need of improvement. Also, a real password manager will do the copy-and-pasting for you and it will also create truly random password (if you create passwords manually they usually aren't; humans are very bad at being random).

@@stephanweinberger You mean like LastPass who got hacked?!?

@@ianl1052 no, since we are comparing it to an Excel-sheet I of course mean locally installed programs (like e.g. Keepass or Enpass), not cloud solutions.

Klingon passphrases! qa'wI' may'morgh!

You are not supposed to pick the words. Though any language is fine (adjust for number of words).

Ka pla

which has zero impact on brute forcing time.

"Poppycock!", I say...as a password word?

The main problem is places with strict password limits like banking software which didn't (and still don't) allow you to just add more words.

Many so-called security systems have no clue about what makes a password strong. I use a password manager that will generate a 20-character password from the alphanumerical set (i.e. 62 characters) giving 7 x 10^35 possibilities. I restrict it to that base because I sometimes have to type a password into a field manually on my phone, and I make too many mistakes when shifting to symbols on the pop-up keyboard. However, some sites reject my 20-character password as "too weak" because it has no special characters, although they will happily let me use Password123! which they deem "strong". I could train chimps to produce better algorithms.

Wow… I thought I had written this comment! Your ‘password’ algorithm’ is EXTREMELY similar to mine! My previous life was spent in some seriously hairy mathamatics, and deep statistical analysis showed me the usefulness of this general method. (My Father was a mathematician (he also taught graduate & post-graduate), so he helped with some of the more esoteric stuff) One thing I figured out in the intervening years is that ‘security question’ type security does NOT have to be a answered ‘honestly’ nor ‘correctly’. My answers to “Mother’s Maiden Name” or “Favorite Food” have NOTHING to do with Mom or Apple Pie. I view it as ‘an answer’ to a ‘question’, NOT THE CORRECT answer to a ‘specific’ question. I also use ‘phrases’ from songs or sayings or speeches, etc as ‘passwords’ or ‘pass phrases’. “Four Score and Twenty Years Ago” “I’ve Seen It Raining Fire In The Sky” “To Be, Or Not To Be’ “Fish Or Cut Bait” “Jump Down, Turn Around” Etc and etc, combine to form ridiculously long pass-phrases for pass-keys. Use character substitutions e.g. $=s 1=l 3=e 0=o Don’t use your birthday, or anyone’s else for that matter. Use the year and month you had your first fender-bender, for example, or when you got your first kiss, make it YOURS, but extremely unlikely to be in any database, but that are memorable to YOU.

CORRECT!!! 🙂

One problem is that websites (for example a bank) occasionally require that you change the password. Have you figured out a way to handle that idocy?

@@chuckgrigsby9664 The only reason to change a password is if it has been compromised. In other words, the bank is worried that its password database is likely to be stolen. I'd point that out to them, and ask that if they have no confidence in their security systems, why should you? Of course that assumes that nobody ever reuses passwords, because if one site is compromised, it compromises our account on every other site where we reuse the password. But that's very much within our own control.

@@rationalbushcraft That's the real issue, both with passphrases and traditional passwords. Humans are very bad at choosing random things. It's almost always better to let your computer generate your password. There are programs that can generate passphrases too (or you can use something like Diceware, where you roll 5 dice and then look up the corresponding word in their word list).

I just use a password manager for my 32 random characters. It rolls the 32 random characters too.

Yes. This video missed the point completely. Which is odd as it's shown explicitly in the cartoon, with illustrations.

@@JaimeWarlock Agreed. I then use this random word technique as the master password for the password manager. It is really secure even if someone has physical access to the device.

@@misterrichardc yet you pretend thats something most or even 1 percent of people will do? this is as dumb argument

Incremental passwords are often used for websites and computer systems that require passwords to be changed every 90 or 180 days and won't let you reuse any of your previous 10-12 passwords. That makes it very difficult to memorize the password so you have to write it down.

Our IT people decided that everyone needed to adhere to a very Draconian password protocol, including having to change your passwords every 30 days. The result was that EVERYONE (including the IT folks) had their passwords written on post-it notes. So, the search for ironclad security resulted in zero security.

Lol I have mine written down in actual paper. I may forget where it is, but it's not possible to hack... yet. Lol. I also don't put all of the information in place, instead using shorthand. I don't need to use my email if it's my username, so a rando who got ahold of the paper wouldn't know where to begin

German is good for that. It's common practice to join nouns for example "Donaudampfschiffahrtselektrizitätenhauptbetriebswerkbauunterbeamtengesellschaft". I'm not kidding. That's actually one word. Copy and paste it into Google if you don't believe me. Just don't use it as a password now!!!

Adding a typo through the random addition of one single character, and using a proper word list spanning the Oxford English dictionary gives you a dictionary size of over 600,000x26x6 over 90 million. Just use a good word list and add one typo, you will be all good. Edit: I haven't done all the math to check, but I don't think you should have to worry about more than say half the typoed words to collide. So call it 45 million dictionary size for good measure. That will get you the same complexity as completely randomly capitalized letters.

No. Those things make it harder to remember and therefore worse. I suggest looking at the original xkcd cartoon, it's very clear about what it's saying.

@@chaos.corner Yeah I guess spelling mistakes can be hard to remember unless you do that mistake literally all the time. But the other if they are words you use I don't think they are harder to remember. 5% of the world is native english speaker. 15% knows english. for 95% of english speaker not using english is easy. for 10% of the world using english + another language is easy. And if you are in the subgroup of the english speakers that only know the english dictionnary, and absolutely no slang, foreign language, local expression or memes. You can probably also mix in names (not in the dictionary) Still too hard ?

@@glorrin Thing is, you are not supposed to choose the password, that reduces the entropy. People use a lot fewer words than they know and even words you don't know could work if you can remember them (and you know them after that anyway). Again, I recommend reading the cartoon because it really explains it better and fully. (I do have issues with the cartoon but this guy has made a hash of explaining what it's getting at).

A bigger problem is that a lot of server code won't properly store certain characters. So you typed "ABCΩΣX", but it was modified somewhere before saving to "ABC&&&", but when you try to use it, the code modifies it differently to "ABC***", so password doesn't even match properly. I have even had government servers crash when entering special characters.

i have had this problem of a fashion when i try to use the same site on my computer and phone.

Agreed, use this as bases for master password of password manager, then use that to generate 40+ character random passwords for each site is my method. Then I'm remembering one, not many options. That said, make the random words into a nonsense phrase, easier to remember and your connectors just became multiple words with and without spaces and capitalization.

Yeah, the xkcd cartoon tries to make it seem like remembering one word, "troubador" with some simple tweaks is someone how harder to do than four unrelated words and in the correct order.

I agree that I wouldn’t remember which words I used over what random characters I used and I use a password locker. But I can see the benefit is that it would easier to type in random words when your password locker isn’t able to auto-populate for you.

Yeah, in this way the “forgot password” is basically functioning as multifactor authentication.

The point is by using four or more random words your making it easier to remember a longer password, and thus more likely that a longer password would be used. You can remember :"correct horse battery staple" at 28 characters, but no one is going to remember a truly random password of that length.

Absolutely, I don't think he thought this through! 😂 His answer to you is just a fudge to try and cover that up isn't it! The maths used in the video clearly doesn't back up his "explanation" to your comment because I think (I lost interest halfway through!) he comes up with 2 completely different answers for a 12 character password depending on whether it comprises 12 random characters, or 4 words. As you point out, that's not possible.

@@askleonotenboom *you're (contraction of "YOU aRE") your = possessive

​@@pjay3028He explained quite clearly in the video that the advantage of the passphrase is its length. Adding some random capitalization and special characters increases the possible combinations of a passphrase quite a bit.

@@drooplug try and think it through logically.....!

Do you have a favourite book you've never mentioned online? Or an obscure book found in a 2nd hand bookshop, perhaps? Can you memorise a particular page number? On that page, can you memorise a number for which paragraph to pick? Does that paragraph contain a name which the author clearly made up? All of those things give you a chance of a passphrase that nobody is going to break, no matter how they prioritise particular words. If you can remember paragraph 4, page 73 of fly fishing by JR Hartly, then you can use the entire sentence, increasing the security of your passphrase. Fellow Brits of at least a certain age know that book to be from an advert many moons ago. If someone ever published that title, it would be useless if a crackers dictionary were to be built using comments on passphrase videos, but it was an advert. Even a phrase from whatever holy book you may have been brought up with is better than nothing, because a cracker would have to try every verse of every chapter of every book, and that is making the assumption that you begin your passphrase at the first word of the verse. As noted in the video, increasing the length of your phrase increases you security. Being a favourite line from a book is obscure, being a random line is even more obscure.

​@@mattsadventureswithart5764but what about the wet quantum monkey potatoes and actuarial data? It's probably too late now man. We blew the lid off of this whole freaking operation :( I need a hat like magneto has

​@@mattsadventureswithart5764bottom line is don't wash your potatoes without this magneto hat or the monkeys on the other island are gonna wash their potatoes and the insurance companies and credit agencies are gonna guess your password

@@mattsadventureswithart5764 I remember a story of a password that was cracked and it was a line from a poem written in a language that only a few hundred people spoke. You may be better off making up your own lines than using one that anyone else knows.

If the number of preconditions approach the password size, as was your example, there is a slight decrease in the possibilities, but not quite as you calculated. (You’re presupposing a character order in your calculation that a brute force method will be unable to adopt to be consistently successful.) As the minimum password size exceeds the number of preconditions, the efficacy of a brute force method decreases exponentially, because it (largely) cannot assume that any position is of a certain character classification. Hope that helps.

I don't think this is true since in a brute force attack, hackers still need to search through all 72 possibilities at each of the four positions in the password because they do not know in which position you placed the capital letter, lower case letter, number, or special character, and they will not know until they have completed the entire password correctly. Thus, the possibilities are still 72x72x72x72, i.e., the same as without the restrictions. Even if they had some feedback as to whether or not they found the correct character at each position after going through all the possibilities for that position, your math does not work. (This is somewhat of a moot point since passwords only work after the entire completed password is entered with no feedback as to the correctness of the symbol at each position as it is entered, but I include this hypothetical scenario to show that the 26x26x10x10 calculation is also wrong for this scenario.) For the first position tested, they would always have to test for all 72 possibilities since they do not yet know what type of entry is in any of the positions. If they found the first tested position to have a capital or lower case letter, then they would need to test the remaining 46 possibilities, for the next position. If, however, they found a number or a special character for that first tested position, then they would need to test the remaining 62 possibilities for the second tested position. Here are the distinct possibilities for this scenario (note that the possibilities where the Caps and lower case (lc) positions are interchanged, or the number (num) and special character (sc) positions are interchanged, are not distinct since there are the same number of Caps and lc letters, and there are the same number of numbers and special characters): Cap lc num sc: 72 x 46 x 20 x 10 num Cap sc lc: 72 x 62 x 36 x 26 num Cap lc sc: 72 X 62 x 36 x 10 num sc Cap lc: 72 x 46 x 36 x 10 Notice that none of these scenarios yield the result 26x26x10x10. The only scenario that would yield that result is knowing ahead of time which position contained which type of character so that only the possibilities for that type of character would have to be tested at each position.

@@luminiferous1960 Thank you for spelling that out. (I was going to leave that as an exercise for the original poster!) To take your analysis further, it should be obvious that as the minimum password size increases, the number of 72 multiples increases in kind. This is the core of the logic behind requiring a password with a capital, a number, and a special character. Without it the brute force method can cheat and work below a 72 threshold.

@@AnimationByDylan Yes, the extension as the password size increases is obvious, especially since this was shown with many examples in the video. I'm glad that ericapelz260 chose only a 4 character long password to illustrate her erroneous point so that I did not have to go through more distinct possibilities to illustrate the error in ericapelz260's math. What saddens me is that ericapelz260's comment with the wrong math got so many likes without anyone else questioning the math. I think it is a case of confirmation bias since most people dislike having to meet any imposed restrictions on their passwords since it may make them slightly harder to remember and/or to type, so they would prefer to believe that the restrictions are not necessary and are even counterproductive.

26 x 26 x 10 x 10 can work. If you then multiply by the possible combinations. So the answer is 26 × 26 x 10 x 10 x 4! X 72 ^ (x - 4). X being the length of the password

The capitalization thing was not part of the original cartoon. It really explains it much better than was done here.

That's a sign of incompetence. The only thing worse is when they have a secret limit and don't bother to tell you about it. I've been hit with that a few times where I set the password, save the password and it won't work because it's doing something weird witht he truncation.

But the four words will be easier to remember than something from a random-password generator.

@@stevesmith291 No question.

@@stevesmith291 What's so hard to remember about p̶͇͉̯̰͊͒̂͆̚a̸͇͔̙̙͙̎͐̍͆̏̌͗ͅş̵̪̜͔̹̰̐̐s̷̯̲̪̪͈̐̊͊̽w̴͓̪̬͎̾͐̒́͗̾͗o̵̱̗̖̺͐̓̅̈́̕r̵̮̰̼͎͉͖͛͑̓̐͗̉d̶̘̲̣̿͛̀̎̎1̵̛͕͊̋2̵̡̛̙̝̦̹̚3̴̢̛͗͂̓̈́̕ ?

Try generating passwords with a phrase mnemonic - taking the first (or last) letter of each word in the phrase and also add in a special character and number(s) based on the phrase itself. I Cant Believe Its Christmas/Then 1 More Week Until New Year becomes a password of ICBIC/T1MWUNY That gives the strength of strings of random characters but maintains the easy to recall aspects of using words. Plus there are far fewer issues with running out of characters on a given site due to their password conditions.

word passphrases naturally generate long passwords anyway though for the average person it is basically impossible to memorize a 20 character password... but even if you are only using short words - memorizing a 6 word phrase of random words is pretty easy... and if you go by 4-5 characters per word on average and add some variant of spacing character in between each... thats easily 30-40 characters long, so way past anything a character based brute force attack has a chance to hit so the only thing that needs to be accomplished from there is being secure enough that someone who knows your method/wordlist still faces too much complexity to realistically brute force it in the end it doesnt matter if an attacker has to run calculations for 300 years or 30000 years... neither of them are viable attacks

You could also forget the special characters and just add one more character for the same complexity. If you're truly picking from a large word list you could get four words like: Susquehanna abstractedly hitherward unwonted There's no way it's easier to remember than "ICL1 yek TM2" unless you're throwing out any words you just don't like, and then it's not really from a list that large.

Your 16 random characters is 16 concepts, which must be memorized in a sequence. This exceeds the normal human memorization limits of 10 concepts in a sequence. And those concepts aren’t easy to memorize. 4 random words is at most 4 concepts, and those concepts are objects rather than arbitrary characters. By using the human ability to construct patterns, you can often reduce the 4 concepts to a single compound concept. The point of the cartoon is that random characters are low in entropy and hard to remember. It gave a typical human attempt to create a secure password that can be remembered, and compared it to an equivalent security random word sequence. It pointed out that the short password that met “security” guidelines was extremely hard for a human to remember but relatively easy for a computer to break. Whereas the 4 random words that did not meet guidelines was trivially easy to memorize, but actually harder for a computer to break. Yes it is possible to create high entry short sequences that are even harder to remember, but just increasing the word table size and number of words will match the entropy while still staying relatively easy to memorize. At 6 words from slightly larger word tables, your 16 characters is matched, and 6 words are more memorizable than a phone number, while your 16 characters isn’t memorizable.

Diceware is the best, but a program to generate it is the worst, as you open yourself up to a new set of attacks and bugs. It is much simpler to ensure you have a fair and unmonitored set of dice than it is to ensure you've got a fair diceware generator.

Actually only one die is REQUIRED although six will be easier/faster. Simply roll the single die six times. Search "diceware reinhold" (URL may not be allowed to be posted) for a detailed explanation of using a passphrase and associated information, e.g. a good Diceware list containing 7,776 short words, abbreviations and easy-to-remember character strings (the average length of each word is ~4.2 characters). That list is also available in an alternate list that Alan Beale compiled to replace most Americanisms and a lot of obscure words with more recognizable alternatives. The main list is available in other languages.

Well, you don't use a word list that's been compiled for some automated process. You use your own vocabulary, and include stuff that's not part of the average vocabulary. Most people will have hobbies or work that has its own words for things. Sometimes they're just different words for something that's commonly called by a different name, but that's enough to drastically decrease the chances that it's in some cracker's word list. Acronyms count as words, too, which can be further modified by un-abbreviating parts of them. And if you choose a word that's easy to misspell, even better; mispelled (misspelled, mis-spelled, misspelt, mispelt, etc) words are also distinct from their "correct" spelling and might even be outside of all recorded word lists. Using your own brain to pull words from disparate sources that you're familiar with will give you a mental word list to work with that's unlikely to be entirely contained in someone else's automated list even though it may be quite short due to your limitations as a mere human. You are a unique individual with a unique set of knowledge, experiences, memories, and thought processes that nobody can duplicate. Leverage your individuality instead of relying on real-world tools. Hackers can't access something that only exists in your mind. To keep things easy to remember, come up with rules for how you use things and follow those rules in every passphrase. Some examples: Rely on acronyms and proper names to provide your capitalization. Always use the same special character and in the same place (like always putting an interrobang after the third letter of the second word). Use the year for your numbers, but backwards and with the two inside numbers on the outside, and use them to separate your words. If you never tell anyone your rules, don't use a rule that's easy to guess (like always capitalizing the first letter or always ending with a number), and never write down your passphrases or rules, then nobody will ever know that you use any particular rule(s) to be able to narrow their range of attack. If you're worried about someone deriving your rules from cross-referencing passwords between decrypted leaks from multiple sites, then simply change your rules every few years or on occasions when you become aware that your password may have been leaked/compromised. Remembering a new ruleset is no more difficult than remembering a new passphrase, and is a lot easier than remembering how you spiced each phrase individually.

Maybe I'm misunderstanding but can't you just open a physical dictionary at a random point?

You could do that, you'll need a random page and a random word on that page, but how random will it actually be? Humans are terrible at being random. We'll open the dictionary more in the middle, or it will fall open at natural places, we'll skip over long words, hard to spell words etc, all of which greatly reduces the entropy. Suppose you solve the randomness and do take a large single volume dictionary like NOAD with 350,000 words. A single word from that represents log2(350,000) = 18.4 bits of entropy. An easy to spell and remember 2048 word dictionary is log2(2048) = exactly 11 bits of entropy. So just two words from the simple set has more entropy, more combinations than a single NOAD word (which is also very easy to see as 2048*2048 = 4M > 350K). Another way of looking at is roughly 5 NOAD words has barely more entropy that just 8 simple words (10^27 vs 10^26, or 92 vs 88 bits). If you only have pocket dictionary, things are even worse with maybe 35,000 words, 15 bits per word and you need 6 words to compare to 8 simple words. So personally I would rather pick more words from the low word count common dictionaries I mentioned than try to achieve this physical method reliably and end up having to remember how to spell a word like "esquivalience"! @@marcwilliams9824

Were any of your accounts ever hacked so that you decided to go to a more secure password?

Yes, my Rockstar games account was continuously hacked by someone in Russia several years ago. It hasn't happened a single time since I started using random nonsequential and nonrepeating 32 character passwords. I've noticed attempts on my accounts when I see texts or emails with a login security passcode, those desperate bastards.@@brownro214

8 alphanumeric characters takes closer to 2 minutes to crack.

Don't pick words yourself. Let your password manager do it or flip open your dictionary (you have one), close your eyes and put your finger on the page. Do that four times. Done.

@@brownro214 your dictionary method is not terribly random (humans are terrible at doing things randomly), and if you are using a password manager, go with the 20 character random string it suggests instead.

underlines are just non-alpha characters.

I approve. :-)

Yes. Missed the point of the comic completely.

In that case, "Correct Horse Battery Staple" has 28 characters, and even if the hacker correctly assumed the capitalisation, that would give 27^28 = 10^40 possibilities. Brute force on that would take longer than the life of the universe. The hacker is much better off using a 4,000-word dictionary attack with around 10^13 possibilities to test.

You missed the point that if you treat a passphrase as 25 individual characters (Correct Horse Battery Staple), it's basically uncrackable.

So, would, "Fur die tod reiten schnell" be a good passphrase by your methods?

@@horusfalcon Not if the hackers are German.

Pass phrases done correctly ARE random word sequences. :-)

@@askleonotenboom Yes, but I've never really bought into the notion that this really is any better. And it's going to vary widely from language to language. correctHorseBatteryStaple is 50.98 bits worth of entropy EUf8wfxChNLSDUDjHH5gsyVyD is 138.33 bits of entropy. This is one of the things where Randall screwed things up. It's weaker security and it only really makes any sense if you're trying to remember the password. Which doesn't really make much sense as over the years, I've accumulated hundreds of passwords and in many cases there are mandatory password changes as well.

@@SmallSpoonBrigade You have to remember at least one password. Use a passphrase (spiced in some memorable way) to create a long password that you can remember for your password manager. Then use that manager to store the longest allowed random-character passwords for each of the other sites/systems that you have passwords for. This provides the best of both worlds. The password for the most private (least likely to be targeted/compromised) system accommodates your humanity while the passwords for the more exposed systems provide the greatest challenge possible for analysis / computing hardware.

You use a password generator to create those long random character strings, right? So why do you assume a person wouldn't use a random _word_ generator to do the same thing? And random capitalization, to use an example, can be based on a system that you devise which is also easy to remember. Say, for a five word passphrase, you capitalize the fifth letter of the first word, fourth of the second, third of the third, second of the fourth, and first of the fifth. That would be easy enough for a hacker to determine if they knew your system, but they have to figure out your system first.

They are not supposed to produce the words. They are supposed to be randomly generated. They are also not supposed to randomly capitalize words. Also, the comparison is not supposed to be against randomly generated string passwords. I highly recommend reading the original comic.

Right but because they use words they are massively massively less secure than the equivalent amount of random characters. So you can kind of look at each word as a character of a much larger alphabet, and we only use 3-5 of these characters. And capital letter replacements or numbers etc can make it way way more complex.

@@mynameisben123 Which is why my last sentence is what matters :P If passphrases were the only option, then it'd transfer too much from security to convenience. There are of course far more options that just one dictionary's content, though...

That might help to memorize the password but it is not harder to break than a randomly generated password of the same length.

@@brownro214 Neither are passphrases. Random characters of x length are by definition the hardest to crack.

Hackers will either try a brute force attack or a dictionary attack. Typically for a dictionary attack, a passphrase might be tested against four words drawn from a 2,000-word dictionary of common words. That gives 2000^4 = 1.6 x 10^13 combinations, or about (2^11)^4 = 2^44 - what XKCD calls "44 bits of entropy". That is approximately equal in difficulty to seven random characters from a 72-character set if the hacker is trying brute force. Nowadays you want at least six words, giving 66 bits of entropy, equivalent to eleven random characters. More would be better. Using very unusual words would help. If the hacker has to use a 4,000-word dictionary, each word then has 12 bits (4096) of entropy. And so on, but you do get diminishing returns. Note that an eight-character random password taken from the 62 alphanumerics is over 20 times stronger than a seven-character random password taken from the 72 characters making up the alphanumerics plus special characters. Length is far more important than having a larger pool of characters or requiring a bigger dictionary. Replacing letters with symbols is worthless, as it doesn't greatly increase the number of tries the hacker needs, but makes it near impossible for most folk to remember.

The answer is that it's weaker security and really only acceptable if you absolutely need to be able to remember it without a password manager. It's less than half the entropy of a random password involving just the alphabet and numbers. The problem is in the notion that there are more words than characters as that assumes that you know the extra words and somehow that words are more secure than other strings of characters. Which is largely false, you probably don't know more than a 10-20k words. And it only takes 4 random characters to exceed the number of possible English words. At just 3 you've already exceeded the vocabulary of any college educated writer by an order of magnitude. (That's assuming 26 lower case letters, 26 upper case letters and 10 digits, it gets out of hand even more quickly if you allow a few punctuation characters as well)

Reread the comic. You seem to have forgotten the points it made.

@@SmallSpoonBrigade The comic does not assert that it's more secure than a random string of characters but that it's easier and more secure than the passwords people try to remember.

It's a waste of energy to be comparing two methods of known to be weak two factor authentication for security. It's like asking," is it better to put the key to my safe deposit box in my wallet in my pants pocket or attach it to many other keys that fit into that lock and keep that bunch in my pants pocket?" That ignores that to get the box you have to pass a guard who asks your name. If the guard accepts your email address as your name, you have as much time as you need to try all those keys in private.

He was estimating that the average word had 5 letters.