You definitely don’t want to be using these

  • Cousin Mose@lemmy.hogru.ch · 7 up · 8 days ago

    From my experience brute forcing passwords, no. It’s smart enough to try character substitutions and it annoys me so much that the FBI recommends this practice.

    • Annoyed_🦀 @lemmy.zip · 2 up · 7 days ago

      Wait, it’s not? I remember some people in the industry recommending this sort of password, albeit with a variation of other random words, as it’s pretty strong and would take a very long time to crack.

      • locuester@lemmy.zip · 3 up · 7 days ago

        Indeed, just four impersonal words is a great password. Mix up the capitalization and it’s even better.

      • Cousin Mose@lemmy.hogru.ch · 2 up / 3 down · 7 days ago

        If it’s a bunch of words found in any dictionary then, with or without character substitution, it’ll be easy to crack.

        • itslilith@lemmy.blahaj.zone · 4 up / 1 down · 7 days ago

          It’s not. A dictionary has on the order of ≈100,000 (10^5) words in it. Picking five words entirely at random gives you 10^25 combinations, which is about the complexity of 14 alphanumeric characters. So pretty secure.

          • LostXOR@fedia.io · 5 up · 7 days ago

            That’s true for a dictionary of 10^5 words. However, the xkcd comic assumes a 2048-word dictionary, which only gives you 1.75 x 10^13 combinations. If your password is hashed with a weak algorithm, that can be cracked in minutes on a decent GPU. Luckily that can be fixed with just a few more words; 7 words gives you 1.5 x 10^23 combinations.

            I don’t really like the xkcd comic because it says the user shouldn’t be worried about offline attacks on hashed passwords. Unless you have a unique password for every service (best practice, but too much for the average user), using a password that is weak to offline attacks puts your other accounts at risk if one service has their password hashes leaked. Which does happen, a lot.
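The keyspace arithmetic from the two posts above (itslilith's 10^5-word dictionary with five words, LostXOR's 2048-word xkcd list with four and seven words), as an added example that is not from the thread. The guesses-per-second rates are constructed assumptions, included only to show why the server's hash algorithm changes the offline-attack picture so much.

```python
import math

ALPHANUMERIC = 62  # [A-Za-z0-9], the charset the "14 alphanumeric characters" comparison uses


def passphrase_keyspace(dict_size: int, n_words: int) -> int:
    """Distinct passphrases when each word is drawn uniformly and independently
    from a dictionary of dict_size words (order matters, repeats allowed)."""
    return dict_size ** n_words


def entropy_bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from this keyspace."""
    return math.log2(keyspace)


def equivalent_random_length(keyspace: int, alphabet: int = ALPHANUMERIC) -> float:
    """Length of a uniformly random password over `alphabet` symbols with the same keyspace."""
    return math.log(keyspace) / math.log(alphabet)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time for an offline attacker who knows the dictionary and the word
    count; on average half the keyspace is searched before the passphrase is hit."""
    return keyspace / 2 / guesses_per_second


def summarize(dict_size: int, n_words: int, guesses_per_second: float) -> dict:
    ks = passphrase_keyspace(dict_size, n_words)
    return {
        "keyspace": ks,
        "bits": entropy_bits(ks),
        "equiv_alnum_chars": equivalent_random_length(ks),
        "expected_crack_days": expected_crack_seconds(ks, guesses_per_second) / 86400,
    }


# Constructed guess rates (assumptions, not figures from the thread).
FAST_UNSALTED_HASH = 1e10  # a fast, unsalted hash on a single GPU
SLOW_KDF = 1e4             # a deliberately slow, well-tuned password KDF

if __name__ == "__main__":
    cases = [("2048-word list, 4 words", 2048, 4),
             ("2048-word list, 7 words", 2048, 7),
             ("100k-word dictionary, 5 words", 10**5, 5)]
    for label, dict_size, n in cases:
        for rate_name, rate in [("fast hash", FAST_UNSALTED_HASH), ("slow KDF", SLOW_KDF)]:
            s = summarize(dict_size, n, rate)
            print(f"{label:30s} {rate_name:9s} {s['bits']:5.1f} bits "
                  f"~{s['equiv_alnum_chars']:4.1f} alnum chars  {s['expected_crack_days']:.3g} days")
```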