XKCD #936: Short complex password, or long dictionary passphrase?
How accurate is this XKCD comic from August 10, 2011?
I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against me on that one. However, XKCD's analysis seems spot on to me.
Am I missing something or is this armchair analysis sound?
A practical note: I have used Diceware to help me select random words before. I found I could remember 5 words really easily. I did roll a couple of times to find a sequence that felt nice to say (in my head) though, without necessarily making sense.
New most common passwords: `onetwothreefour` `passwordpasswordpasswordpassword` `teenagemutantninjaturtles`
I think commentors here have brought up all of these points already but, for the record, here's some elaboration by the comic's author, Randall Munroe: http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020
@LotusNotes Mine requires exactly FIVE! And every stupid forum requires a >8 chars, upper+lowercase+numbers+punctiation...
Comments are not for extended discussion; this conversation has been moved to chat.
In an empirical test, passphrases don't seem to help as much as XKCD would have you believe: dl.acm.org/citation.cfm?id=2335356.2335366
@wbt Interesting. It's a shame the passwords they were comparing with were only 5-6 characters though. Would be interesting to see a similar comparison with actual security.
I think the most important part of this comic, even if it were to get the math wrong (which it didn't), is visually emphasizing that there are two equally important aspects to selecting a strong password (or actually, a password policy, in general):
- Difficulty to guess
- Difficulty to remember
Or, in other words:
- The computer aspect
- The human aspect
All too often, when discussing complex passwords, strong policies, expiration, etc (and, to generalize - all security), we tend to focus overly much on the computer aspects, and skip over the human aspects.
Especially when it comes to passwords, (and double especially for
average users), the human aspect should often be the overriding concern.
For example, how often does strict password complexity policy enforced by IT (such as the one shown in the XKCD), result in the user writing down his password, and taping it to his screen? That is a direct result of focusing too much on the computer aspect, at the expense of the human aspect.
And I think that is the core message from the sage of XKCD - yes,
Easy to Guessis bad, but
Hard to Rememberis equally so.
And that principle is a correct one. We should remember this more often, AKA AviD's Rule of Usability:
Security at the expense of usability comes at the expense of security.
For an in-depth analysis of the maths behind the xkcd, see Thomas's answer below. His answer shows why the xkcd got the math right, a perfect complement to why it doesn't actually matter.
writing down a password is not that much of an issue. people robing you leave with cash, jewelry, light and fencable things (laptops, tablet...), but they don't care about a password on a post it on your desk. Especially since a/ they don't have the login and b/ they don't know what service it is related to.
@njzk2 It sounds a lot like a phrase that people who keep their passwords on a desk post-it would use to reassure themselves by fooling themselves into thinking they are safe. If my home gets robbed I would be much more concerned about the robbers having my banking password than about having lost my cash, jewelry etc; especially if I find out about the burglary only when I get home at the end of the day. The only remotely potentially tenable justification for keeping passwords on desk post-its is that they are passwords to something not important so it's no big deal if someone steals them.
@SantiBailors having a random sequence of words on a piece of paper somewhere is far from giving you access to anything. could be a hint, could be a password, could be obsolete, could be a transformation of the password, and even then you don't know to which account it belongs, nor what is the username.
@njzk2 Yes, it could be many things, but the things that interest a thief are very few, so the thief will probably give f.ex. your internet banking some shots with that as the password. And other things they stole from your home are likely to give away what your bank is, from which it's easy to find out what kind of usernames that system uses, and if it doesn't use standard usernames (f.ex. mine uses my social security number) then the username is likely to be written on the same post-it. I'm just saying if I write down my passwords I wouldn't leave them on the desk.
@SantiBailors agreed, it is not a good practice. But I think it is better for someone who would have difficulties in remembering a good password than choosing something trivial, like the name of their dog.
I would generalize "difficulty to remember" to "difficulty to use", which contains both "difficulty to remember" and "difficulty to enter".
@Pacerier not... exactly, just that there are aspects of one in the other - and they should not be ignored, nor are they at odds with each other.
Great quote! Mind me using it in an internal company infosec page (with source url)?
@johanvdPluijm please do! I'd appreciate attribution, or call the rule by it's proper name :-)
@AviD: I also put it in my internship report about information security awareness: "Other key aspects were relevance and usability: “Security at the expense of usability comes at the expense of security” (AviD, 2011)." There you go. I did rectify the use of this source by the number of upvotes. Now you are part of a limited number of people I dare to quote in my internship report (+/- 30 atm)
Another thing that makes the battery staple method better (via AviD's observation on usability) is the increasing number of mobile devices. On a mobile keyboard, the 'leetspeak' method requires a lot of pecking and symbol table shifting to and fro, while the battery staple method can be typed in much more easily with less risk of error. Try timing yourself how quickly you can enter either sample password on an iPhone's screen keyboard.
One advantage for passwords that are complete gibberish: If somebody happens to glance at one on your screen, it's unmemorizable without quite a lot of work.
Here is a thorough explanation of the mathematics in this comic:
The little boxes in the comic represent entropy in a logarithmic scale, i.e. "bits". Each box means one extra bit of entropy. Entropy is a measure of the average cost of hitting the right password in a brute force attack. We assume that the attacker knows the exact password generation method, including probability distributions for random choices in the method. An entropy of n bits means that, on average, the attacker will try 2n-1 passwords before finding the right one. When the random choices are equiprobable, you have n bits of entropy when there are 2n possible passwords, which means that the attacker will, on average, try half of them. The definition with the average cost is more generic, in that it captures the cases where random choices taken during the password generation process (the one which usually occurs in the head of the human user) are not uniform. We'll see an example below.
The point of using "bits" is that they add up. If you have two password halves that you generate independently of each other, one with 10 bits of entropy and the other with 12 bits, then the total entropy is 22 bits. If we were to use a non-logarithmic scale, we would have to multiply: 210 uniform choices for the first half and 212 uniform choices for the other half make up for 210·212 = 222 uniform choices. Additions are easier to convey graphically with little boxes, hence our using bits.
That being said, let's see the two methods described in the comic. We'll begin with the second one, which is easier to analyze.
The "correct horse" method
The password generation process for this method is: take a given (public) list of 2048 words (supposedly common words, easy to remember). Choose four random words in this list, uniformly and independently of each other: select one word at random, then select again a word at random (which could be the same as the first word), and so on for a third and then a fourth words. Concatenate all four words together, and voila! you have your password.
Each random word selection is worth 11 bits, because 211 = 2048, and, crucially, each word is selected uniformly (all 2048 words have the same probability of 1/2048 of being selected) and independently of the other words (you don't choose a word so that it matches or non-matches the previous words, and, in particular, you do not reject a word if it happens to be the same choice as a previous word). Since humans are not good at all at doing random choices in their head, we have to assume that the random word selection is done with a physical device (dice, coin flips, computers...).
The total entropy is then 44 bits, matching the 44 boxes in the comic.
The "troubador" method
For this one, the rules are more complex:
- Select a random word in a given big list of meaningful words.
- Decide randomly whether to capitalize the first letter, or not.
- For the letters which are eligible to "traditional substitutions", apply or not apply the substitution (decide randomly for each letter). These traditional substitutions can be, for instance: "o" -> "0", "a" -> "4", "i" -> "!", "e" -> "3", "l" -> "1" (the rules give a publicly known exhaustive list).
- Append a punctuation sign and a digit.
The random word is rated to 16 bits by the comic, meaning uniform selection in a list of 65536 words (or non-uniform in a longer list). There are more words than that in English, apparently about 228000, but some of them are very long or very short, others are so uncommon that people would not remember them at all. "16 bits" seem to be a plausible count.
Uppercasing or not uppercasing the first letter is, nominally, 1 bit of entropy (two choices). If the user makes that choice in his head, then this will be a balance between user's feeling of safety ("uppercase is obviously more secure !") and user's laziness ("lowercase is easier to type"). There again, "1 bit" is plausible.
"Traditional substitutions" are more complex because the number of eligible letters depends on the base word; here, three letters, hence 3 bits of entropy. Other words could have other counts, but it seems plausible that, on average, we'll find about 3 eligible letters. This depends on the list of "traditional substitutions", which are assumed to be a given convention.
For the extra punctuation sign and digit, the comic gives 1 bit for the choice of which comes first (the digit or the punctuation sign), then 4 bits for the sign and 3 bits for the digit. The count for digits deserves an explanation: this is because humans, when asked to choose a random digit, are not at all uniform; the digit "1" will have about 5 to 10 times more chances of being selected than "0". Among psychological factors, "0" has a bad connotation (void, dark, death), while "1" is viewed positively (winner, champion, top). In south China, "8" is very popular because the word for "eight" is pronounced the same way as the word for "luck"; and, similarly, "4" is shunned because of homophony with the word for "death". The attacker will first try passwords where the digit is a "1", allowing him to benefit from the non-uniformity of the user choices.
If the choice of digit is not made by a human brain but by an impartial device, then we get 3.32 bits of entropy, not 3 bits. But that's close enough for illustration purposes (I quite understand that Randall Munroe did not want to draw partial boxes).
Four bits for punctuation are a bit understated; there are 32 punctuation signs in ASCII, all relatively easy to type on a common keyboard. This would mean 5 bits, not 4. There again, if the sign is chosen by a human, then some signs will be more common than others, because humans rarely think of '#' or '|' as "punctuation".
The grand total of 28 bits is then about right, although it depends on the precise details of some random selections, and the list of "traditional substitutions" (which impacts the average number of eligible letters). With a computer-generated password, we may hope for about 30 bits. That's still low with regards to the 44 bits of the "correct horse" method.
The paragraphs above show that the maths in the comic are correct (at least with the precision that can be expected in these conditions -- that's a webcomic, not a research article). It still requires the following conditions:
The "password generation method" is known by the attacker. This is the part which @Jeff does not believe. But it makes sense. In big organizations, security officers publish such guidelines for password generation. Even when they don't, people have Google and colleagues, and will tend to use one of about a dozen or so sets of rules. The comic includes provisions for that: "You can add a few more bits to account for the fact that this is only one of a few common formats".
Bottom-line: even if you keep your method "secret", it won't be that secret because you will more or less consciously follow a "classic" method, and there are not that many of those.
Random choices are random and uniform. This is hard to achieve with human users. You must convince them to use a device for good randomness (a coin, not a brain), and to accept the result. This is the gist of my original answer (reproduced below). If the users alter the choices, if only by generating another password if the one they got "does not please them", then they depart from random uniformity, and the entropy can only be lowered (maximum entropy is achieved with uniform randomness; you cannot get better, but you can get much worse).
The right answer is of course that of @AviD. The maths in the comic are correct, but the important point is that good passwords must be both hard to guess and easy to remember. The main message of the comic is to show that common "password generation rules" fail at both points: they make hard to remember passwords, which are nonetheless not that hard to guess.
It also illustrates the failure of human minds at evaluating security. "Tr0ub4dor&3" looks more randomish than "correcthorsebatterystaple"; and the same minds will give good points to the latter only because of the wrong reason, i.e. the widespread (but misguided) belief that password length makes strength. It does not. A password is not strong because it is long; it is strong because it includes a lot of randomness (all the entropy bits we have been discussing all along). Extra length just allows for more strength, by giving more room for randomness; in particular, by allowing "gentle" randomness that is easy to remember, like the electric horse thing. On the other hand, a very short password is necessarily weak, because there is only so much entropy you can fit in 5 characters.
Note that "hard to guess" and "easy to remember" do not cover all that is to say about password generation; there is also "easy to use", which usually means "easy to type". Long passwords are a problem on smartphones, but passwords with digits and punctuation signs and mixed casing are arguably even worse.
The comic assumes that the selection of a random "common" word yields an entropy of about 11 bits -- which means that there are about 2000 common words. This is a plausible count. The trick, of course, is to have a really random selection. For instance, the following activities:
- select four words randomly, then remember them in the order which makes most sense;
- if the four words look too hard to remember, scrap them and select four others;
- replace one of the words with the name of a footballer (the attacker will never guess that !);
... all reduce the entropy. It is not easy to get your users to actually use true randomness and accept the result.
The same users will probably complain about the hassle of typing a long password (if the typing involves a smartphone, I must say that I quite understand them). An unhappy user is never a good thing, because he will begin to look for countermeasures which will make his life easier, such as keeping the password in a file and "typing" it with a copy&paste. Users can often be surprisingly creative that way. Therefore long passwords have a tendency to backfire, security-wise.
Comments are not for extended discussion; this conversation has been moved to chat.
One crucial thing I believe this answer is missing is a mention of dictionary attacks. It may be obvious to anyone versed in this stuff that dictionary attacks are considered in the entropy calculation, but every single time I've heard someone criticise this xkcd strip, it's on the grounds that the author only considers brute force attacks and that a real attacker can use a more sophisticated dictionary attack. The thinking there is wrong, but I think dictionary attacks need a mention just to nay-say the naysayers and clear up the confusion here.
An error here : A string of 4 Randomly chosen words out of your dictionary...is also a string of characters chosen out of the 26 letter alphabet.... and its entropy has to be seen in that regard too. Hence the total number of letters in the string have to be such that that they do not reduce the entropy as seen from a 'Word' POV .
@Score_Under On the contrary, this answer assumes a dictionary attack, as does the comic.
@ARi Using the brute force method you mention, and assuming you use at least four 5-letter words, the second method would have at least 112.4 bits%5E26)) of entropy. (Using a dictionary attack reduces it to 44 bits, as shown.) Of course, this all assumes the attacker knows the length of the password, making it a little optimistic.
@ARi are you sure it's 'a string of characters chosen out of the alphabet' such that that would increase its entropy? isn't it specifically NOT that? I know what you mean: it's a string of characters, but it's not a string of *random* characters. The strength is not 26^25.
"there is only so much entropy you can fit in 5 characters." - Unicode defines >100k characters, giving a character a similar entropy to an English dictionary word (~17 bits). 5 characters of random Unicode has more entropy (~85 bits) than 6 words of Diceware (~78 bits). Harder to input on some devices, though.
@LukeSawczak Exactly! That's what Score_Under is saying... Please just use the phrase "dictionary attack" to be even more clear. It's really easy to mistakenly think the calculations are based on character-by-character brute forcing.
WRT the smartphone thing, I submit that the 'correct horse' type password is going to be easier to enter than the troubadour one because *you don't have to keep switching between lowercase, uppercase, letters, numbers and symbols every other letter*. And as a bonus, it also vastly reduces the chance of point errors, because they are words you know how to spell, so your muscle memory will correctly spot errors you make even when you can't see what you're typing.
The two passwords, based on rumkin.com's password strength checker:
- Length: 11
- Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
- Entropy: 51.8 bits
- Charset Size: 72 characters
correct horse battery staple
- Length: 28
- Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
- Entropy: 104.2 bits
- Charset Size: 27 characters
It is certainly true that length, all other things being equal, tends to make for very strong passwords -- and we're seeing that confirmed here.
Even if the individual characters are all limited to
[a-z], the exponent implied in "we added another lowercase character, so multiply by 26 again" tends to dominate the results.
In other words, 7211 < 2728.
Now, what is not clearly addressed:
Will these passwords have to be entered manually? And if so, how difficult is it, mechanically, to enter a each character of the password? On a keyboard it's easy, but on a smartphone or console... not so much.
How easy are these passwords to remember?
How sophisticated are the password attacks? In other words, will they actually attempt common schemes like "dictionary words separated by spaces", or "a complete sentence with punctuation", or "leet-speak numb3r substitution" as implied by xkcd? Crucially, this is how XKCD justifies cutting the entropy of the first password in half!
Point 3 is almost unanswerable and I think personally highly unlikely in practice. I expect it will be braindead brute force all the way to get the low-hanging fruit, and the rest ignored. If there isn't any low-hanging password fruit (and oh, there always is), they'll just move on to the next potential victim service.
Therefore I say the cartoon is materially accurate in terms of its math, but the godlike predictive password attacks it implies are largely a myth. Which means, IMHO, that these specific two passwords are kind of a wash in practice and would offer similar-ish levels of protection.
@Jeff, this answer is flawed. You rely upon rumpkin for password entropy estimation, but rumpkin's estimates are apparently bogus. Look at the xkcd comic again: it visually depicts the justification for its entropy estimate (that's what the little boxes are doing). xkcd's entropy estimates look about right to me, and your entropy estimates look wrong (overly optimistic). I totally disagree with your conclusion, and I don't see where you get it from.
I agree that length is often preferable to complexity. But I think the controversy is less around that, and more around how much entropy you want to have. The comic says that a "plausible attack" is 1000 guesses/second:
"Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about"
But I see more of a consensus that web site operators can't keep their hash databases secure over time against attackers, so we should engineer the passwords and hash algorithms to withstand stealing the hashes for offline attack. And an offline attack can be massive, as described at How to securely hash passwords?
This makes the problem even harder, and sites should really be looking at options besides requiring users to memorize their own passwords for each web site, e.g. via OpenID and OAuth. That way the user can get one good authentication method (perhaps even involving a hardware token) and leverage it for web access.
But good password hashing can also be done via good algorithms, a bit more length, and bookmarklet tools. Use the techniques described at the above question on the server (i.e. bcrypt, scrypt or PBKDF2), and the advice at Is there a method of generating site-specific passwords which can be executed in my own head? on the use of SuperGenPass (or SuperChromePass) on the user/client end.
interesting, so this means from the user's perspective, the choice of password is almost -- except for "Password1" type brain damage -- irrelevant!
Right, it depends on what the threat is. I may just start writing risk = threat x vulnerability x exposure on every question. And for Thomas those are multidimensional cross product operations, and I am assuming a right handed coordinate system in Euclidean space.
You don't need strong password for website. Just force `2^attempts` miliseconds delay between two consecutive login attempts, or block the password after 10 wrong trials. 10,000 different passwords are enough for a decent protection if we only need to protect a website.
@Elazar Leibovich: The attack described (offline) is run against your compromised database; it won't be restricted by your delays. Also, you do introduce a DDOS method.
@MSalter, if you fear that your database will be compromised once in a while, force users to change their password every month. If they use a very short password they won't mind so much. bcrypt can also help to protect even low entropy passwords. BTW, if your DB leaks too frequent, reversing the hashes is the least of your users worries...
@Elazar I've had access to all kinds of databases in my various jobs. In most of them, nobody would notice if I dumped a copy to a file and walked out with it, reversed those short, irrelevant passwords that users have handily re-used on other sites, then went from there. Database compromise by an external actor isn't the only reason for hashing passwords properly, or for users choosing strong passwords.
@Ninefingers, but if no nobody would notice you dumping the users table, nobody would notice that you changed the user hash for a few hours, or dump his personal information. So as long as the mole is working there - your data is compromised. When you'll stop working there - the user will change his password. And as mentioned, reversing a good hash scheme is non-trivial. Regardless of weak passwords.
@elazar You're ignoring the inconvenience to the user from frequent password chagnes and the damage done during the 1/2 month that the attacker has access to the user's account, to say nothing of the longer time that the attacker has access to other accounts where the user reused the password. Avoiding passwords or reducing the number of unique ones a user has to deal with can help in many ways, including allowing them to concentrate on one or a few really good ones.
`` @nealmcb @elazar it isn't just a convenience thing. If you allow weak passwords or strong ones, people use passwords in patterns, like `youtotallywouldnotguessthis01` then `youtotallywouldnotguessthis02`. Also, if additional services don't make the same restriction, they're then affected. Good hashing is therefore critical - plan is if the database is already compromised. Although you're right that if you're actually experiencing frequent compromise you've probably got bigger issues.
@elazar - as per nealmcb's point. Have a look at http://security.stackexchange.com/q/4704/665 which discusses the pros and cons of short/long password expiry times.
I think most of the answers here are missing the point. The final frame is talking about ease of memorization. correct horse battery staple (typed from memory!!) eliminates the fundamental danger of password security -- The Post-IT note.
Using the first password, I've got a Post-IT note in my wallet (if I'm smart) or in my desk drawer (if I'm dumb) which is a huge security risk.
Lets assume that the pass phrase option is only as secure as the munged base word option, then I'm already better off because I've eliminated the human failing in password storage.
Even if I wrote down the pass phrase, it wouldn't look like a password. It might be a shopping list - Bread Milk Eggs Syrup. But 5t4ck3xCh4ng3 is very obviously a password. If I came across that, It would be the first thing I would try.
I have trouble with the odd order of the words. The funny thing is, I think the FINAL frame image, with "Horse: That's a battery staple. Me: Correct!" is even simpler and easier to remember since it's how the actual sentence would work. And much stronger..
Maybe we should just introduce graphical passwords, where you have to draw the horse and battery staple in the final frame image. ;-)
Absolutely, as I said in my answer too - password security is not *just* about entropy, it's about the human aspect, and how the user remembers it (or doesn't). Entropy is absolutely important, but that's not the end of the story.
Having a post-it with a very complex password sure beats having a bad password memorized. Usually you're protecting yourself from remote attacks, not someone sneaking around on your desk (that is an issue for office security). Also, with post-its you can easily disguise the password or alter it slightly ("every 1 is a 2", or the password is only half of what is written etc.) to make it useless for anyone else. You're oversimplifying. (Also, just realized how old this is, sorry, but I still think it applies)
6 years later from memory- "Correct Horse Battery Staple". (Scroll up and check - YES!)
@pzkpfw You're assuming that a remote attacker is more likely. However, what are the chances that a remote attacker is more interested in your password than (say) a resentful co-worker?
@jpaugh the point is that when it comes to security, it's a well known axiom that "physical access = game over". Protecting yourself against your colleagues entails a completely different set of procedures (physical security, safes, locks etc.) -- for the sake of simplicity discussions about passwords should focus on remote attackers because that's normally what passwords are designed to protect against. That's not saying remote attacks are the only attacks that exist, just that it's a very broad discussion.
To add to Avid's excellent answer, the other key messages of the comic are:
- the appropriate way to calculate the entropy of a password generation algorithm is to calculate the entropy of its inputs, not to calculate the apparent entropy of its outputs (as rumkin.com, grc.com etc. do)
- minor algorithm variations such as "1337-5p34k" substitutions and "pre/append punct & digits" add less entropy than most users (or sysadmins) think
- (more subtly) passphrase entropy depends on wordlist size (and number of words), not number of characters, but can still provide easily sufficient entropy to protect against "generation algorithm aware" brute force attacks
To those messages we might wish to add:
- as a user you can't generally control whether the web site operator uses salting, bcrypt/scrypt/PBKDF2, keeps their password hashes safe, or even whether they hash passwords in the first place -- so you should probably choose passwords that matter on the basis that they don't (e.g. assume 10^9 guesses per second when sizing passwords/phrases, don't reuse passwords and don't use simple "append the site name" techniques) - which probably makes using LastPass/KeePass/hashpass inevitable
- long complicated words don't add much to the entropy unless you use more than a couple of them (there are only ~500K words in English, which is only 19 bits -- just 8 bits more than a word from Randall's 2048-word list)
- the "random words" need to be really random for this to work -- picking song lyrics/movie quotes/bible verses gives much lower entropy (e.g. even with perfectly random choice, there are only 700K words in the bible, so there are only ~4M 5-10 word bible phrases, which is only 22 bits of entropy)
Have you considered that from the Bible, there are potentially dozens of different translations? King James, NIV, New American Standard, Strong's Concordance, the list goes on. And that's just English. Suppose some American knew a number of verses in Klingon (with appropriate accents, if appropriate). The flip side of this coin is also an interesting concept. Password cracking libraries may become the repositories (out of order) of all knowledge, because college term papers, news broadcasts, and everything else will get included.
I love xkcd and agree with his basic point -- passphrases are great for adding entropy, but think he low balled the entropy on the first password.
Let's go through it:
- Random dictionary word. xkcd: 16 bits, Me: 16 bits. A random word from a dictionary with ~65000 words is lg(65000) ~ 16. Very reasonable
- Adding in capitalization. xkcd: 1 bit, Me: 0 bits (deal with in common subsitutions). 1 bits means its there or not there -- which seems very low for the complexity added by adding capitalization to a password -- generally when capitalization to a password its in a random place or I can think of other many possible capitalization schemes (capitalize everything, capitalize the last letter). I'm going to group this with common substitutions.
Common substitutions. xkcd: 3 bits, Me: 13 bits. Only 8 choices for leet speak substitutions, even when only sometimes used? I can think of on average ~2 ways to leet alter each letter (like a to
4; b to
6; c to
<) and add in the original or capitalizing the letter, then for a 9 letter password, I've increased the entropy by 18 (lg(4**9)=18), if I randomly choose each letter to leet alter or not. This is too high for this password, however. A more reasonable approach would be say I randomly chose say 4 letters to "common substitutions" to (one of two leet options, plus capitalization for three options for each letter being substituted). Then it gets to lg( nCr(9,4) 3*4) ~ 13 bits.
Adding two random characters '&3' to the end. xkcd: 8 bits, Me: 15 bits. I'm considering it as two characters to one of ~4 places (say before the word, one before and one after, both after, or both smack in the middle of the word). I'll also let non-special characters be in these two added letters. So assuming an 88 character dictionary (56 characters+10 digits, plus 32 symbols) you add lg(4 * 80**2) ~ 15 bits of entropy.
So I have the calculation as not being 16+2+2+8=28 bits of entropy, but being 16+13+15=44 bits very similar to his passphrase.
I also don't think 3 days at 1000 guesses/sec is by any means "easy" to guess or the plausible attack mechanism. A remote web service should detect and slow down a user trying more than 10000 guesses in a day period for any specific user.
Much more likely are other attacks (e.g., key loggers on public computers, a malicious admin at a service logging passwords and reusing them, eavesdropping if ssl not used, get access to the server somehow (e.g., SQL injection; break into server room; etc)).
I use a passphrase when its necessary -- e.g., strong encryption (and not 44-bits more like 80-bits -- typically 8 word diceware passphrase plus two or three modifications -- e.g., misspell a word or substitute a word for a non diceware word starting with the same two letters; E.g., if you had "yogurt" come up maybe substitute it for "yomama"). For websites (no money involved or security permissions), I don't care about trivial passwords are typically used.
I do notice that for often used passwords, I'm much much better at typing passwords then I am at typing my passphrases (which get annoying when you have to re-key in a ~50 character sentence a few times). Also for passwords, I often prefer finding a random sentence (like a random song lyric -- to a song no one would associate with you that's not particularly meaningful) and come up with a password based on the words (like sometimes use first letter; last letter; or substitute a word for a symbol; etc). E.g. L^#g&B9y3r from "Load up on guns and bring your" from Smells Like Teen Spirit.
TL;DR: Randall is right, if you (a) assume you can check passwords at 1000/s for three days without getting slowed down, and (b) can make many assumptions about the password: constructed based on a rare dictionary word, that is capitalized, has some leet substitutions for some commonly substituted letters, and has a symbol and number added at the end. If you only slightly generalize the allowed substitutions (like I did) and characters added at the end, you get a similar entropy to the passphrase.
In summary, both are probably secure for most purposes with a low threat level. You are much more vulnerable by other exploits, something Randall would likely agree with  . In general having password requirements like having a upper/lower/symbol/number is good, as long as long high-entropy passphrases are also allowed. Force additional complexity for shorter passwords, but allow over ~20 characters to be all lower case. Some users will choose poor passphrases just as they choose poor passwords (like "this is fun" which is idiotically claimed to be ridiculously secure here or using their child's name or their favorite sports team). Requiring special characters may make it non-trivial to easily guess (say by a factor of 100-1000 -- changing a password from being 10 likely guesses to 10000 is very significant). Sure it won't prevent any bot on a weak web service that allows thousands of bad login attempts per second, but it forces an addition of a modest level of security which would hinder efforts at sites that limit bad logins or from the unsophisticated manually guessing the password. Sort of like how a standard 5-pin house lock is fundamentally insecure as anyone can learn to pick it in minutes (or break the glass window); however in practice locking your door is good as it provides some safety against the unsophisticated who don't have tools handy (and breaking windows comes with its own dangers of alerting others).
"A remote web service should detect and slow down a user trying more than 10000 guesses in a day period for any specific user." <-- Note that the strip says "insecure web service". Of course a secure webservice does slow things down. Not all webservices are secure though.
the comic is saying that all these thing which could increase entropy are done stupidly by users (only capitalise first letter; use a word and only add random number and symbol to the end; etc).
@DanBeale: If you don't trust the users to make a password in a suitably random way, how do you trust them to make a passphrase in a suitably random way? "this is fun" or "let me in" or "fluffy is puffy".
@Billy ONeal: I read the insecure web service part, but think its irrelevant. Most services worth hacking into (banks, major email accts, major seller (amazon), etc.) should be doing basic login throttling. http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication/477578#477578 Insecure web services won't; but then again you probably shouldn't be giving any information to insecure web services anyhow -- they may be storing your password in plaintext on computer with known well-known exploits that would take someone much less than 3 days to crack.
@Billy ONeal: Unless you have done something to make you a specific target, no one's going to spend 300 million attempts over the internet to get your passphrase for your login. After a few minutes of attempts they'll move on to the next username trying to get low-hanging fruit. (Unless of course this is offline hacking; in which case 28-bit and 44-bit are both insecure to any real attempts.)
@dr jimbob: I don't. We see on this very page a user saying they generate a diceware passphrase, but that they roll a few times to get an easier to remember passphrase. So, i: generate the phrases and print them on $50 bills ii: research using real people seeing how many times they roll to get a diceware pass they'll use, and how small the "real" dictionary is would be a good thing.
@DanBeale I think the point is that (some) users will always do the minimum required of them, and that services which force users to use a "strong" password with at least one number, one capital letter, one punctuation mark, etc are actually counterproductive (though they look really good to management!)
Looking at the XKCD comic, and at examples of real world passwords, we see that most users have passwords much much weaker than the XKCD example.
A bunch of users will do exactly as the first panel says - they'll take a dictionary word, capitalize the first letter, do some gentle substituting, then add a number and symbol to the end. That's quite bad, especially if they re-use that password (because they think it's strong) or if their account has privs.
As has been mentioned in comments, Diceware is a nice way to generate a passphrase. I'd like to see the easy read version of a formal analysis of Diceware. (I suspect that even if the attacker has your dictionary and knows that your passphrase is 5 or 6 words long that Diceware is better than a bunch of other password generation systems.
But, whatever password they have, many users can be persuaded to change it to a known value:
During a computer security assessment, auditors were able to convince 35 IRS managers and employees to provide them with their username and change their password to a known value. Auditors posed as IRS information technology personnel attempting to correct a network problem.
good old social engineering... the forever hack. http://www.codinghorror.com/blog/2007/05/phishing-the-forever-hack.html
Entropy basically measures the number of possible passwords allowed by the scheme you used to generate your password. You do this by taking the base-2 logarithm of the number of passwords allowed by your scheme. If your scheme allows ~2^10=1024 passwords it has 10-bits of entropy; every extra bit doubles the number of passwords allowed and doubles the time to brute-force guess. Ok, so if your diceware passphrase is generated by rolling 5 six-sided dice (the dictionary has 6^5=7776 words), then each word adds 13 bits of entropy (log(6^5)/log(2)=12.9). Hence 4 words would be 52-bits.
Not sure why you want a "formal" analysis of Diceware. The concept is simple and it works. There's no fancy math needed. Its dictionary has almost 8000 (= 2^13) words, so a random four-word passphrase has about 52 bits of entropy (i.e., there are about 2^52 possible such passphrases, all equally likely; i.e., an attacker would need to try about 2^52 guesses to find your passphrase).
@D.W. Diceware is good, but users are poor. There's a comment on this page from someone who says that they roll more than once to get a memorable passphrase. So, if the phrases given to the users it's okay, but what happens if users are allowed to use diceware themselves? How many re-roll? Which diceware dictioary words are least / most popular?
A useful analysis would be to see how many of those 2^52 passphrases always get ditched by users as not easy to remember. That may significantly reduce the space.
@DanBeale, re-rolling a couple of times doesn't significantly harm the entropy. (If you re-roll up to 4 times, the decrease in entropy is at most 2 bits, from 52 bits to 50 bits. Not a big deal.) On the whole, the practice of re-rolling to find a memorable passphrase is probably positive, because it makes passphrases more memorable and hence increases the likelihood that users will use / keep using the Diceware scheme. As you say, the greatest challenge is usability; for that, what's needed is a usability study, not a formal mathematical analysis.
@D.W. - thanks for the info. It's reassuring to know that a re-roll or two is okay.
The issue is still, sadly, a human one.
Will pushing users to alphanumeric + punctuation passwords be safer, or longer passwords?
If you tell them to user alpha + numbers, they will write their name + birthday. If you tell them to use also use punctuation, they will replace an "a" with "@", or something similarly predictable.
If you tell them "use four simple words", they will write "i love my mother", "i love your mother", "thank god its friday" or something else banally predictable.
You just can't win. The advantage of 4 word passwords is, they can memorize it, so if you are going to force users to have strong passwords (which you generate) then at least they won't need to write it down on a post-it note, or email themselves the password, or something else stupid.
But what you've missed is that the xkcd comic was probably advocating that a random four-word password be generated for the user by randomly sampling from a 2048-word dictionary, *not* asking the user to pick four arbitrary words. This may not have been obvious if you aren't familiar with the history of the field, but the basic idea has been mooted before by cryptographers.
Randall is mostly correct here. A few additions:
Of course you have to choose the words randomly. The classic method is Diceware, which involves rolling 5d6, giving almost 13 bits of entropy per word, but the words are more obscure.
There may be 2048 common words in English, but there aren't 2048 short common words in English. The Diceware list (which has 6^5 = 7776 words under 6 letters long) has some pretty obscure stuff in it, plus names, plurals, two-letter combinations, two-digit combinations, 19xx, etc, and I don't think the top quarter of that would be much better. If you just take the top 2k word in English, you get stuff like "multiplication" which is a bit long as part of a 4-word password. So I'd be interested to see Randall's suggested word list.
There are more obvious variations of "Tr0ub4dor&3"-type passwords than of Diceware ones, so in practice the former will have a couple more bits of entropy. Also, in my experience, "Tr0ub4dor&3" type passwords are not actually that hard to remember if you use them often. In the past, I've generated several passwords with
strings /dev/urandom, and had no trouble using them as login passwords. Today, though, I couldn't tell you which of the letters were capitalized. On the other hand, I'm not sure I could recite some of my Diceware passwords without confusing homophones, pluralization, etc.
If the password database is stolen, a strengthener like PBKDF2 would add a word or more to to the effective length of one of these passwords, but many sites don't use it. 5 words + one for the strengthener would yield some 66 bits, which is probably too big for a rainbow table. This puts you well out of range of casual attackers, so unless you have something really important on your account you should be fine.
In sum, Diceware-type passwords are ideal for things you type occasionally, but not necessarily every day. If you use a password every day, then Diceware would work, but a
strings /dev/urandompassword will be shorter and you should be able to memorize it anyway. If you log in rarely, then choose a password in any way you like, toss it into your password manager (which you should use for the more commonly-used passwords too), and forget it.
If a site has some odd restriction, like "no spaces, at least one upper-case letter and at least one number", then string the words together with 5s between them and cap the first letter. This loses epsilon entropy for Diceware and none for Randall's scheme.
I think you overestimate the ability for the average person to memorize random data.
For your password database, you should use a salt anyway, so rainbow tables are of no use.
Example output of `strings -n 10 /dev/urandom` has stuff like `t!AF|r)WlB`, `<^p!*P,gvv` and `-WAWkG;]%>(`. Are you *really* claiming that you can *remember* any of those? The `correct horse battery staple beer` sounds like a winner to me and still has roughly the same entropy.
The Mnemonic word list has 1626 words (entropy: 10.66 bits/word) with average length of 5.76 chars (4-7 chars/word). All words are real, internationally recognizable and phonetically different. As a non-native English speaker I find them quite easy to understand. About Diceware: I use Diceware method with Finnish word list to generate passphrases that I type many times every day at my work (the length is not a problem for me). The Finnish word list is much better than the original because all words are real and there is much less oddities.