This page contains all of the posts and discussion on MemeStreams referencing the following web page: xkcd: Password Strength.

xkcd: Password Strength
by Decius at 12:52 pm EDT, Aug 10, 2011

I was skeptical about this cartoon at first but after doing a lot of back of the napkin calculations I endorse this idea. BUT, you MUST use four words, and the stranger the word the better.

RE: xkcd: Password Strength
by noteworthy at 8:49 pm EDT, Aug 10, 2011

Decius:

I was skeptical about this cartoon at first but after doing a lot of back of the napkin calculations I endorse this idea. BUT, you MUST use four words, and the stranger the word the better.

See also, from 2007, A Secure In-Browser JavaScript Password Generator, (*) referenced on the Cryptography list thread about this comic.

Can you explain your advice that "the stranger the word the better" in the context of this password generation scheme? To my mind, if you follow it to its logical conclusion, you end up with this:

1. Make a list of all the words in the dictionary.
2. Sort the list in descending order of strangeness, such that the "strangest" word in the dictionary is at the top of the list.
3. Select the first four words on the list. These are the strangest words you could possibly choose.

The problem is that everyone has the same password!

Is there an objective function for measuring the strangeness of a word? One option is inverse frequency across a large corpus in the target language.

Even if you relax the constraints a bit -- say, by using a slightly different objective function -- you're still reducing strength when you eliminate dog-sky-house-job from the space of possible passwords.

My advice is to have a trusted computing base choose four words randomly, without being biased by the relative frequency of words in the target language. The average person is probably not very good at unbiased recall of random words from the dictionary. For starters, I'm unlikely to recall a word I've never seen before. Among words I've seen, the probability of recalling a given word will be correlated with the frequency of that term within a large corpus. I'll apply a conscious filter to suppress the most obvious words that come to mind, but I'm still far more likely to recall words from the high-frequency end of the spectrum.

(*) The dictionary in this demonstration has 13k words, and dog, sky, house, and job are all included. If the dictionary is public, then swapping 'job' for 'jawbone' accomplishes nothing. If the dictionary is itself a secret, then filling your dictionary with 13k obscure words may add a few bits of entropy, if the adversary has to brute-force using a bigger dictionary of, say, 52k words. Of course, now you have a (relatively) huge secret to protect, in addition to your password.

RE: xkcd: Password Strength
by Decius at 8:32 am EDT, Aug 12, 2011

noteworthy wrote:
Can you explain your advice that "the stranger the word the better" in the context of this password generation scheme?

I agree that your random password generator is the best approach.

Basically, the size of the dictionary has an influence on the effectiveness of this scheme.

The cartoon assumes a dictionary with 2048 words. That's a fair estimate of the vocabulary that people use in typical speech.

Vocabulary seems to obey a power law, where words like "you" are used frequently and words like "vocabulary" are used more rarely.

As a cracker, I'm going to start with a dictionary that is sorted by word use frequency, based on the assumption that people are not going to use your random password generator, they are going to pick four words, and they are most likely to pick four common words.

As a password picker, if I can pick a word that is the 3,000th most common word, without my attacker being able to assume that this is what I've done, the amount of work required to guess my password is much larger than if I were to pick a bunch of words that are within the 250 most commonly used words in the English language.

Surprisingly, to me at least, while "correct" and "horse" show up in lists of common English words, "battery" and "staple" do not. So this might be easier than it sounds.

Adding additional words is also useful. Although XKCD lists 2^44 as hard to crack, the typical "gold standard" is DES, 2^54, which requires either 5 words or big dictionaries. Six words will get you to 2^64, the real entropy that people incorrectly ascribe to 8 character DES passwords. You'll have to remember 11 words to get to 2^128.
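As an added example (not code from either post, nor from the in-browser generator noteworthy links), here is the arithmetic both replies lean on: k words drawn uniformly from an N-word dictionary carry k*log2(N) bits, a CSPRNG-based picker that gives no weight to how common or "strange" a word is, and the bonus a secret 13k-word list buys against an attacker's 52k-word list. SAMPLE_WORDS is a constructed stand-in for a real dictionary.

```python
import math
import secrets

# Constructed sample word list; a stand-in for the 2048-word or 13k-word
# dictionaries discussed above. Any list of distinct words works here.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "dog", "sky", "house", "job",
    "jawbone", "vocabulary", "lantern", "pebble", "orbit", "velvet", "cactus",
    "harbor",
]


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly (with replacement) from a
    dictionary of dict_size words: log2(dict_size ** n_words)."""
    if dict_size < 2 or n_words < 1:
        raise ValueError("need >= 2 dictionary words and >= 1 chosen word")
    return n_words * math.log2(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest word count whose uniform-choice entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def secret_dictionary_bonus_bits(user_dict: int, attacker_dict: int,
                                 n_words: int) -> float:
    """Extra work for an attacker who must search attacker_dict words per
    position because the picker's smaller user_dict list is kept secret."""
    return n_words * math.log2(attacker_dict / user_dict)


def generate_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Pick n_words with the OS CSPRNG (secrets), so every word is equally
    likely regardless of its frequency in English; this is the 'trusted
    computing base' picker rather than human recall."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"comic, 2048 words x 4: {passphrase_bits(2048, 4):.1f} bits")
    print("words for 2^64 with a 2048-word list:", words_needed(2048, 64))
    # A cracker's model of a human picker: 4 words from the top 250 vs top 3000.
    print(f"top-250 habit: {passphrase_bits(250, 4):.1f} bits")
    print(f"top-3000 habit: {passphrase_bits(3000, 4):.1f} bits")
    print(f"secret 13k list vs 52k attack list: "
          f"{secret_dictionary_bonus_bits(13000, 52000, 4):.1f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Note that nothing in the entropy figures depends on which words are in the list, only on its size and on the choice being uniform.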
