noteworthy wrote: Can you explain your advice that "the stranger the word the better" in the context of this password generation scheme?
I agree that your random password generator is the best approach. Basically, the size of the dictionary has an influence on the effectiveness of this scheme. The cartoon assumes a dictionary with 2048 words. That's a fair estimate of the vocabulary that people use in typical speech. Vocabulary seems to obey a power law, where words like "you" are used frequently and words like "vocabulary" are used more rarely. As a cracker, I'm going to start with a dictionary that is sorted by word use frequency, based on the assumption that people are not going to use your random password generator; they are going to pick four words, and they are most likely to pick four common words. As a password picker, if I can pick a word that is the 3,000th most common word, without my attacker being able to assume that this is what I've done, the amount of work required to guess my password is much larger than if I were to pick a bunch of words that are within the 250 most commonly used words in the English language. Surprisingly, to me at least, while "correct" and "horse" show up in lists of common English words, "battery" and "staple" do not. So this might be easier than it sounds. Adding additional words is also useful. Although XKCD lists 2^44 as hard to crack, the typical "gold standard" is DES, 2^54, which requires either 5 words or big dictionaries. Six words will get you to 2^64, the real entropy that people incorrectly ascribe to 8 character DES passwords. You'll have to remember 11 words to get to 2^128.
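The arithmetic behind the reply, as an added example that is not the poster's code: it assumes each word is drawn uniformly and independently from a list of a given size, so the search space is list size to the power of the word count, and it compares the work an attacker faces for words drawn from the top 250 versus the top 3,000 words by frequency.

```python
import math

# Added example, not from the thread. Model: n_words chosen uniformly and
# independently from a list of dict_size words, and an attacker who knows
# the list and the word count (Kerckhoffs-style worst case for the user).


def entropy_bits(dict_size: int, n_words: int) -> float:
    """Entropy in bits of a passphrase of n_words uniform picks."""
    return n_words * math.log2(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Fewest words from dict_size needed to reach at least target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def guesses_to_exhaust(dict_size: int, n_words: int) -> int:
    """Worst-case guesses for an attacker who knows list size and word count."""
    return dict_size ** n_words


def work_ratio(common_limit: int, rare_limit: int, n_words: int) -> float:
    """How many times more guesses are needed when every word may come from
    the top rare_limit words instead of only the top common_limit words."""
    return guesses_to_exhaust(rare_limit, n_words) / guesses_to_exhaust(common_limit, n_words)


if __name__ == "__main__":
    # The cartoon's 2048-word list, four words, versus the thresholds in the reply.
    for n in range(4, 12):
        print(f"{n:2d} words from 2048: {entropy_bits(2048, n):6.1f} bits")
    for target in (44, 54, 64, 128):
        print(f"2^{target} needs {words_needed(2048, target)} words from 2048, "
              f"{words_needed(3000, target)} from 3000")
    # The "250 common words vs 3,000th most common word" comparison in the reply.
    print(f"top-3000 vs top-250, four words: {work_ratio(250, 3000, 4):,.0f}x more guesses")
```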