Why is 3 random words as a password better than a load of random characters?

Anonymous 0 Comments

It’s easier for you to remember but it’s really long. Adding more characters to a password exponentially increases the potential combinations that a brute force attack would have to go through. If you search “how long to brute force password” you will see that adding just a few more characters to a password can add years and years to the time it would take to break in like that. Having a password you can memorize is also more secure because anyone who has access to your computer also has your password if it’s written down there.

Anonymous 0 Comments

It’s not. This is an extremely widespread misconception and the xkcd on this is wrong.

Password cracking isn’t done by brute force. There are a ton of statistics involved that determine which patterns should be prioritized to hash and compare.

In a dictionary attack, 3 random words is a low-entropy sequence. This is because while on a character-by-character basis the entropy is high, in a dictionary attack each word is a symbol, and 3 symbols is not a lot even though there are a lot of words in the dictionary.

Anonymous 0 Comments

I don’t know that it is. Password strength is based on how many tries it would take someone to guess your password. The simplest way to guess is to try every possible combination: “A” then “B” then “C” and after a while guess “AA”, then “AB”… This is called “Brute Force” and is used because following that pattern, eventually all passwords will be guessed. The downside of brute force is that the longer passwords get, the more tries it takes to guess the password. For example, if your password is 1 character long then there are only about 250 possible passwords to guess (all characters, numbers and symbols). A computer can try all of them in a fraction of a second. If your password is 2 characters long, then there are about 250 * 250 or 62,500 possible passwords. Still something a modern computer can do in under a second. Add a third character to your password and now you’re up to 62,500 * 250 possible passwords that have to be tried, and you can see how as you add characters it gets a lot more difficult for even a powerful computer to try all the combinations. If your password is 10 characters long, then a hacker would have to try 250 raised to the power of 10: an exceptionally daunting task. The challenge with long passwords is that it gets increasingly harder to remember a long string of characters. One way to help remember a longer password is to use words: “4gx91pL$2ax7” is really hard to remember, but “GoldFishBowl” is pretty easy. A brute force would need to try 250 raised to the 12th power passwords before it is guaranteed to find that password. But knowing that someone is using words and not any random character allows a hacker to reduce the number of passwords he has to try. If he knows that you are using only upper and lower case characters, the number of passwords can be reduced: 26 upper case letters, 26 lower case letters = 52 possible characters per length. The number of passwords he has to try is now 52 raised to the power of 12 guesses to find the “GoldFishBowl” password. Still a big number, but vastly smaller than the random list of characters. But a hacker can take that a bit further. If he knows that you are using words he can just try combinations of English words (or whatever language you speak). There are no more than about 4,000 common words in a given language. If the hacker knows you use a combination of three words, all he has to do is sort through all those combinations: 4,000 * 4,000 * 4,000 or about 64 billion passwords. Sounds big, but a modern computer can probably crank through that in a few days or weeks. One final issue is that humans are really predictable in generating passwords. They use things like birthdays, common pet names, names of sports teams. There are lists available on the net that have the statistically most common passwords to try. If you use such a predictable password, you might as well be using a single character password because a hacker can guess it in the same amount of time.

Anonymous 0 Comments

Because of this:

Let’s say X and Y are two numbers, where X is greater than Y.

Most of the time, X^Y is smaller than Y^X, as in these examples:

5^2 = 10, 2^5 = 32

10^2 = 100, 2^100 ≈ 1267650600000000000000000000000 (ish)

So imagine taking an 8-character password from an alphabet of, say, 80 characters (26 lowercase letters + 26 uppercase letters + 10 digits + about 14 punctuation marks).

That’s 80^8 combinations.

But imagine taking only a 3 character password, but from an alphabet with 50,000 letters in it.

That’s 3^50 combinations.

It turns out that 3^50 is waaay bigger than 80^8 is. By a LOT.

And when you think of it, if you take a person with a 50,000 word English vocabulary, and ask them to cram 3 English words together, that’s essentially what you’re doing. 3 “letters” where each “letter” is taken from an “alphabet” of 50,000.
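The answers above score the same password under two different attacker models (per-character brute force versus a dictionary attack that treats each word as one symbol) and quote several keyspaces: 250^12, 52^12, 4,000^3, 80^8 and three words from 50,000. The script below is an added example, not code from any poster; it puts all of those figures in the same units (keyspace, bits of entropy, mean time to crack at an assumed guess rate) and reports which model actually bounds a password, since the attacker chooses the cheapest model that fits.

```python
import math

# Added example (not from any poster). A per-character brute force draws each
# symbol from `alphabet_size` characters; a dictionary attack draws each whole
# word from a list of `alphabet_size` words. Both are scored identically here.

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets when `length` symbols are chosen uniformly from `alphabet_size`."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of such a secret: log2 of the keyspace."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Mean time to hit a uniformly chosen secret: half the keyspace is tried on average."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second

def weakest_model(models: dict[str, tuple[int, int]]) -> tuple[str, float]:
    """A password is only as strong as the cheapest attacker model that fits it.
    Returns that model's name and its entropy in bits."""
    name, (size, length) = min(models.items(), key=lambda kv: entropy_bits(*kv[1]))
    return name, entropy_bits(size, length)

def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Words from a `dictionary_size` list needed to reach `target_bits`
    under the word-as-symbol model."""
    return math.ceil(target_bits / math.log2(dictionary_size))

# "GoldFishBowl" as scored by each model quoted in the thread (constructed table).
GOLDFISHBOWL_MODELS = {
    "12 symbols from ~250 characters": (250, 12),
    "12 upper/lower-case letters": (52, 12),
    "3 words from a 4,000-word list": (4000, 3),
}

if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # guesses/second: an assumption for illustration, not a benchmark
    for name, (size, length) in GOLDFISHBOWL_MODELS.items():
        print(f"{name:34} keyspace={keyspace(size, length):.3g} "
              f"bits={entropy_bits(size, length):.1f} "
              f"mean crack={expected_crack_seconds(size, length, ASSUMED_RATE):.3g}s")
    print("binding model:", *weakest_model(GOLDFISHBOWL_MODELS))
    # The 80-character alphabet vs 50,000-word vocabulary comparison, in the same units.
    print("80^8     =", keyspace(80, 8), "bits", round(entropy_bits(80, 8), 1))
    print("50000^3  =", keyspace(50000, 3), "bits", round(entropy_bits(50000, 3), 1))
    print("words from 50,000 needed to match 8 random chars of 80:",
          words_needed(entropy_bits(80, 8), 50000))
```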

Anonymous 0 Comments

In password cracking, each additional character exponentially increases the time required to crack the hashed password.
