Four words is too low these days to protect against gpu bruteforcing
Got a source on that?
Edit: plus brute forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.
8 character a-zA-Z is 45 bits of entropy (log2(56^8), about the same as the XKCD password if you take from a 2048 word list. That's crackable in a minute on AWS.
Password hashes get frequently stolen, don't rely on rate limiting if it's something you really care about.
Sure, but the average English speaker knows way more than 2048 words. Let's not forget about case sensitivity, made-up or "inside joke" words, names, and specific industry vocabulary.
Even if you take four words of a 30000 word list (quick Google says that's the number of words an average person knows), that's still less bits of entropy than a 5 word diceware password (7776 word list). People are also really bad at randomness, so your own string of random words is likely going to be much worse.
Thanks for the explanation. What's diceware?
It's the concept of literally using a die to choose with randomness (humans are terrible at trying to be random); a link with details is in a previous comment.
Four words is too low these days to protect against gpu bruteforcing
Got a source on that?
Edit: plus brute forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.
https://thesecurityfactory.be/password-cracking-speed/
8 character a-zA-Z is 45 bits of entropy (log2(56^8), about the same as the XKCD password if you take from a 2048 word list. That's crackable in a minute on AWS.
Password hashes get frequently stolen, don't rely on rate limiting if it's something you really care about.
Here are the dice ware recommendations on the number of words: https://theworld.com/%7Ereinhold/dicewarefaq.html#howlong
Sure, but the average English speaker knows way more than 2048 words. Let's not forget about case sensitivity, made-up or "inside joke" words, names, and specific industry vocabulary.
Even if you take four words of a 30000 word list (quick Google says that's the number of words an average person knows), that's still less bits of entropy than a 5 word diceware password (7776 word list). People are also really bad at randomness, so your own string of random words is likely going to be much worse.
Thanks for the explanation. What's diceware?
It's the concept of literally using a die to choose with randomness (humans are terrible at trying to be random); a link with details is in a previous comment.
Thanks.
https://theworld.com/~reinhold/diceware.html
Thanks.
That only works if someone already has access to a system's password database.