Even if an attacker knew that your password was exactly four words from a specific list of only 2048 common words, that password would still be more secure than something like Tr0ub4dor&3
That’s true but in practice it wouldn’t take 60^11 tries to break the password. Troubador is not a random string and all of the substitutions are common ( o -> 0, a ->4, etc. ). You could crack this password a lot easier with a basic dictionary + substitution brute force method.
I’m saying this because I had an assignment that showed this in an college cybersecurity class. Part of our lesson on password strength was doing a brute force attack on passwords like the one in the top of the xkcd meme to prove they aren’t secure. Any modern laptop with an i5 or higher can probably brute force this password using something like hashcat if you left it on overnight.
Granted, I probably wouldn’t use the xkcd one either. I’d either want another word or two or maybe a number/symbol in between each word with alternating caps or something like that. Either way it wouldn’t be much harder to remember.
except it is not troubador. it is troubador, ampersand, digit.
if you know there are exactly two additional characters and you know they are at the end of the string, the first number is really slightly bigger (like 11 times)
once the random appendix is 3 characters or more, the second number wins
and moral of the story is: don’t use xkcd comic, however funny it is, as your guidance to computer security. yes, the comic suggestions are better than having the password on a post-it on your monitor, but this is 21st century ffs, use password wallet.
Even if an attacker knew that your password was exactly four words from a specific list of only 2048 common words, that password would still be more secure than something like
Tr0ub4dor&3
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
No, it would not. 2048 to the power of 4 is significantly less than 60 to the power of 11.
https://www.wolframalpha.com/input?i2d=true&i=Power[2048%2C4]—Power[60%2C11]
That’s true but in practice it wouldn’t take 60^11 tries to break the password. Troubador is not a random string and all of the substitutions are common ( o -> 0, a ->4, etc. ). You could crack this password a lot easier with a basic dictionary + substitution brute force method.
I’m saying this because I had an assignment that showed this in an college cybersecurity class. Part of our lesson on password strength was doing a brute force attack on passwords like the one in the top of the xkcd meme to prove they aren’t secure. Any modern laptop with an i5 or higher can probably brute force this password using something like hashcat if you left it on overnight.
Granted, I probably wouldn’t use the xkcd one either. I’d either want another word or two or maybe a number/symbol in between each word with alternating caps or something like that. Either way it wouldn’t be much harder to remember.
except it is not troubador. it is troubador, ampersand, digit.
if you know there are exactly two additional characters and you know they are at the end of the string, the first number is really slightly bigger (like 11 times)
once the random appendix is 3 characters or more, the second number wins
https://www.wolframalpha.com/input?i2d=true&i=Divide[Power[2048%2C4]%2CPower[256%2C3]*Power[2%2C4]*4*500000]
and moral of the story is: don’t use xkcd comic, however funny it is, as your guidance to computer security. yes, the comic suggestions are better than having the password on a post-it on your monitor, but this is 21st century ffs, use password wallet.