How-To Geek

XKCD’s Take On Password Difficulty

The more difficult to crack password doesn’t have to be the most difficult to remember; XKCD humorously illustrates the power of entropy.

On a more serious note, if you’re looking to increase your password strength and variety, make sure to check out our roundup of password best practices.

[via XKCD]

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 06/8/12

Comments (7)

  1. Jim

    LastPass w/ 2-factor Google authentication.

    that is all.

  2. Ted Lilley

    The XKCD method is actually mathematically the same or worse than a long password that draws from a combination of both upper- and lower-case letters, numbers and symbols. The truth is, any method that constrains the domain of the source symbols can be attacked with an intelligent cracking method. A dictionary-word method can crack correcthorsebatterystaple just as quickly as a rainbow method can crack a normal password.

  3. Brown Bear

    hmmm… XKCD’s Takey Ony Passwordy Difficult

  4. Mats Svensson

    Are there many important sites around that accept 1000 failed log-in attempts/sec to the same account without protesting or choking?

  5. Anonymous

    I guess some of us missed the humor here?

    One of the points I saw was that at least (some/most) people are using passwords which are only slightly better than just pressing the enter key.

    The humor I see is that you apparently need a computer to make your passwords hard to crack. A rather funny illustration of how good passwords would seem somewhat redundant. I mean, does it really take the use of a computer to protect your info from a computer? Answer: probably not, but only if you’re a smart human.


  6. &

    Further to Mats Svensson’s post, I’ve never understood why security software doesn’t, as a matter of course, insert a small delay after each incorrect attempt. (I know some does, but it seems most doesn’t.) I don’t think most users would mind (or even notice) a delay of, say, 5 seconds, but it would mean even a relatively weak 4-digit numeric PIN would take many hours (on average, of course) to crack using brute-force methods.

    Or am I missing something?

  7. Dom

    I often see, and have received information in information-security-oriented courses in college, that this method is less secure than a more complex password, and to some extent that is correct. A password like ‘appleorangehorsebanana’ rates pretty high on a scale of secure passwords when length is taken into account, but, as Ted Lilley said, a similarly long, more complex password is more secure.

    The problem with that argument, and an absurd number of security arguments in general, is that everybody making such claims assumes preexisting knowledge of the victim’s password complexity. No dictionary list is going to have every combination of words possible, and as long as the words are randomly chosen, brute forcing will be the most likely method for cracking it. Not knowing the exact parameters of the password, the attacker must assume a level of complexity was used, and the length will be the key security feature of the passphrase.
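Comments 2 and 7 disagree about the same quantity, entropy, measured under different assumptions about what the attacker knows, and comments 4 and 6 are about how fast guesses can be made. The Python script below, added here as an illustration and not part of the article or of any commenter's post, puts numbers on both. The 1000 guesses/sec online rate, the 5-second lockout delay, the 2048-word list size, the 94-character printable-ASCII alphabet and the tiny sample word list are all assumptions made for this example and are labelled as such in the code.

```python
import math
import secrets

# Attacker-model parameters. These are assumptions for this added example,
# not figures taken from the article: 1000 guesses/sec is the online rate
# comment 4 alludes to, and the 5 s lockout is what comment 6 proposes.
ONLINE_GUESSES_PER_SECOND = 1000
LOCKOUT_DELAY_SECONDS = 5.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# A constructed 8-word list so the generator runs offline. A real passphrase
# list has thousands of entries (the comic's estimate assumes about 2048).
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "apple", "orange", "banana", "sunset"]


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a secret built from `positions` independent uniform picks,
    each from `choices_per_position` alternatives. Every scenario below uses
    this one formula; they differ only in what the attacker is assumed to know."""
    return positions * math.log2(choices_per_position)


def expected_guesses(bits: float) -> float:
    """Expected guesses to hit a uniformly chosen secret: half the keyspace."""
    return 2 ** bits / 2


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected online cracking time at a fixed guess rate (comment 4's case)."""
    return expected_guesses(bits) / guesses_per_second


def expected_seconds_throttled(bits: float, delay_seconds: float) -> float:
    """Online guessing when each failed attempt costs `delay_seconds`
    (comment 6's proposal). The attacker's speed stops mattering; the
    server-imposed delay dominates the total time."""
    return expected_guesses(bits) * delay_seconds


def scenarios() -> dict:
    """Bits and expected online crack time under different attacker knowledge."""
    table = {
        # Ted Lilley's model: the attacker knows it is exactly 4 words
        # drawn from a 2048-word list (assumed list size).
        "4 words, attacker knows the 2048-word list": entropy_bits(2048, 4),
        # Dom's model: the attacker does not know the scheme and must treat
        # the 25 lowercase letters of correcthorsebatterystaple as random.
        "25 lowercase chars, scheme unknown": entropy_bits(26, 25),
        # The comparison Ted draws: 11 random printable-ASCII characters
        # (94-symbol alphabet assumed).
        "11 random printable-ASCII chars": entropy_bits(94, 11),
        # Mats Svensson's / comment 6's case: a 4-digit numeric PIN.
        "4-digit PIN": entropy_bits(10, 4),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "years_online": expected_seconds(bits, ONLINE_GUESSES_PER_SECOND)
            / SECONDS_PER_YEAR,
        }
        for name, bits in table.items()
    }


def pin_hours_with_delay(delay_seconds: float = LOCKOUT_DELAY_SECONDS) -> float:
    """Expected hours to brute-force a 4-digit PIN online when every failure
    costs `delay_seconds`, regardless of how fast the attacker can submit."""
    return expected_seconds_throttled(entropy_bits(10, 4), delay_seconds) / 3600


def generate_passphrase(wordlist, words: int = 4) -> str:
    """Pick words with the CSPRNG. Using `random.choice` would make the
    choice predictable and break Dom's precondition that the words are
    randomly chosen, which is what the entropy figures above rely on."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, row in scenarios().items():
        print(f"{name:45s} {row['bits']:6.1f} bits  "
              f"{row['years_online']:14.6f} years at {ONLINE_GUESSES_PER_SECOND}/s")
    print(f"4-digit PIN with {LOCKOUT_DELAY_SECONDS:.0f} s delay per failure: "
          f"{pin_hours_with_delay():.1f} hours expected")
    print("sample passphrase (3 bits/word with this toy list):",
          generate_passphrase(SAMPLE_WORDLIST))
```

The table makes the two commenters' positions compatible rather than contradictory: with the scheme known, 11 random printable characters carry more bits than 4 words from a 2048-word list, but a fifth word adds 11 bits, and an attacker who does not know the scheme faces the full character space. The PIN rows show why comment 6's delay works: at 1000 guesses/sec a 4-digit PIN falls in about 5 seconds, while a 5-second lockout per failure stretches the expected time to roughly 7 hours even though the keyspace is unchanged.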
