However, if someone implements a dictionary attack, doesn't that reduce the entropy of "correct horse battery staple" to effectively four? No. The comic was already assuming a dictionary attack. You have to multiply the number of words by the number of bits of entropy per word. This is assumed to be 11 in the comic, which is what you'd get if you chose each word uniformly at random from a list of 2000 words. The passwords generated by VeraCrypt are not the ones the comic is mocking. They're perfectly fine from an entropy standpoint, but problematic if you have to memorize them. It's a subtle but important distinction: the ones the comic is mocking are human-generated passwords made by manipulating words into looking more like VeraCrypt-style strings of random characters, without actually using a random number generator. Answer from Cosmologicon on reddit.com
🌐
xkcd
xkcd.com › 936
xkcd: Password Strength
On each row, the first panel explains ... comment applies to.]] Uncommon (non-gibberish) base word [[Highlighting the base word - 16 bits of entropy.]] Caps?...
Standards
This work is licensed under a Creative Commons Attribution-NonCommercial 2.5 License · This means you're free to copy and share these comics (but not to sell them). More details
Exploits of a Mom
Earth Temperature Timeline
Ten Thousand
Discussions

Calculating entropy within xkcd 936: Password Strength - Cryptography Stack Exchange
When I calculate entropy for the xkcd Password Strength (comic 936) I don't get nearly the amount of entropy stated in the comic. So why doesn't the first password "Tr0ub4dor&3" have an en... More on crypto.stackexchange.com
🌐 crypto.stackexchange.com
September 24, 2018
theory - Password strength (XKCD) - Stack Overflow
I'm wondering if anyone out there would take the time to "dumb" down and explain this XKCD comic for me? I don't understand the entropy part, and why the password that's easy for us (humans) to remember has higher entropy. More on stackoverflow.com
🌐 stackoverflow.com
Could someone explain the xkcd comic that's about entropy and cracking passwords?
http://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength More on reddit.com
🌐 r/learnprogramming
30
64
April 21, 2013
passwords - Is "the oft-cited XKCD scheme [...] no longer good advice"? - Information Security Stack Exchange
Passwords are just bits that mean something to humans. ... It's important to have the right context. The xkcd comic compares Tr0ub4dor&3 at an assumed 28 bit entropy (though I calculate it as 34.6) to correcthorsebatterystaple and its assumed 44 bits of entropy (a four word diceware code is ... More on security.stackexchange.com
🌐 security.stackexchange.com
July 10, 2014
🌐
explain xkcd
explainxkcd.com › wiki › index.php › 936:_Password_Strength
936: Password Strength - explain xkcd
This is because the password follows a simple pattern of a dictionary word + a couple extra numbers or symbols, hence the entropy calculation is more appropriately expressed with log2(65000*94*94), with 65000 representing a rough estimate of all dictionary words people are likely to choose. (For related info, see https://what-if.xkcd.com/34/).
Top answer
1 of 2
23

I don't get nearly the amount of entropy stated in the comic.

Interestingly enough, the reasoning for the entropy rating is actually justified in the comic by the little boxes, which each represent 1 bit of uncertainty.

This means for Tr0ub4dor&3

  • It's estimated that the word itself "Troubador" comes up in dictionaries which contain about 2^16 words
  • It adds one bit for each of o,a,o of the word to encode whether the letter was replaced or not
  • It adds one bit to decide whether the word was capitalized or not
  • It adds one bit for the ordering of the trailing numeral and special character
  • It adds 3 bits for the unknown numeral, approximating 10 with 2^3 instead of 2^4 which is more accurate
  • It adds 4 bits for the unknown punctuation, i.e. which of the approximately 16 standard ones it is

This sums up to 16+3+1+1+3+4=28

For correct horse battery staple the reasoning is that each of the four words is drawn from a dictionary of size 2^11 which means 4×11=44 bits of entropy.

In both cases it can be assumed that the attacker knows the possible choices influencing the entropy estimation and that it's actually a uniformly random decision which word / pick is done.


If you want an even more thorough explanation of this comic, I can only recommend you read the bear's answer on this over on InfoSec.SE.
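
The bit counting in the answer above, written out as an added example (not part of the original answer or the comic): each choice is a probability distribution, independent choices add their Shannon entropy, and a skewed word pick shows why the 11 bits per word hold only for uniform selection. The 1/rank skew and all function names are assumptions made for illustration.

```python
import math

def shannon_bits(probs):
    """Shannon entropy, in bits, of one choice made with these probabilities."""
    if abs(math.fsum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -math.fsum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs):
    """Bits of protection against an attacker who tries the likeliest value first."""
    return -math.log2(max(probs))

def uniform(n):
    return [1.0 / n] * n

def skewed(n):
    """Constructed 1/rank weighting: an assumption, not measured data."""
    weights = [1.0 / rank for rank in range(1, n + 1)]
    total = math.fsum(weights)
    return [w / total for w in weights]

def scheme_bits(choices):
    """Independent choices multiply the search space, so their bits add."""
    return sum(shannon_bits(c) for c in choices)

# The answer's model of Tr0ub4dor&3, every pick uniform and known to the attacker.
TROUBADOR = [
    uniform(2 ** 16),                    # uncommon base word
    uniform(2), uniform(2), uniform(2),  # three optional letter substitutions
    uniform(2),                          # capitalised or not
    uniform(2),                          # order of numeral and punctuation
    uniform(10),                         # numeral: log2(10) = 3.32, drawn as 3 boxes
    uniform(16),                         # punctuation
]
FOUR_WORDS = [uniform(2 ** 11)] * 4      # four words from a 2^11-word list

if __name__ == "__main__":
    print(f"Tr0ub4dor&3 model : {scheme_bits(TROUBADOR):.2f} bits")
    print(f"four random words : {scheme_bits(FOUR_WORDS):.2f} bits")
    s = skewed(2 ** 11)
    print(f"skewed word pick  : {shannon_bits(s):.2f} bits/word, "
          f"min-entropy {min_entropy_bits(s):.2f}")
```

With the exact log2(10) for the numeral the first model comes to about 28.3 bits, which the comic draws as 28 boxes.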

2 of 2
2

One official way to estimate the strength of a user selected password such as "Tr0ub4dor&3" is to look at NIST recommendations. Granted that this is now deprecated, but the relevant publication was NIST Special Publication 800-63 Version 1.0.2, Electronic Authentication Guideline.

Table A.1 (reproduced below in case of link rot):-

The reasoning behind this table is within the document at § A.2.1 Guessing Entropy Estimate. NIST therefore estimates that the entropy is 33 bits if we interpolate for 11 characters and use dictionary and composition rules.

The difficulty of assessing the entropy of short sequences, particularly human produced ones is the take away from this question. The two current answers diverge in strength by a factor of 32. If we compare NIST's estimate to Blafasel's original query on 50 bits, the entropy diverges 131,072 times. NIST says of the above, "Readers are cautioned against interpreting the following rules as anything more than a very rough rule of thumb method". True.

Another take away is that very few sites will allow the stronger and easier to remember technique of choice from a word list, such as "correcthorsebatterystaple". The on-line version of the UK government doesn't, no bank I'm aware of does, and stackexchange.com doesn't.

🌐
xkcd
xkcd.com › 792
xkcd: Password Reuse
>| Permanent link to this comic: https://xkcd.com/792/ Image URL (for hotlinking/embedding): https://imgs.xkcd.com/comics/password_reuse.png · [[A man is sitting facing a computer, Hat man is standing behind him.]] Hat man: Password entropy is rarely relevant.
🌐
Unix-ninja
unix-ninja.com › p › your_xkcd_passwords_are_pwned
Your xkcd passwords are pwned
December 4, 2019 - However, previously set standards ... the source list, which is defined as a minimum of log2(6^5) words, and each word selected adds ~12.9 bits of entropy....
Find elsewhere
🌐
Hacker News
news.ycombinator.com › item
Anyone using this comic to imply that a passphrase is more secure than a short r... | Hacker News
March 3, 2013 - The example passphrase does have the equivalent of 44 bits of entropy: · log_2 (2048^4) = 4 * 11 = 44
🌐
Reddit
reddit.com › r/learnprogramming › could someone explain the xkcd comic that's about entropy and cracking passwords?
r/learnprogramming on Reddit: Could someone explain the xkcd comic that's about entropy and cracking passwords?
April 21, 2013 -

http://xkcd.com/936/ <-- That's the comic I'm talking about.

Where are the extra bits coming from in the first password? Are they coming from the special characters?

What does entropy mean in this case?

I googled the definition: "Lack of order or predictability; gradual decline into disorder." Is that kinda what it means in this case as well?

If you could explain it like I'm a stupid person, I'd appreciate it.

🌐
xkcd
xkcd.com › 538
xkcd: Security
>| Permanent link to this comic: https://xkcd.com/538/ Image URL (for hotlinking/embedding): https://imgs.xkcd.com/comics/security.png · A Crypto nerd's imagination: Guy [[Holding Laptop]]: His laptop's encrypted. Let's build a million-dollar cluster to crack it. Other guy: No good! It's 4096-bit RSA! Guy: Blast! Our evil plan is foiled! What would actually happen: Guy [[Holding money tag and wrench]]: His laptop's encrypted. Drug him and hit him with this $5 wrench until he tells us the password.
🌐
Garybell
garybell.co.uk › everything-you-know-about-security-is-probably-wrong
Everything you know (about security) is (probably) wrong!
November 18, 2020 - Entropy is calculated as log2(R^L), where R is the pool of unique characters, and L is the length of the password. Pools of characters get added together, so the password cD3! gets an R number 26+26+10+32=94.
🌐
Fractional CISO
fractionalciso.com › home › password advice – xkcd
Password Advice - xkcd | Virtual CISO
February 6, 2019 - You are better off if you stick with a fourteen plus unrelated character password. Your passwords will be much stronger and you will be better protected. A password manager can help you achieve this goal. Permission to reprint xkcd comic is generously provided under https://xkcd.com/license.html Thanks, xkcd.
🌐
explain xkcd
explainxkcd.com › wiki › index.php › Talk:936:_Password_Strength
Talk:936: Password Strength - explain xkcd
When numbers are required, pick something that has significance to you (your birthday, the resolution of your television, etc.). Keep in mind that, if your phrase is an actual sentence, the password entropy is 1.1 bits per character (http://what-if.xkcd.com/34), so length is key if you want ...
🌐
Palant
palant.info › 2023 › 01 › 30 › password-strength-explained
Password strength explained | Almost Secure
January 30, 2023 - You are lucky if you get to 20 bits of entropy this way. Now it’s hard to tell how quickly real password crackers will narrow down on a particular password. One can look at all the patterns however that went into a particular password and estimate how many bits these contribute to the result. Consider this XKCD ...
🌐
Correcthorse
correcthorse.pw
Correct Horse Battery Staple: xkcd-Style Password Generator
Click the Generate button to generate a new password · We tend to associate secure passwords with complicated and hard-to-remember passwords. But it doesn't have to be this way. We make passwords difficult to guess by increasing entropy — the degree of uncertainty in the password.
Top answer
1 of 10
236

The Holy War

I think you will find that the correct way to generate passwords could start a holy war where each group thinks the other is making very simple mathematical mistakes or missing the point. If you get 10 computer security professionals in a room and ask them how to come up with good passwords you will get 11 different answers.

The Misunderstanding

One of the many reasons there is no consistent advice about passwords is it all comes down to an issue of threat modeling. What exactly are you trying to defend against?

For example: are you trying to protect against an attacker who is specifically targeting you and knows your system for generating passwords? Or are you just one of millions of users in some leaked database? Are you defending against GPU based password cracking or just a weak web server? Are you on a host infected with malware[1]?

I think you should assume the attacker knows your exact method of generating passwords and is just targeting you.[2] The xkcd comic assumes in both examples that all the details of the generation are known.

The Math

The mathematics in the xkcd comic is correct, and it's not going to change.

For passwords I need to type and remember I use a Python script that generates xkcd style passwords that are truly random. I have a dictionary of 2^11 (2048) common, easy to spell, English words. I could give the full source code and a copy of my list of words to an attacker, there are still going to be 2^44 possible passwords.

As the comic says:

1000 Guesses / Sec Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about.

That strikes a nice balance between easy to remember and difficult to crack.

What if we tried more power?

Sure 2^44 is ok, but GPU cracking is fast, and it's only going to get faster. Hashcat could crack a weak hash[3] of that size in a number of days, not years. Also, I have hundreds of passwords to remember. Even xkcd style it gets hard after a few.

This is where password managers come in, I like KeePass but there are many others that are basically the same. Then you can generate just one longer xkcd pass-phrase that you can memorize (say 10 words). Then you create a unique 128-bit truly random password for each account (hex or base 64 are good). 128-bits is going to be strong enough for a long time. If you want to be paranoid go larger, it's no extra work to generate 256-bit of hex passwords.


[1] This is where the memory thing comes in, if you're on a compromised host you have lost. It doesn't matter if you type it or use a program like KeePass to copy and paste it if an attacker can key-log / read memory.

[2] Rather than the weaker (but more likely) assumption that the attacker has just torrented a dictionary called "Top Passw0rdz 4realz 111!".

[3] Sure we should all be using PBKDF2, etc... but lots of sites are still on SHA1. (and they are the good ones)
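
An added example, not the answer author's script: a generator of the kind the answer above describes, drawing words with the operating system's CSPRNG, sizing a passphrase for a target strength, and producing a 128-bit per-account password. The word list is a constructed set of 2048 pseudo-words standing in for a real 2^11-word list, and all function names are illustrative.

```python
import math
import secrets

def build_wordlist():
    """Constructed stand-in for a real 2^11-word list: 2048 unique pseudo-words."""
    onsets, vowels, middles = "bdfghjklmnprstvz", "aeio", "dklmnrst"  # 16, 4, 8
    return [a + b + c + d
            for a in onsets for b in vowels for c in middles for d in vowels]

def generate_passphrase(words, count, sep=" "):
    """Pick `count` words uniformly at random with a CSPRNG (not random.choice)."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate entries make the real entropy lower than computed")
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(list_size, count):
    """Entropy when the attacker knows the list and the method: count * log2(size)."""
    return count * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def average_years_to_guess(bits, guesses_per_second):
    """Expected search time: half the space, at the stated guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

def account_password():
    """Unique per-account secret for the password manager: 128 random bits as hex."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    words = build_wordlist()
    print("4-word passphrase :", generate_passphrase(words, 4))
    print("bits              :", passphrase_bits(len(words), 4))
    print("avg years @1000/s :", round(average_years_to_guess(44, 1000)))
    print("10-word master    :", passphrase_bits(len(words), 10), "bits")
    print("words for 128 bits:", words_needed(len(words), 128))
    print("account password  :", account_password())
```

The 1000 guesses per second figure is the comic's online-attack rate; pass a different rate to `average_years_to_guess` to size a passphrase for another threat model.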

2 of 10
167

Schneier writes this:

This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.

but the key to understanding what he is really after is a little further in his essay:

There's still one scheme that works. Back in 2008, I described the "Schneier scheme"

so that's it. Ole' Bruce wants to assert that his scheme is the One and Only, the best, the winner, the ultimate scheme. Therefore, he needs to say disparaging things about the "competitors", regardless of whether such assertions are scientifically sound or not.

In this case, it has always been assumed that the password generation method is known to the attacker. That's the whole point of entropy computations; see the analysis. That attackers are "on to this trick" changes nothing at all (when an attacker knows the password generation method, the entropy computation describes exactly the password strength; when the attacker is incompetent and does not know the password generation method, the password strength is only higher, by an amount which is nigh impossible to quantify).

The quip about "passwords in memory" is just more incoherent ramblings. Passwords necessarily go to RAM at some point, whether you type them or copy-paste them from a password safe, or anything similar.

My guess is that Bruce was drunk.

Update Schneier was specifically asked to comment about his passphrase condemnation in a Reddit AMA (via archive.org, original link) that took place August 2, 2016. He continued to advocate for his password creation system as a superior alternative to random word passphrases. Schneier did say his scheme "gives you more entropy per memorizable character than other methods" which is true when compared to characters making up words. But this is also irrelevant when a system relies on memorizing words rather than characters, and you're allowed to combine enough words to generate adequate 'entropy' for your passphrase as a whole.

🌐
Lobsters
lobste.rs › s › x6bt1h › xkcd_s_correcthorsebatterystaple
XKCD's "correcthorsebatterystaple" password can be cracked in less than 0.01 seconds | Lobsters
Ultimately, you'll only need five passwords (the firmware password to boot a device, the encryption passphrase for the volume encryption, the user authentication password when logging in and unlocking the screen, the password manager master passphrase and the passphrase for the backup volumes that contains your password manager database and other backups). ... For a dictionary of 235886 words, the four-word "correcthorsebatterystaple" requires (235886^4)/(2^70) ~ 2.6 million US dollars. So what? Just make it six words. By the way, where does this 1197962070743187 number come from? ... Indeed, this also goes to point 1, that the entropy is hard to figure out. The XKCD comic indicated that it was using a 2048 (2^11) word dictionary, which apparently is about the size of the dictionary some cryptocurrency wallets use.
🌐
Medium
medium.com › faraday › password-strength-4e9d05d49bba
Password strength. What XKCD passwords comic teaches us… | by Faraday Team | Faraday | Medium
May 12, 2022 - This blind spot causes a weakness: hard to remember passwords must be written somewhere, and they tend to make users “recycle” the same password in more than one account. Finally, a solution emerges from an integral understanding of the problem: The computer science side (specifically, combinatorics and Shannon’s entropy) shows that an increase in the number of characters increases unpredictability at an even higher rate than the introduction of punctuation and unusual symbols.
🌐
Xkpasswd
xkpasswd.net
xkpasswd - a secure, memorable password generator
Website and underlying password generation library (XKPasswd.pm) by Bart Busschots. Banner by Stu Helm (incorporating artwork from the XKCD Web Comic).
🌐
Michael Koby
mkoby.com › 2011 › 08 › 15 › xkcd-password-security
XKCD & Password Security | Michael Koby
August 15, 2011 - You have an entire paragraph on how hackers really hack passwords, but that’s what the XKCD comic assumes in the first place – bruteforcing a hash using whatever is the best method available (in the example of the comic with 1000 tries per second). The comic even assumes that the hacker knows he’s looking for a specific word permutation and a set of dictionary words and not just random characters. So there’s no contradiction here. Basically the comic says it’s entropy that matters, not password length or how hard it is to remember.