VaultNetwork.net - Vault Network Boards
Author Topic: Is this true? [Locked]
vn_jurojin  1 star
Title: Insolent Insomniac
Posts: 205
Registered: 2001-12-20 03:26:39
http://xkcd.com/936/

And if so, why is everyone else on the planet wrong?
Aerlinthian  4 stars
Posts: 2,126
Registered: 2001-5-7 23:53:38
That is rather interesting. I won't change my password strategy because there is no need to, but if I were to, I would consider this strategy.
Steelwind_Oo  4 stars
Title: Lurking Oo
Posts: 1,789
Registered: 2000-9-30 10:26:30
It makes a lot of assumptions to try to prove a point, but yeah, if you formatted your passwords exactly like described in the comic and they knew you formatted your password exactly like that, then it would be easier to crack. That said, most people do just use one word in leet speak and think they are good. Mine are sorta like that but with more variables that would make it much harder.

Even then, looking at the comic, it seems off in how it accounts for the variables. For example, they assign 3 bits for common substitutions when in reality it could be more than that, since there are more possible substitutions and some words have more substitutable letters than others. A word with more 'leetable' letters would be considerably harder.

A random string of words works if it is truly random; otherwise a little knowledge about the user or their environment could build a pretty solid dictionary or even a common dictionary-style attack. That of course assumes you know roughly how many words are used too, but that could be guessed, or at least restricted, based on password length requirements for the system in question.

-----signature-----
'God is an imaginary friend for grownups.', Walter Crewes (Morgan Freeman), The Big Bounce
Don't be afraid to ask dumb questions they're easier to handle than dumb mistakes!
Xbox 360 Gamer Tag: SteelwindOo
e93% a53% s33% k13%
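Steelwind's two points above, that the substitution bits depend on how many letters of the base word can be swapped and that prior knowledge of the user shrinks the word list, can be put in numbers. The following is an added example, not code from the original thread or from xkcd; the LEET_MAP, the 2^16-word dictionary and the 2048-word list are assumptions chosen to match the comic's figures, and the per-field bit counts in COMIC_LEET_BITS are the ones the comic itself prints for "Tr0ub4dor&3".

```python
import math

# Leet substitutions a cracker's rule set would try. This map is an assumption
# for the example; real rule files (hashcat's, for instance) are much larger.
LEET_MAP = {
    "a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "l": "1",
}

# xkcd 936's own accounting for "Tr0ub4dor&3", in bits: uncommon base word,
# capitalisation, common substitutions, appended numeral, appended
# punctuation, and the order of the two appended characters. Sums to 28.
COMIC_LEET_BITS = {"base word": 16, "caps": 1, "substitutions": 3,
                   "numeral": 3, "punctuation": 4, "order": 1}


def substitution_variants(word):
    """Number of distinct strings reachable by leaving each letter alone or
    replacing it with one of its LEET_MAP substitutes, independently per
    letter. This is the pattern space an attacker who knows the scheme, but
    not which letters you swapped, has to cover for this base word."""
    variants = 1
    for ch in word.lower():
        variants *= 1 + len(LEET_MAP.get(ch, ""))
    return variants


def substitution_bits(word):
    """Entropy of the substitution choice if the user picked a pattern
    uniformly. That is an upper bound: real users favour a few patterns."""
    return math.log2(substitution_variants(word))


def leet_scheme_bits(word, dictionary_size=2 ** 16, other_bits=9):
    """Total bits for 'dictionary word + leet + the comic's other tweaks':
    dictionary choice, the substitution pattern computed for this word, and
    the comic's caps/numeral/punctuation/order bits (1 + 3 + 4 + 1 = 9)."""
    return math.log2(dictionary_size) + substitution_bits(word) + other_bits


def passphrase_bits(n_words, wordlist_size=2048):
    """Entropy of n words drawn uniformly and independently from the list.
    Anything that lets the attacker shrink the plausible list (a profile of
    the user, a site-specific vocabulary) reduces this directly."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a fixed guess rate; the expected time
    to hit is half of that. The comic's online rate is 1000 guesses/s."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    for word in ("troubador", "password", "rhythm"):
        print(f"{word:10s} {substitution_variants(word):4d} substitution "
              f"patterns = {substitution_bits(word):.2f} bits")
    print("comic's total for Tr0ub4dor&3:", sum(COMIC_LEET_BITS.values()), "bits")
    print("4 words from a 2048-word list:", passphrase_bits(4), "bits")
    print("4 words from a 200-word profile of the user:",
          round(passphrase_bits(4, 200), 1), "bits")
    print("years to exhaust 44 bits at 1000 guesses/s:",
          round(years_to_exhaust(44, 1000)))
    print("days to exhaust 28 bits at 1000 guesses/s:",
          round(years_to_exhaust(28, 1000) * 365.25, 1))
```

Running it reproduces the comic's 550-year and 3-day figures and shows why a flat 3 bits for substitutions is only a rough average: "troubador" has 24 patterns under this map (about 4.6 bits), "password" 54 (about 5.8 bits), "rhythm" just 2 (1 bit). Dropping the word list from 2048 to 200 plausible words takes the four-word passphrase from 44 bits to about 30.6, which is the cost of the "truly random" condition in the post above.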
Marzuk  1 star
Posts: 153
Registered: 2002-10-21 16:08:17
http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html

I'd say it's correct in the general idea; though it may be a bit off on the math, the theory is sound.

It's mostly academic anyway. Any *reasonable* login will cut you off after 10 or so attempts, so your ability to try a massive number of passwords is pathetic. The calculations all assume you can do the attempts instantly.

As a side note, I see your comic about password security and raise you:

http://xkcd.com/538/
vn_jurojin  1 star
Title: Insolent Insomniac
Posts: 205
Registered: 2001-12-20 03:26:39
^ lol
Jyiiga  2 stars
Title: The MMO Snob
Posts: 374
Registered: 2001-3-15 22:36:09
More or less correct, but as someone already pointed out, just about everything limits your number of wrong replies.

After 4-5 guesses they either lock your account or you get those image verification thingies.

-----signature-----
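Marzuk's and Jyiiga's posts both rest on the login throttling that the comic's 1000-guesses-per-second figure ignores. The following is an added example, not code from the thread or from any real login system: a small per-account lockout (5 failures in a 15-minute window, both numbers assumptions for the demonstration), an attacker simulation against it, and the per-account guessing budget it implies.

```python
from collections import defaultdict


class LockoutPolicy:
    """Per-account throttle of the kind the posts describe: after
    max_failures wrong guesses inside `window` seconds, attempts on that
    account are refused until the oldest failure ages out of the window.
    The clock is passed in by the caller so behaviour is deterministic."""

    def __init__(self, max_failures=5, window=15 * 60):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)  # account -> failure timestamps

    def _recent(self, account, now):
        self._failures[account] = [t for t in self._failures[account]
                                   if now - t < self.window]
        return self._failures[account]

    def is_locked(self, account, now):
        return len(self._recent(account, now)) >= self.max_failures

    def record_failure(self, account, now):
        self._failures[account].append(now)

    def record_success(self, account):
        self._failures[account].clear()

    def max_guesses_per_day(self):
        """Upper bound on online guesses against one account per day: the
        attacker gets max_failures tries, then has to wait the window out."""
        return self.max_failures * 86400 / self.window


def try_login(policy, account, guess, secret, now):
    """The authentication front door. Returns 'locked', 'ok' or 'wrong'.
    The secret is compared in the clear only because this example is about
    the throttle, not the credential store."""
    if policy.is_locked(account, now):
        return "locked"
    if guess == secret:
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "wrong"


def online_attack(policy, account, secret, wordlist, start=0.0, step=1.0):
    """Simulate a single-account guesser firing one guess every `step`
    seconds. Returns (guesses actually evaluated, guesses refused by the
    lock, whether the secret was found)."""
    evaluated = refused = 0
    now = start
    for guess in wordlist:
        result = try_login(policy, account, guess, secret, now)
        if result == "locked":
            refused += 1
        else:
            evaluated += 1
            if result == "ok":
                return evaluated, refused, True
        now += step
    return evaluated, refused, False


def years_to_exhaust_online(bits, policy):
    """Years to try all 2**bits candidates at the policy's per-account rate."""
    return 2 ** bits / policy.max_guesses_per_day() / 365.25


if __name__ == "__main__":
    # Constructed wordlist; the secret sits at position 6.
    wordlist = ["password", "letmein", "123456", "qwerty", "monkey",
                "Tr0ub4dor&3", "dragon", "baseball"]
    fast = LockoutPolicy()
    print("1 guess/s:", online_attack(fast, "alice", "Tr0ub4dor&3", wordlist))
    slow = LockoutPolicy()
    print("1 guess/5 min:", online_attack(slow, "alice", "Tr0ub4dor&3",
                                          wordlist, step=300))
    print("guesses/day per account:", fast.max_guesses_per_day())
    for bits in (28, 44):
        print(f"years to exhaust {bits} bits online:",
              round(years_to_exhaust_online(bits, fast)))
```

At one guess per second the attacker gets five evaluated guesses and then nothing but "locked"; at one guess every five minutes no five failures ever share a window, so the lock never triggers and the sixth guess succeeds. The budget is 480 guesses per account per day, which puts even the comic's 28-bit scheme at about 1,500 years and the 44-bit passphrase at roughly 100 million. Two caveats the numbers do not show: a per-account counter does nothing against spraying one common password across many accounts, and it hands anyone who knows a username the ability to lock that user out.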
Seffrid  1 star
Title: Ancient One
Posts: 111
Registered: 2001-12-21 08:33:14
Guesswork is so last season where password hacking is concerned. Far better to steal the entire password database instead - and in those circumstances the idea of one password being "strong" while another password is "weak" is a joke.
Karsus_the_Great  1 star
Title: This is a title.
Posts: 76
Registered: 2003-4-12 21:33:04
Seffrid posted:

Guesswork is so last season where password hacking is concerned. Far better to steal the entire password database instead - and in those circumstances the idea of one password being "strong" while another password is "weak" is a joke.

Sadly, this, which is why FDE is so much of a requirement.

You should be getting your passwords from this, or something like it.

-----signature-----
I know I'm going to hell, I'll bring marshmallows.
Caldari. The only race in Eve that does not fly it's own ships.
Karsus the Great - lvl 240+ Original BM(retired)
Lonestar_1  2 stars
Posts: 259
Registered: 2004-8-26 08:40:28
The best thing you can do is not use the same password everywhere, and even vary your account name if you're that worried. And make sure you try not to use any personal info when creating the passwords.

This limits the damage of a compromised account to just that location.

-----signature-----
http://gimpchimp.etilader.com/display.php?user=lonestarr
3500+ solo kills & Lone Enforcer
WAR - IronRock Dest- Energist, Moogabooga
SWTOR - KV - Energist, Moogabooga
Marzuk  1 star
Posts: 153
Registered: 2002-10-21 16:08:17
Seffrid posted:

Guesswork is so last season where password hacking is concerned. Far better to steal the entire password database instead - and in those circumstances the idea of one password being "strong" while another password is "weak" is a joke.

Depends on how the password was stored. Proper hash + salt is going to at least make it prohibitive to recover passwords from a database dump. And I'm not talking about MD5.
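Seffrid's "steal the database" scenario and Marzuk's "hash + salt, and not MD5" reply can be shown side by side. The following is an added example, not code from either poster: a dump of unsalted MD5 entries next to the same users stored with per-user salts under PBKDF2-HMAC-SHA256 from the standard library, and a cracker run against each. The user names and passwords are constructed for the demonstration, and the 600,000 default iteration count is an assumption to tune to your own hardware.

```python
import hashlib
import hmac
import os


def md5_store(password):
    """The scheme the thread warns about: fast and unsalted, so two users
    with the same password get the same hash and one precomputed table
    cracks every user in the dump at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None, iterations=600_000):
    """Salted, deliberately slow storage: a fresh 16-byte random salt per
    user, and an iteration count chosen so that one verification costs a
    noticeable fraction of a second on the server. Record format is
    algorithm$iterations$salt$digest so the parameters travel with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time
    comparison so a wrong guess leaks nothing through timing."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_unsalted(dump, candidates):
    """dump: {user: md5hex}. Hash each candidate once, then look every user
    up in the table. Returns (cracked {user: password}, hash computations)."""
    table = {md5_store(c): c for c in candidates}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(candidates)


def crack_salted(dump, candidates):
    """dump: {user: pbkdf2 record}. The per-user salt defeats the shared
    table: every (user, candidate) pair costs a full KDF run, and each run
    costs `iterations` HMAC calls instead of one MD5."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for candidate in candidates:
            work += 1
            if pbkdf2_verify(candidate, stored):
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    # Constructed accounts; alice and bob chose the same password.
    users = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3",
             "carol": "correct horse battery staple"}
    candidates = ["password", "Tr0ub4dor&3", "letmein"]

    md5_dump = {u: md5_store(p) for u, p in users.items()}
    print("md5 alice == bob:", md5_dump["alice"] == md5_dump["bob"])
    print("md5 cracked, work:", crack_unsalted(md5_dump, candidates))

    # Iteration count lowered here only so the demo finishes instantly.
    pb_dump = {u: pbkdf2_store(p, iterations=1000) for u, p in users.items()}
    print("pbkdf2 alice == bob:", pb_dump["alice"] == pb_dump["bob"])
    print("pbkdf2 cracked, work:", crack_salted(pb_dump, candidates))
```

The MD5 dump gives alice and bob away as sharing a password before any cracking starts, and three hash computations crack both; the salted dump needs seven KDF runs for the same three candidates, each of them hundreds of thousands of times slower than an MD5. Carol's passphrase is not in the candidate list and falls to neither, which is where the comic's entropy argument comes back in: salting and stretching raise the price per guess, the password's entropy sets how many guesses are needed.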

VaultNetwork.net is an independently operated community forum and is not affiliated with, endorsed by, or technically based on IGN, GameSpy, FilePlanet, GameStats, or the former IGN/GameSpy Vault Network.
References to VaultNetwork.net mean this site/domain. VNBoards-style presentation is a visual homage only. By using this site, you agree to the forum rules.