<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=94.69.229.140</id>
		<title>explain xkcd - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=94.69.229.140"/>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php/Special:Contributions/94.69.229.140"/>
		<updated>2026-07-09T17:46:37Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.30.0</generator>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&amp;diff=13240</id>
		<title>936: Password Strength</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&amp;diff=13240"/>
				<updated>2012-09-23T21:40:41Z</updated>
		
		<summary type="html">&lt;p&gt;94.69.229.140: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 936&lt;br /&gt;
| date      = August 10, 2011&lt;br /&gt;
| title     = Password Strength&lt;br /&gt;
| image     = password_strength.png&lt;br /&gt;
| imagesize = &lt;br /&gt;
| titletext = To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
This comic is saying that the password in the top frames &amp;quot;Tr0ub4dor&amp;amp;3&amp;quot; is easier for password cracking software to guess than &amp;quot;correcthorsebatterystaple&amp;quot;.  And this is absolutely true that people make passwords hard to remember because that means that they are &amp;quot;safer&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
It is certainly true that length, all other things being equal, tends to make for very strong passwords and this can confirmed by using [http://rumkin.com/tools/password/passchk.php rumkin.com's password strength checker][1]. Even if the individual characters are all limited to [a-z], the exponent implied in &amp;quot;we added another lowercase character, so multiply by 26 again&amp;quot; tends to dominate the results.&lt;br /&gt;
&lt;br /&gt;
Now, what is not clearly addressed:&lt;br /&gt;
* Will these passwords have to be ''entered manually''? And if so, how difficult is it, mechanically, to enter a each character of the password? On a keyboard it's easy, but on a smartphone or console... not so much.&lt;br /&gt;
* How easy are these passwords to ''remember''? &lt;br /&gt;
* How sophisticated are the password attacks? In other words, will they actually attempt common schemes like &amp;quot;dictionary words separated by spaces&amp;quot;, or &amp;quot;a complete sentence with punctuation&amp;quot;, or &amp;quot;leet-speak numb3r substitution&amp;quot; as implied by xkcd?&lt;br /&gt;
&lt;br /&gt;
Steve Gibson from the Security Now podcast did a lot of work in this arena and found that this password &amp;quot;D0g.....................&amp;quot; is harder to break than this password &amp;quot;PrXyc.N(n4k77#L!eVdAfp9&amp;quot;.  Steve Gibson makes this very clear in his password haystack [https://www.grc.com/haystack.htm reference guide and tester]:&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Once an exhaustive password search begins, '''the most important factor''' is password length!&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The important thing to take away from this comic is that longer passwords are better because each additional character adds much more time to the breaking of the password. That's what xkcd is trying to get through here.  Complexity does not matter unless you have length in passwords.  Complexity is more difficult for humans to remember.  Length is not.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
&amp;lt;!-- The transcript can be found in a hidden &amp;lt;div&amp;gt; element on the xkcd comic's html source, with id &amp;quot;transcript&amp;quot;.&lt;br /&gt;
  -- Tip: Use colons (:) in the beginning of lines to preserve the original line breaks. &lt;br /&gt;
  -- Any actions or descriptive lines in [[double brackets]] should be reduced to [single brackets] to avoid wikilinking&lt;br /&gt;
  -- Do not include the title text again here --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The comic illustrates the relative strength of passwords assuming basic knowledge of the system used to generate them. &lt;br /&gt;
A set of boxes is used to indicate how many bits of entropy a section of the password provides.&lt;br /&gt;
The comic is laid out with 6 panels arranged in a 3x2 grid.&lt;br /&gt;
On each row, the first panel explains the breakdown of a password, the second panel shows how long it would take for a computer to guess, and the third panel provides an example scene showing someone trying to remember the password.&lt;br /&gt;
&lt;br /&gt;
:[The password &amp;amp;quot;Tr0ub4dor&amp;amp;amp;3&amp;amp;quot; is shown in the centre of the panel. A line from each annotation indicates the word section the comment applies to.]&lt;br /&gt;
&lt;br /&gt;
:Uncommon (non-gibberish) base word&lt;br /&gt;
:[Highlighting the base word - 16 bits of entropy.]&lt;br /&gt;
:Caps?&lt;br /&gt;
:[Highlighting the first letter - 1 bit of entropy.]&lt;br /&gt;
:Common Substitutions&lt;br /&gt;
:[Highlighting the letters &amp;amp;#39;a&amp;amp;#39; (substituted by &amp;amp;#39;4&amp;amp;#39;) and both &amp;amp;#39;o&amp;amp;#39;s (the first of which is substituted by &amp;amp;#39;0&amp;amp;#39;) - 3 bits of entropy.]&lt;br /&gt;
:Punctuation&lt;br /&gt;
:[Highlighting the symbol appended to the word - 4 bits of entropy.]&lt;br /&gt;
:Numeral&lt;br /&gt;
:[Highlighting the number appended to the word - 3 bits of entropy.]&lt;br /&gt;
:Order unknown&lt;br /&gt;
:[Highlighting the appended characters - 1 bit of entropy.]&lt;br /&gt;
:(You can add a few more bits to account for the fact that this is only one of a few common formats.)&lt;br /&gt;
&lt;br /&gt;
:~28 bits of entropy &lt;br /&gt;
:2^28 = 3 days at 1000 guesses sec&lt;br /&gt;
:(Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it&amp;amp;#39;s not what the average user should worry about.)&lt;br /&gt;
:Difficulty to guess: Easy.&lt;br /&gt;
&lt;br /&gt;
:[A person stands scratching their head trying to remember the password.]&lt;br /&gt;
:Person: Was it trombone? No, Troubador. And one of the Os was a zero?&lt;br /&gt;
:Person: And there was some symbol...&lt;br /&gt;
:Difficulty to remember: Hard.&lt;br /&gt;
&lt;br /&gt;
:[The passphrase &amp;amp;quot;correct horse battery staple&amp;amp;quot; is shown in the centre of the panel.]&lt;br /&gt;
:Four random common words {Each word has 11 bits of entropy.}&lt;br /&gt;
&lt;br /&gt;
:~44 bits of entropy&lt;br /&gt;
:2^44 = 550 years at 1000 guesses sec&lt;br /&gt;
:Difficulty to guess: Hard.&lt;br /&gt;
&lt;br /&gt;
:[A person is thinking, in their thought bubble a horse is standing to one side talking to an off-screen observer. &lt;br /&gt;
:An arrow points to a staple attached to the side of a battery.]&lt;br /&gt;
:Horse: That&amp;amp;#39;s a battery staple.&lt;br /&gt;
:Observer: Correct!&lt;br /&gt;
:Difficulty to remember: You&amp;amp;#39;ve already memorized it&lt;br /&gt;
&lt;br /&gt;
The caption below the comic reads: Through 20 years of effort, we&amp;amp;#39;ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.&lt;br /&gt;
&lt;br /&gt;
==External Links==&lt;br /&gt;
* Some info were used from the highest voted answer given to the question of &amp;quot;how accurate is this XKCD comic&amp;quot; at StackExchange [http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase]&lt;br /&gt;
* Similarly a question of &amp;quot;how right this comic&amp;quot; is was made at AskMetaFilter [http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so]&lt;br /&gt;
* Also the Wikipedia article on 'Passphrase' is useful [http://en.wikipedia.org/wiki/Passphrase]&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}} &lt;br /&gt;
&amp;lt;!-- Include any categories below this line--&amp;gt;&lt;/div&gt;</summary>
		<author><name>94.69.229.140</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=936&amp;diff=13239</id>
		<title>936</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=936&amp;diff=13239"/>
				<updated>2012-09-23T21:21:50Z</updated>
		
		<summary type="html">&lt;p&gt;94.69.229.140: Redirected page to 936: Password Strength&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[936: Password Strength]]&lt;/div&gt;</summary>
		<author><name>94.69.229.140</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&amp;diff=13238</id>
		<title>936: Password Strength</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength&amp;diff=13238"/>
				<updated>2012-09-23T21:19:21Z</updated>
		
		<summary type="html">&lt;p&gt;94.69.229.140: Someone review transcript&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 936&lt;br /&gt;
| date      = &lt;br /&gt;
| title     = Password Strength&lt;br /&gt;
| image     = password_strength.png&lt;br /&gt;
| imagesize = &lt;br /&gt;
| titletext = To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
This comic is saying that the password in the top frames &amp;quot;Tr0ub4dor&amp;amp;3&amp;quot; is easier for password cracking software to guess than &amp;quot;correcthorsebatterystaple&amp;quot;.  And this is absolutely true that people make passwords hard to remember because that means that they are &amp;quot;safer&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
The important thing to take away from this comic is that longer passwords are better because each additional character adds much more time to the breaking of the password.&lt;br /&gt;
&lt;br /&gt;
Steve Gibson from the Security Now podcast did a lot of work in this arena and found that this password &amp;quot;D0g.....................&amp;quot; is harder to break than this password &amp;quot;PrXyc.N(n4k77#L!eVdAfp9&amp;quot;.  Steve Gibson makes this very clear in his password haystack [https://www.grc.com/haystack.htm reference guide and tester]:&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Once an exhaustive password search begins, '''the most important factor''' is password length!&amp;quot;&lt;br /&gt;
&lt;br /&gt;
That's what xkcd is trying to get through here.  Complexity does not matter unless you have length in passwords.  Complexity is more difficult for humans to remember.  Length is not. &lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
&amp;lt;!-- The transcript can be found in a hidden &amp;lt;div&amp;gt; element on the xkcd comic's html source, with id &amp;quot;transcript&amp;quot;.&lt;br /&gt;
  -- Tip: Use colons (:) in the beginning of lines to preserve the original line breaks. &lt;br /&gt;
  -- Any actions or descriptive lines in [[double brackets]] should be reduced to [single brackets] to avoid wikilinking&lt;br /&gt;
  -- Do not include the title text again here --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:((The comic illustrates the relative strength of passwords assuming basic knowledge of the system used to generate them. A set of boxes is used to indicate how many bits of entropy a section of the password provides. The comic is laid out with 6 panels arranged in a 3x2 grid. On each row, the first panel explains the breakdown of a password, the second panel shows how long it would take for a computer to guess, and the third panel provides an example scene showing someone trying to remember the password.))&lt;br /&gt;
&lt;br /&gt;
:[The password &amp;amp;quot;Tr0ub4dor&amp;amp;amp;3&amp;amp;quot; is shown in the centre of the panel.&lt;br /&gt;
:A line from each annotation indicates the word section the comment applies to.]&lt;br /&gt;
:Uncommon (non-gibberish) base word&lt;br /&gt;
:[Highlighting the base word - 16 bits of entropy.]&lt;br /&gt;
:Caps?&lt;br /&gt;
:[Highlighting the first letter - 1 bit of entropy.]&lt;br /&gt;
:Common Substitutions&lt;br /&gt;
:[Highlighting the letters &amp;amp;#39;a&amp;amp;#39; (substituted by &amp;amp;#39;4&amp;amp;#39;) and both &amp;amp;#39;o&amp;amp;#39;s (the first of which is substituted by &amp;amp;#39;0&amp;amp;#39;) - 3 bits of entropy.]&lt;br /&gt;
:Punctuation&lt;br /&gt;
:[Highlighting the symbol appended to the word - 4 bits of entropy.]&lt;br /&gt;
:Numeral&lt;br /&gt;
:[Highlighting the number appended to the word - 3 bits of entropy.]&lt;br /&gt;
:Order unknown&lt;br /&gt;
:[Highlighting the appended characters - 1 bit of entropy.]&lt;br /&gt;
:(You can add a few more bits to account for the fact that this is only one of a few common formats.)&lt;br /&gt;
&lt;br /&gt;
:~28 bits of entropy &lt;br /&gt;
:2^28 = 3 days at 1000 guesses sec&lt;br /&gt;
:(Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it&amp;amp;#39;s not what the average user should worry about.)&lt;br /&gt;
:Difficulty to guess: Easy.&lt;br /&gt;
&lt;br /&gt;
:[A person stands scratching their head trying to remember the password.]&lt;br /&gt;
:Person: Was it trombone? No, Troubador. And one of the Os was a zero?&lt;br /&gt;
:Person: And there was some symbol...&lt;br /&gt;
:Difficulty to remember: Hard.&lt;br /&gt;
&lt;br /&gt;
:[The passphrase &amp;amp;quot;correct horse battery staple&amp;amp;quot; is shown in the centre of the panel.]&lt;br /&gt;
:Four random common words {Each word has 11 bits of entropy.}&lt;br /&gt;
&lt;br /&gt;
:~44 bits of entropy&lt;br /&gt;
:2^44 = 550 years at 1000 guesses sec&lt;br /&gt;
:Difficulty to guess: Hard.&lt;br /&gt;
&lt;br /&gt;
:[A person is thinking, in their thought bubble a horse is standing to one side talking to an off-screen observer. &lt;br /&gt;
:An arrow points to a staple attached to the side of a battery.]&lt;br /&gt;
:Horse: That&amp;amp;#39;s a battery staple.&lt;br /&gt;
:Observer: Correct!&lt;br /&gt;
:Difficulty to remember: You&amp;amp;#39;ve already memorized it&lt;br /&gt;
&lt;br /&gt;
:((The caption below the comic reads: Through 20 years of effort, we&amp;amp;#39;ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.))&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}} &lt;br /&gt;
&amp;lt;!-- Include any categories below this line--&amp;gt;&lt;/div&gt;</summary>
		<author><name>94.69.229.140</name></author>	</entry>

	</feed>