by daneel_w 1390 days ago
Ironically, that xkcd strip is crap advice. A dictionary attack breaks a mere four English words in half a jiffy. This approach should be enforced to a 9-10 word minimum.
3 comments

To offer a slightly more accurate measure than "half a jiffy", this article (published on May 9, 2022) lists the costs involved for different types of passwords and password lengths:

https://support.1password.com/pbkdf2/

Clocking in at a cracking cost of 79 million USD, for most intents and purposes, even a rather trivial 56-bit entropy password such as "align-caught-boycott-delete" (or "correct horse battery staple", for that matter) would be prohibitively expensive to break.

In the case of PBKDF2 it hinges on what PRF and how many rounds. As an example, WPA2 uses PBKDF2 with an HMAC and accompanying parameters to the tune of a single upper-tier consumer GPU being able to test just over a million passwords per second through hashcat. Realistically you will find the password long before you're close to the end of the key space.
> A dictionary attack breaks a mere four English words in half a jiffy.

What system allows you to try 2⁴³ passwords in half a jiffy?

I don't know what 2^43 would equate to (four of the 1500 most common English words?), but an A100 GPU cluster at AWS would be a good starting point. I know, it's beyond the scope of you, me, and the neighbor kid. What I'm trying to get across is that short dictionary passwords have several innate vulnerabilities. They shouldn't be considered "long complicated passwords" until they're actually long.
Maybe you can correct my math. English has something like 500,000 words, but adults who speak it natively know 20,000 - 35,000[1]. If we cut that down to 10,000 to be conservative, that's still 10,000,000,000,000,000 (10 quadrillion) combinations at four words in a password. That's not including any capitalization, special characters between words, etc., just the stock XKCD "four random English words".

No provider is going to let anyone try that many combinations against a login API, but let's consider the case where the hashes have been captured. Hashcat on a Radeon RX 6650 can test about 30 billion MD5 hashes per second, about 200,000 sha512crypt hashes per second, about 500,000 MacOS PBKDF2 passwords per second, and about 32,000 bcrypt hashes per second.[2][3]

To brute-force the "four random English words" space for a single password, I therefore calculate:

MD5: 333,333 seconds (a little under 4 days)

sha512crypt: 50,000,000,000 seconds (578,703 days, or 1,585 years)

Mac OS PBKDF2: 20,000,000,000 seconds (231,481 days, or 634 years)

bcrypt: 312,500,000,000 seconds (3,616,898 days, or 9909 years)

No one recommends storing passwords as MD5 hashes anymore, but that's the fastest algorithm Hashcat supports. When using the kind of hash that information security specialists tend to recommend these days, it seems like the XKCD method is still pretty safe. Am I missing something? Did I calculate something incorrectly?

Edit 1: Fixed the figures for sha512crypt.

Edit 2: for the NVidia A100 you mentioned in another branch of this thread, it would be about ten times faster per GPU, but it's still an impractically long time for the modern password hashes unless the adversary has millions of dollars to spend on cracking a high-value account's password.

[1] https://wordcounter.io/blog/how-many-words-are-in-the-englis...

[2] https://hashcat.net/forum/thread-10919.html

[3] It would be slower to handle the four English words case, because AFAIK you'd need to use the wordlist mode instead of straight brute force.

[4] https://gist.github.com/Chick3nman/d65bcd5c137626c0fcb05078b...
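A small calculator, added here as an example and not part of any comment above, that reproduces the arithmetic in this post and generalizes it: it takes any vocabulary size, word count and guess rate, reports worst-case and expected (half the key space) crack time, and finds the smallest word count that pushes the expected crack time past a chosen number of years. The per-second rates are the RX 6650 figures quoted in the post; the 10,000 and 1,500 vocabulary sizes are the thread's own numbers.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Guesses per second for a single Radeon RX 6650, as quoted in the post above.
RATES = {
    "MD5": 30_000_000_000,
    "sha512crypt": 200_000,
    "macOS PBKDF2": 500_000,
    "bcrypt": 32_000,
}


def keyspace(vocab_size: int, num_words: int) -> int:
    """Distinct passphrases when each word is drawn uniformly, with replacement."""
    return vocab_size ** num_words


def entropy_bits(vocab_size: int, num_words: int) -> float:
    """log2 of the key space, i.e. the passphrase's entropy in bits."""
    return num_words * math.log2(vocab_size)


def exhaust_seconds(vocab_size: int, num_words: int, rate: float) -> float:
    """Worst case: the attacker has to try every passphrase in the space."""
    return keyspace(vocab_size, num_words) / rate


def expected_seconds(vocab_size: int, num_words: int, rate: float) -> float:
    """Average case: a uniformly chosen passphrase is found after half the space."""
    return exhaust_seconds(vocab_size, num_words, rate) / 2


def min_words(vocab_size: int, rate: float, target_years: float) -> int:
    """Smallest word count whose expected crack time at `rate` exceeds target_years."""
    n = 1
    while expected_seconds(vocab_size, n, rate) <= target_years * SECONDS_PER_YEAR:
        n += 1
    return n


if __name__ == "__main__":
    for vocab in (10_000, 1_500):
        print(f"vocabulary {vocab}, 4 words = {entropy_bits(vocab, 4):.1f} bits")
        for name, rate in RATES.items():
            worst = exhaust_seconds(vocab, 4, rate)
            print(f"  {name:13s} worst {worst / SECONDS_PER_DAY:14,.0f} days,"
                  f" need {min_words(vocab, rate, 100)} words for 100 years expected")
```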

> Am I missing something?

Sincere efforts at breaking password hashes are something other than a single individual with one GPU at their disposal - it's not the angry neighbor capturing your Wi-Fi traffic or some "randoms" on the dark web who got their hands on a leaked database.

Realistically you will never need to exhaust the full key space (vocabulary), even if the commonly used set were as high as 10,000. If you refuse to use a password manager and random character strings for passwords, then at least don't settle for just four words, because you'll be going for common and memorable words, not something from the fringes of the dictionary. Unlike the case of a bunch of random characters, when picking a couple of words that you can remember easily there's a psychological factor involved which can be attacked, so make it count.