[Caerus]

From what I remember of the comic, the point was not the length of the password. The entropy was calculated based on 4 possible words.

Assuming ~2000 common English words, the number of possible passwords in that format is 2000^4 ~= 2^44. If the calculation is based on a completely random string of letters it is far stronger at 26^30 ~= 2^141 but it's safe to assume people aren't going to memorize a 30 character random password.

It's worth noting that the fairly common 8 character upper/lower case, numbers, and symbols they cracked in 6 hours is more secure than "correcthorsebatterystaple" at 72^8 ~= 2^49.

[hayksaakian]

Why would that be true?

Wouldn't you have to know in advance that the longer password was only lower case letters?

[Caerus]

I'm not sure which part you're asking about. I'm assuming it's that "correcthorsebatterystaple" is only lower case.

I was mainly commenting on the format suggested by the comic - 4 all-lower case words. You could throw in capitilzation, but most people are going to follow some pattern such as capitilizing all the words or the first and last, etc. These schemes only add a couple extra bits. Fully random capitilization would greatly increase the strength but make it nearly impossible to remember.

There are a lot of assumptions in these calculations, chief among them already knowing the format of the password. It's somewhat reasonable to ignore though, because not knowing the format of the password is going to add extra complexity more or less evenly across all formats.