This is a simple explanation of why passphrasing is better. Please bear with my layman's mathematics because this isn't my forte: Let's use XKCD as an example. Your passphrase is correcthorsebatterystaple but since you hate typing out things you abbreviate it to chbs. In most English passwords, you are limited to the characters visible to you on your keyboard; 52 letters (caps and lowercase), 10 numbers, 32 symbols. That means each piece of your password has 94 possible options. That means there are over 78 million possible combinations to be tried to correctly guess chbs. When you realize that computers can hash through several billion attempts PER SECOND, your password starts to look like a terrible idea. By typing out correcthorsebatterystaple, you go from 94^4 to 94^25. This is what XKCD points out and it's obvious that this is a big gain. But it gets better than this... Let's assume that crackers start to use rainbow tables full of common words used to build phrases like this. Instead of treating passwords by the number of characters, they start hammering on the number of words that are possible. Instead of increasing the exponent of the perceived slot, you've gone from 94 possible options to however many words there are in the English language. So instead of 94^4, you're dealing with numbers like 250000^4. This is why security people think passphrasing is better than passwords and why sites like Microsoft that limit you to only 20 character passwords are assholes. It's not the perfect solution, but it will help. TL;DR: Passphrasing increases the security in your credentials in more ways than you are probably thinking. Do it. DO IT NOW.
Example 1: "chbs". 94^4 is way too optimistic. Your upper bound is 26^4, though if you get a smart attacker, he will figure out that 'c', 'h', 'b' and 's' are all more likely than 'x' or 'q' (though less likely than 'e' or 't'), and prune the search tree accordingly. Honestly, it does not really matter because with just 4 chars long, he can afford to just brute-force it anyways.
Example 2: "correcthorsebatterystaple". While much, much better than "chbs", 94^25 is completely off-base. That would imply that you are using all printable ASCII characters in your passphrase. The other figure you mention, 250000^4, is closer to the mark, though it implies you are picking your samples from a 25,000-word dictionary.
XKCD does not make that assumption; it explicitly uses a small dictionary (2048 words) to make it clear that you do not depend on picking "epic words" for the scheme to stand. You can use simple, everyday (e.g. easy to remember) words and still come out ahead of the other approach.
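The two posts disagree about which keyspace an attacker actually has to search, so here is the arithmetic carried through for every model named in the thread. This is an added example, not code from either poster: it assumes a guess rate of 1e10 per second (a constructed figure standing in for "several billion attempts per second") and uses Python's `string.punctuation` as the 32-symbol set the first post counts. It shows why a class-aware cracker gets 26^4 for "chbs" rather than 94^4, and how far the 94^25, 250000^4 and 2048^4 figures sit from each other.

```python
import math
import string

# Guess rate used to turn keyspace into wall-clock time. 1e10 guesses/s is a
# constructed assumption for illustration, not a figure from the thread.
GUESS_RATE = 1e10

# The character classes the first post counts: 52 letters, 10 digits, 32 symbols (94).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # 32 printable ASCII symbols
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets when each of `length` slots has `alphabet_size` options."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: bits an attacker must search with no better model."""
    return length * math.log2(alphabet_size)


def effective_alphabet(secret: str) -> int:
    """Alphabet a class-aware cracker would assume: only the classes actually present.

    This is the reply's point about 'chbs': all four characters are lowercase, so the
    realistic upper bound is 26^4, not 94^4. Only mixing in other classes raises it.
    """
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in secret))


def exhaust_seconds(alphabet_size: int, length: int, rate: float = GUESS_RATE) -> float:
    """Worst-case time to try the entire keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def compare_models(secret: str, word_models: tuple = ()) -> dict:
    """Entropy of one secret under each model discussed in the thread.

    - naive_94^len: the first post's figure, every slot drawn from all 94 printables
    - class_aware_chars: a cracker that only searches the classes the secret uses
    - words_<N>: an attacker who guesses whole words from an N-word dictionary;
      `word_models` is a tuple of (dictionary_size, word_count) pairs
    """
    results = {
        "naive_94^len": entropy_bits(94, len(secret)),
        "class_aware_chars": entropy_bits(effective_alphabet(secret), len(secret)),
    }
    for dictionary_size, word_count in word_models:
        results[f"words_{dictionary_size}"] = entropy_bits(dictionary_size, word_count)
    return results


if __name__ == "__main__":
    # 'chbs' has no word structure left, so only the character models apply.
    cases = (
        ("chbs", ()),
        # Four words, evaluated against the 250000-word and the XKCD 2048-word dictionary.
        ("correcthorsebatterystaple", ((250000, 4), (2048, 4))),
    )
    for secret, word_models in cases:
        print(f"\n{secret!r}")
        for model, bits in compare_models(secret, word_models).items():
            seconds = 2 ** bits / GUESS_RATE
            print(f"  {model:>18}: {bits:6.1f} bits, exhaust in {seconds:.3g} s")
```

The output makes the reply's two corrections concrete: at the assumed rate the whole 94^4 space for "chbs" is exhausted in well under a second, so the 94-vs-26 argument is moot for a 4-character secret, while the passphrase's strength depends entirely on which model the attacker uses. The 2048-word model gives exactly 44 bits, which is the number XKCD's comic is built around, and it is the figure a defender should plan for rather than 94^25.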