by hibikir 4440 days ago
Have you seen what modern password hacking tools do? We don't see old-school brute force anymore: the things users do are checked first. Three words one after the other, one or two letters replaced or sitting right next to passwords, walking on a keyboard... those things are tested relatively early in the process.

So HorseBatteryStaple sucks as a password, along with anything else you can easily remember. If you want security, you probably want two-factor authentication and a different password for every site, probably stored in something like a KeePass DB.

1 comments

Testing several words after each other is an old-school brute force method. How hard a password is to crack is basically a measure of the amount of entropy encoded, and there is more than you think in a collection of several words. The comic uses four words for a reason, not three. Sure, replace a few characters if you wish - it does increase the entropy slightly.

Also, know your target. If your target is to secure your account against a web-based brute force, as depicted in the comic, the attacker is likely to be rate-limited by the server, and a reasonable password is likely to be sufficient. If the attacker gets access to the hashed password database, then that's a different matter, but if you have sufficient entropy in your password it can still be secure.

But my main point is this - why do I need an account and password for uncle bob's glass cutting tool emporium, when I am only likely to make a single order in my lifetime? If I don't have an account, and therefore have no password, then there is nothing to hack.
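Added example, not from either commenter: a short Python calculation of the entropy argument in the reply above, comparing three versus four words from a fixed wordlist, the small gain from character substitutions, and the online (rate-limited) versus offline (hash database) attacker the reply distinguishes. The wordlist size and guess rates are assumed, illustrative figures.

```python
import math

# Assumed, illustrative figures (not from the thread): a 2048-word list
# (11 bits per uniformly chosen word), an online attacker held to about
# 10 guesses/second by server rate limiting, and an offline attacker
# against a leaked, fast, unsalted hash at about 1e10 guesses/second.
WORDLIST_SIZE = 2048
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(word_count, wordlist_size=WORDLIST_SIZE,
                            substitution_choices=1):
    """Entropy of word_count words drawn uniformly from wordlist_size,
    plus log2 of how many equally likely substitution variants the user
    picks from (1 = no substitutions). Assumes the attacker knows the
    scheme; only the random choices count."""
    return word_count * math.log2(wordlist_size) + math.log2(substitution_choices)


def naive_character_entropy_bits(password, alphabet_size=26):
    """The misleading estimate you get by treating each character as an
    independent random letter; it overstates strength for word-based
    passwords, which is the hibikir objection."""
    return len(password) * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits, guesses_per_sec):
    """Expected time to hit the password: half the keyspace on average."""
    return (2 ** entropy_bits) / 2 / guesses_per_sec


def compare(word_counts=(3, 4)):
    """Entropy and expected crack time (years) per word count, for both
    attacker models."""
    rows = {}
    for k in word_counts:
        bits = passphrase_entropy_bits(k)
        rows[k] = {
            "bits": bits,
            "online_years": expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
            "offline_years": expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
        }
    return rows


if __name__ == "__main__":
    for k, row in compare().items():
        print(k, "words:", row)
    print("naive estimate for 'correcthorsebatterystaple':",
          naive_character_entropy_bits("correcthorsebatterystaple"))
```

The four-word phrase is comfortably out of reach of the rate-limited online attacker and still only a matter of minutes for the offline one, which is the reply's point about knowing the target; the naive per-character figure is roughly two and a half times the real entropy.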