I’m not arguing that random passwords are better for everyone, just that they’re most secure for their length. A 9 word passphrase is just as secure as a 16 character random password, but is far longer.
A 4 word xkcd passphrase is more or less equivalent to a 7 character random password, and is secure with xkcd’s threat model (online brute force attack) but not with other threat models, like a brute force of a weak hash, which is many orders of magnitude faster.
If you’d like to verify the math:
4 word xkcd passphrase: 2048 (possible words) ^ 4 (number of words) = 44 bits of entropy ≈ 17.6 trillion possibilities.
7 word password: 70 (possible characters) ^ 7 (number of characters) ≈ 42.9 bits of entropy ≈ 8.2 trillion possibilities.
(Adding an eighth character raises the number to 576 trillion).
I’m not arguing that random passwords are better for everyone, just that they’re most secure for their length. A 9 word passphrase is just as secure as a 16 character random password, but is far longer.
A 4 word xkcd passphrase is more or less equivalent to a 7 character random password, and is secure with xkcd’s threat model (online brute force attack) but not with other threat models, like a brute force of a weak hash, which is many orders of magnitude faster.
If you’d like to verify the math:
4 word xkcd passphrase: 2048 (possible words) ^ 4 (number of words) = 44 bits of entropy ≈ 17.6 trillion possibilities.
7 word password: 70 (possible characters) ^ 7 (number of characters) ≈ 42.9 bits of entropy ≈ 8.2 trillion possibilities.
(Adding an eighth character raises the number to 576 trillion).