On Tue, 2013-11-12 at 11:00 -0500, David Vorick wrote:
https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html
The xkcd comic doesn't really apply anymore. Dictionary attacks have gotten to the point where they can crack 'momof3g8kids' and 'Coneyisland9/,'
It still applies. It says in the small print that it assumes online attacks against a remote service, and for that threat model 44 bit passwords are probably good enough. If you want protection against offline attacks, which you probably want most of the time, you just need to pick more words.
and apparently have dictionaries breaking 100 million words. As password attacks get better and better at predicting human patterns (and hardware gets faster), you are going to need to completely generate your passwords at random in order to defend against dictionary attacks.
You should always do that anyway since it's the only way to know the minimum strength of your password in bits. The XKCD or Diceware method can be used to generate memorable passwords up to 80 - 120 bits or so, which should be good enough for a while still as long as login services don't stupidly limit the passphrase lengths. --ll