
> "The danger ... is that they might be in the dictionary"

Randall's entropy calculation clearly assumes a dictionary of about 2048 words, where the attacker has perfect knowledge of the dictionary at her disposal.

Randall's entropy calculation is correct, and the point of the cartoon is that 44 bits of entropy is much stronger than the passwords most people create using common password advice.

Personally, I think 44 bits is way too little entropy for a password, but I would be happy if my grandmother started using 44-bit passwords.



I got the point of the cartoon and I never argued that Randall's figures were wrong. I just think it's bad advice to give non-technical people to say common words are secure, because there's a risk that they won't use a sufficiently long (read: number of words) password.

At the end of the day, the whole password model is broken, and Randall summed that part up succinctly.
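Worked example of the entropy arithmetic both commenters rely on (added here, not from the thread): the attacker is assumed to know the whole dictionary, words are drawn uniformly with replacement, and the 2048-word dictionary and 4-word passphrase are the cartoon's figures; the word list in the block is a constructed stand-in, far too small for real use.

```python
import math
import secrets

def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of a word_count-word passphrase drawn uniformly, with replacement,
    from a dictionary the attacker knows completely: word_count * log2(dictionary_size).
    The individual words being 'common' does not reduce this; only the dictionary
    size and the number of words matter."""
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need a dictionary of at least 2 words and at least 1 word")
    return word_count * math.log2(dictionary_size)

def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy. This is the
    check behind the 'sufficiently long' concern: a short passphrase from a small
    dictionary is weak no matter how unusual the words look."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def generate_passphrase(words: list[str], word_count: int) -> str:
    """Draw words with the CSPRNG in `secrets`; `random.choice` is not suitable,
    because a predictable generator shrinks the attacker's search below the
    computed entropy."""
    return " ".join(secrets.choice(words) for _ in range(word_count))

# Constructed 16-word list for a runnable demo (16 bits for a 4-word phrase).
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "window", "orbit",
    "pencil", "forest", "marble", "signal", "copper", "velvet", "harbor", "meadow",
]

if __name__ == "__main__":
    print("4 words from 2048:", passphrase_entropy_bits(2048, 4), "bits")   # 44.0
    print("words for 80 bits from 2048:", words_needed(2048, 80))          # 8
    print("demo phrase:", generate_passphrase(DEMO_WORDS, 4))
```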



