hmm. you know I haven't done the math in a while but you might be partially right. It definitely does still help to use a dictionary for passphrases, but especially if you include all the words in the english language, not just a much smaller subset like diceware, and if you add anything to dress it up a little, it can still be pretty hard to crack... before password managers were a thing I was known to do like 3-5 random words plus 2-4 digits, and maybe a punctuation character if I was feeling spicy. A pre-calculated hash/rainbow table attack is not feasible if the password hashes are properly salted but a plain wordlist/dictionary attack still is
For the curious, I came up with something like 650-700 years on average to crack a 4 random word passphrase at 20 billion tries/sec (that rate was a real life example sourced from some pentesting firm's site) if your word list includes every last word in modern use in english (171000 words). If your wordlist is only 2048 common words (like diceware) though, that's like 10 minutes or less.
xkcdpass (based on the well known comic) by default uses the EFF's long wordlist, which is 7776 words I believe, so a 4 word passphrase from that would average about 24 hours to crack at that same speed. Not great but if you spice it up with digits, special chars, etc then maybe that's okay for the average person. But it's pretty long to type out especially on mobile.
hmm. you know I haven't done the math in a while but you might be partially right. It definitely does still help to use a dictionary for passphrases, but especially if you include all the words in the english language, not just a much smaller subset like diceware, and if you add anything to dress it up a little, it can still be pretty hard to crack... before password managers were a thing I was known to do like 3-5 random words plus 2-4 digits, and maybe a punctuation character if I was feeling spicy. A pre-calculated hash/rainbow table attack is not feasible if the password hashes are properly salted but a plain wordlist/dictionary attack still is
For the curious, I came up with something like 650-700 years on average to crack a 4 random word passphrase at 20 billion tries/sec (that rate was a real life example sourced from some pentesting firm's site) if your word list includes every last word in modern use in english (171000 words). If your wordlist is only 2048 common words (like diceware) though, that's like 10 minutes or less.
xkcdpass (based on the well known comic) by default uses the EFF's long wordlist, which is 7776 words I believe, so a 4 word passphrase from that would average about 24 hours to crack at that same speed. Not great but if you spice it up with digits, special chars, etc then maybe that's okay for the average person. But it's pretty long to type out especially on mobile.