Why a Random Sentence Beats P@ssw0rd Every Time

The XKCD comic from 2011 made the argument mathematically: "correct horse battery staple" (four random common words) has approximately 44 bits of entropy, while "Tr0ub4dor&3" (a password with complex substitutions and special characters) has approximately 28 bits of entropy. Despite appearing "stronger" — with capital letters, numbers, and symbols — the complex password is weaker. This counterintuitive result has important implications for how we think about password strength.

What Entropy Measures

Password entropy is a measure of unpredictability — specifically, how many guesses an attacker would need to make, on average, to crack the password by brute force, expressed on a logarithmic scale in bits. Each additional bit doubles the work, so a password with higher entropy takes exponentially longer to crack. Entropy is calculated from the size of the search space: how many possible passwords exist with the same characteristics.

A password with 44 bits of entropy has a search space of 2^44 ≈ 17.6 trillion possibilities. A password with 28 bits has about 268 million. At modern GPU cracking speeds, the difference is significant.

The primary factor in password entropy is not complexity — it's unpredictability. A complex password built from predictable rules (substitute E with 3, append a number, capitalize the first letter) has vastly smaller effective entropy than its character set suggests, because cracking tools know the rules.

Why Passphrases Win

A passphrase built from four words chosen randomly from a list of 2,000 common words has an entropy of log2(2000^4) ≈ 44 bits. If the word list has 7,776 words (the Diceware list), entropy reaches log2(7776^4) ≈ 51 bits. These are high barriers to brute force, and the words themselves remain easy to remember.

The key word is "randomly." Four words you choose intuitively — thinking of words that "go together" or feel random to you — have far lower entropy than four words chosen by a random word generator. The randomness must be genuine, not perceived.
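The formula above generalises to any list size and word count. The following is an added example, not code from the original page or from PasswordUtils: it computes log2(N^k) for a list of N words, contrasts it with the inflated "character set" figure a complexity meter would report for Tr0ub4dor&3, and draws words with the operating system's CSPRNG so the randomness is genuine rather than perceived. The word list and the guess rate are constructed placeholders, not measured values.

```python
import math
import secrets
import string

# Constructed sample word list for the demo; a real Diceware list has 7,776 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "pencil", "window", "garden", "silver", "planet", "ticket"]


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly and independently from a
    list of list_size words: log2(list_size ** word_count)."""
    return word_count * math.log2(list_size)


def search_space_size(bits: float) -> float:
    """Number of equally likely candidates implied by an entropy figure: 2 ** bits."""
    return 2.0 ** bits


def charset_entropy_bits(password: str) -> float:
    """What a complexity meter reports: every character treated as drawn uniformly
    from the union of the character classes present. This overstates strength
    when the password follows predictable substitution rules (E -> 3, append digit)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def generate_passphrase(words, word_count=4, separator="-"):
    """Draw words with the OS CSPRNG (secrets, never random.choice) and return the
    phrase together with the entropy actually obtained from this list size."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    return separator.join(chosen), passphrase_entropy_bits(len(words), word_count)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the entire space at an assumed guess rate."""
    return search_space_size(bits) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed guess rate for illustration only, not a measured figure
    for label, bits in (("XKCD comic, 44-bit passphrase", 44),
                        ("XKCD comic, 28-bit Tr0ub4dor&3", 28),
                        ("4 words from 2,000", passphrase_entropy_bits(2000, 4)),
                        ("4 words from Diceware", passphrase_entropy_bits(7776, 4))):
        print(f"{label}: {bits:.1f} bits, {seconds_to_exhaust(bits, rate):.0f} s to exhaust")
    print("meter sees Tr0ub4dor&3 as", round(charset_entropy_bits("Tr0ub4dor&3")), "bits")
    phrase, got = generate_passphrase(SAMPLE_WORDS)
    print("sample passphrase:", phrase, f"({got:.1f} bits from {len(SAMPLE_WORDS)} words)")
```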

Generate a secure random passphrase at PasswordUtils — choose word count, separator, and style for a strong, memorable password.