# Ryan Harijanto

April 22, 2017

In 2011 the XKCD web comic series published a comic about password strength.

I’ve been hearing reports from security team(s) that many people use “correct horse battery staple” as their password. Please DO NOT do this. Those 4 words are there as an example. Do NOT actually use it as your password. Use a random password generator such as password.do

Many people are still skeptical about whether or not this is true. So, let’s do some math!

We are told that secure passwords need to be 8+ characters long, have uppercase and lowercase letters, contain numbers, and include punctuation.

Something like:

`x3L0-p8!`

If we were to guess this password, let’s calculate how many possible combinations an 8-character password can have.

Let’s start with the characters. For each character in the password, there can (practically) be 94 possible characters:

```
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+`-={}|:"<>?[]\;',./
```

Now, since the password will have at least 8 characters:

`Total possible combinations = 94 ^ 8 = 94 x 94 x 94 x 94 x 94 x 94 x 94 x 94 = 6 x 10^15`

Now consider a password made of 4 random words instead. Something like:

`hello-universal-world-happiness`

If we were to guess this password, let’s calculate how many possible combinations a 4-word password can have.

Let’s say for each of the words, the password generator picks one from a list of 10,000 words. That means for each of the words, there are 10,000 possibilities.

Since there are 4 words:

`Total possible combinations = 10,000 ^ 4 = 10,000 * 10,000 * 10,000 * 10,000 = 1 x 10^16`
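The two calculations above, generalized to any alphabet size and length and expressed in bits, as an added example (not code from the original post). `DEMO_WORDS` is a constructed stand-in for a real 10,000-word list and the function names are illustrative; the figures only hold when every character or word is picked uniformly at random, which is why the generators use Python's `secrets` module.

```python
import math
import secrets
import string

# The 94 printable, non-space ASCII characters counted in the post.
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real 10,000-word list (assumption, not from the post).
DEMO_WORDS = [f"word{i:04d}" for i in range(10_000)]


def search_space(symbols: int, length: int) -> int:
    """Number of equally likely secrets: symbols ** length."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits, valid only for uniformly random, independent picks."""
    return length * math.log2(symbols)


def words_needed(wordlist_size: int, charset_size: int, char_length: int) -> int:
    """Fewest random words that match or beat a random character password."""
    target = search_space(charset_size, char_length)
    count = 1
    while search_space(wordlist_size, count) < target:
        count += 1
    return count


def random_password(length: int = 8) -> str:
    """Pick each character with the OS CSPRNG, not the `random` module."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def random_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Pick each word independently and uniformly from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"8 chars : {search_space(94, 8):.1e} ({entropy_bits(94, 8):.1f} bits)")
    print(f"4 words : {search_space(10_000, 4):.1e} ({entropy_bits(10_000, 4):.1f} bits)")
    print("words to match 12 random chars:", words_needed(10_000, 94, 12))
    print(random_password(), random_passphrase(DEMO_WORDS))
```

A smaller word list changes the result: with a 7,776-word list (the size used by Diceware, not mentioned in the post), `words_needed` returns 5 rather than 4 for the same 8-character comparison.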

### Conclusion 