How 4 everyday English words make a more secure password than 8 random characters

April 22, 2017

In 2011 the XKCD web comic series published a comic about password strength:

I’ve been hearing reports from security team(s) that many people use “correct horse battery staple” as their password. Please DO NOT do this. Those 4 words are there as an example. Do NOT actually use it as your password. Use a random password generator such as password.do

Many people are still skeptical about whether or not this is true. So, let’s do some math!

We are told that secure passwords need to be 8+ characters long, have uppercase and lowercase letters, contain numbers, and include punctuation.

8-character passwords

Something like:

x3L0-p8!

If we were to guess this password, let’s calculate how many possible combinations an 8-character password can have.

Let’s start with the characters. For each character in the password, there can (practically) be 94 possible characters:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+`-={}|:"<>?[]\;',./

Now, since the password will have at least 8 characters, take the shortest case of exactly 8:

Total possible combinations = 94 ^ 8 = 94 x 94 x 94 x 94 x 94 x 94 x 94 x 94 ≈ 6 x 10^15

4-word passwords

Something like:

hello-universal-world-happiness

If we were to guess this password, let’s calculate how many possible combinations a 4-word password can have.

Let’s say for each of the words, the password generator picks one from a list of 10,000 words. That means for each of the words, there are 10,000 possibilities.

Since there are 4 words:

Total possible combinations = 10,000 ^ 4 = 10,000 * 10,000 * 10,000 * 10,000 = 1 x 10^16

Conclusion

4-word passwords have more possible combinations than 8-character passwords.

This means it’ll take more time to guess/break 4-word passwords (longer = better/more secure).
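
The same arithmetic as an added Python example (not code from the original post or from password.do): it computes both keyspaces, expresses them in bits, and draws a passphrase with a cryptographically secure random source. SAMPLE_WORDS is a tiny constructed list and the 2,048-word list size is hypothetical; the numbers only hold when every word is picked uniformly at random from a list without duplicates.

```python
import math
import secrets
import string

# The 94 characters the article counts: letters, digits and ASCII punctuation.
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list (a real generator would load thousands of words).
# It holds two disguised duplicates, which must not count towards the keyspace.
SAMPLE_WORDS = ["hello", "universal", "world", "happiness", "Hello",
                "world ", "river", "candle", "orbit", "maple"]


def keyspace(symbols: int, length: int) -> int:
    """Equally likely passwords when each position is drawn uniformly."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """The same keyspace expressed in bits: length * log2(symbols)."""
    return length * math.log2(symbols)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, n_words=4, sep="-"):
    """Return (passphrase, entropy in bits) using the OS CSPRNG."""
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    phrase = sep.join(secrets.choice(unique) for _ in range(n_words))
    return phrase, entropy_bits(len(unique), n_words)


if __name__ == "__main__":
    target = entropy_bits(len(CHARSET), 8)
    print(f"8 random characters: {keyspace(94, 8):.1e} ({target:.1f} bits)")
    print(f"4 of 10,000 words:   {keyspace(10_000, 4):.1e} "
          f"({entropy_bits(10_000, 4):.1f} bits)")
    # Hypothetical 2,048-word list: four words no longer match 8 characters.
    print("words needed from a 2,048-word list:", words_needed(2048, target))
    print(generate_passphrase(SAMPLE_WORDS))
```

With the sample list the reported strength is only 12 bits, because the entropy is computed from the 8 distinct words actually available, not from the length of the passphrase.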

PS: if you’re looking for a great, safe-to-use password generator that produces 4 random everyday words, visit password.do.

Author
Ryan Harijanto

Head of Engineering. Former Sr. Engineer @Netflix , @HotelTonight , @Shutterstock. Previously a Senior Systems Engineer at Netflix, currently technology advisor and board member for emerging companies. Diverse technological knowledge and understanding of various industries.
