I really enjoyed this comic, but Randall raised a couple of points I'd like to highlight/correct. Entropy isn't a very good measure of password strength for human-generated passwords. This isn't a problem with his second example, since the words are randomly picked, but in the first example, which was picked by the user, it falls apart. That's because he's looking at the entropy and assuming that the underlying probabilities are evenly distributed, since he then treats the strength of the password as equivalent to a random key of 'n' bits. Aka some words like 'password', 'princess', 'monkey' are much more common than 'troubador', so passwords using those words are cracked much more quickly. If you look at a password cracking session against a large number of passwords, the number of guesses required to crack each additional password almost looks like it increases exponentially (note: it actually doesn't match exactly, but it looks like an exponential curve if you squint...). If you treat the entropy measurement as equivalent to a random key, you would expect to find a cracking session that would look like a straight line. Now try to model an exponential curve using a straight line and you'll see where the problems with using that metric are.
I co-authored a paper that I presented at the ACM CCS 2010 conference on this very subject, titled "Testing metrics for password creation policies by attacking large sets of revealed passwords" (the title says it all). You can download a copy from http://goo.gl/YxRk if you are interested in the details. I also wrote some blog posts on the subject at
I'd also like to point out that for the vast majority of people, password strength doesn't have much of an impact. Password strength is really only important in corporate networks where things like AD admin password hashes are cached on local machines, or the attacker is unable/unwilling to install a keystroke logger or pass the hash. What's much more important is password reuse. This can be seen in cases such as the Gawker hack, where attackers immediately used cracked passwords against Twitter accounts, or the HBGary hack, where the attacker compromised Aaron Barr's e-mail, bank account, iPad account, several internal servers, HBGary's corporate e-mail account, etc., since Aaron Barr used the same password everywhere. I'm not saying you have to use different passwords everywhere (though key vaults like LastPass or KeePass are certainly nice and allow you to do this), but you should really have at least four unique passwords: one for sites you don't care about (like this forum), one for your social networking sites like Facebook, one for your webmail account, and one for your financial sites. You might want to use a fifth unique password for online shopping sites as well. That way, regardless of how the password is stored or how weak the password is, it limits the damage caused when a site is compromised and your password is stolen.
Oh, and just for laughs, here is what is quite probably the largest collection of one line ASCII art porn on the internet, since some people choose those for their passwords:
I created it specifically to show how passwords like that could be targeted by an attacker. I'd really hate to think what Google thinks of me based on my searches researching that dictionary.
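The entropy-versus-guessing point made in the post above, as an added worked example (this is not the author's code or the code behind the cited paper): a constructed toy word-frequency table stands in for the skew seen in leaked human-chosen passwords, and an exhaustive most-likely-first guesser shows how far "bits of entropy" under the uniform assumption diverge from the number of guesses actually needed. The word list and probabilities are made up for illustration.

```python
import math
from itertools import product

# Constructed toy word frequencies (not real data), skewed the way words in
# leaked human-chosen passwords are: a few words dominate, the rest are rare.
# Probabilities sum to 1.0.
WORD_PROBS = {
    "password": 0.40, "princess": 0.20, "monkey": 0.15, "dragon": 0.10,
    "horse": 0.06, "battery": 0.04, "staple": 0.03, "troubador": 0.02,
}


def naive_bits(vocab_size: int, n_words: int) -> float:
    """'Entropy' if every word were equally likely: n * log2(|vocabulary|).
    This is the random-key assumption being criticised in the post."""
    return n_words * math.log2(vocab_size)


def shannon_bits(probs: dict, n_words: int) -> float:
    """Shannon entropy of an n-word phrase drawn from the skewed distribution.
    Lower than naive_bits, but still only an average over all phrases."""
    return n_words * -sum(p * math.log2(p) for p in probs.values())


def guess_rank(phrase: tuple, probs: dict) -> int:
    """1-based guess number at which an attacker who tries every n-word phrase
    from most to least likely reaches `phrase` (ties kept in dictionary order).
    Exhaustive, so only meant for small toy vocabularies."""
    ordered = sorted(product(probs, repeat=len(phrase)),
                     key=lambda ws: -math.prod(probs[w] for w in ws))
    return ordered.index(phrase) + 1


def expected_guesses_if_uniform(bits: float) -> float:
    """Average guesses to hit a uniformly random key of `bits` bits: 2**bits / 2."""
    return 2.0 ** bits / 2.0


def compare(phrase: tuple, probs: dict = WORD_PROBS) -> dict:
    """Strength as the entropy metric reports it versus guesses actually needed."""
    bits = naive_bits(len(probs), len(phrase))
    return {
        "naive_bits": bits,
        "shannon_bits": round(shannon_bits(probs, len(phrase)), 2),
        "guesses_if_uniform": expected_guesses_if_uniform(bits),
        "actual_guess_rank": guess_rank(phrase, probs),
    }


if __name__ == "__main__":
    # Both phrases score 6 "bits" under the uniform assumption (8 words, 2 slots),
    # yet one falls at guess 4 and the other at guess 63 of 64.
    for phrase in [("password", "monkey"), ("troubador", "staple")]:
        print(" ".join(phrase), compare(phrase))
```

Sort the `guess_rank` values of a sample of phrases and you get the cracking-session curve the post describes: the common-word phrases all fall within the first few guesses, then each additional crack costs far more than a straight line would predict.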