Many are familiar with this xkcd comic:

[image: xkcd comic]

Not many understand why random dictionary words can be more secure than "leet" passwords (letters swapped for look-alike digits and symbols).

Diceware is one way to generate a secure passphrase from random dictionary words. The diceware word list has 7,776 words, because each word is selected by throwing a die 5 times, i.e., 6^5 = 7,776. A six-word passphrase therefore has 7776^6, or about 2 × 10^23, unique combinations.

On my standard Mac keyboard, there are 94 characters* I can use to form leet passwords. An eleven-character leet password has 94^11, or about 5 × 10^21, unique combinations. As you can easily see, a six-word passphrase is 100 times ‘bigger’ than an eleven-character leet password.

People often use entropy to measure password strength. To say a password has 44 bits of entropy is to say the password is chosen uniformly at random from a search space with as many unique combinations as a 44-bit binary string of 0’s and 1’s. That is, there are 2^44 = 17,592,186,044,416 possibilities. Each additional bit of entropy doubles the search space. Now we can see that an eleven-character leet password has log2(5 × 10^21) ≈ 72 bits of entropy. In comparison, our six-word passphrase has log2(2 × 10^23) ≈ 77 bits of entropy.
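The dice-to-word mapping and the entropy arithmetic above, worked through as an added example (not code from the original post). The real diceware list is not embedded: as a constructed stand-in, each "word" is its own five-digit dice key ("11111" .. "66666"), which is enough to show how five rolls index a 7,776-entry list, why the rolls must come from a cryptographic RNG rather than `random`, and how the bit counts for the two schemes are computed. All function names are assumptions of this example.

```python
import math
import secrets

# Diceware parameters from the post: five rolls of a six-sided die select one of
# 6**5 = 7,776 words.
DIE_FACES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DIE_FACES ** ROLLS_PER_WORD  # 7776


def dice_key_to_index(key: str) -> int:
    """Map a five-digit dice key such as "31415" to a list index 0..7775.

    The key is a base-6 number whose digits run 1-6 instead of 0-5.
    """
    if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for c in key:
        index = index * DIE_FACES + (int(c) - 1)
    return index


def index_to_dice_key(index: int) -> str:
    """Inverse of dice_key_to_index: the rolls that land on a given index."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(ROLLS_PER_WORD):
        index, d = divmod(index, DIE_FACES)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


# Constructed stand-in word list (assumption of this example): entry i is simply
# the dice key that selects it, so WORD_LIST[dice_key_to_index(k)] == k.
WORD_LIST = [index_to_dice_key(i) for i in range(LIST_SIZE)]


def roll_word() -> tuple[str, str]:
    """Roll five dice with the OS CSPRNG (secrets), returning (dice key, word).

    secrets.randbelow is used rather than random.randint because the whole
    argument of the post rests on every word being a uniform, unpredictable pick.
    """
    key = "".join(str(secrets.randbelow(DIE_FACES) + 1) for _ in range(ROLLS_PER_WORD))
    return key, WORD_LIST[dice_key_to_index(key)]


def generate_passphrase(words: int = 6) -> list[str]:
    """Pick `words` entries uniformly and independently (the post's six-word passphrase)."""
    return [roll_word()[1] for _ in range(words)]


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen string: log2 of its search space."""
    return length * math.log2(alphabet_size)


# 94 keyboard characters, summed from the post's footnote.
LEET_ALPHABET = 26 + 26 + 10 + 10 + 11 + 11


def compare() -> dict[str, float]:
    """The post's two cases side by side, plus the exact ratio of the search spaces."""
    return {
        "six_word_bits": entropy_bits(LIST_SIZE, 6),
        "eleven_char_bits": entropy_bits(LEET_ALPHABET, 11),
        "ratio": search_space(LIST_SIZE, 6) / search_space(LEET_ALPHABET, 11),
    }


if __name__ == "__main__":
    print("passphrase (dice keys standing in for words):", " ".join(generate_passphrase()))
    print(compare())
```

Running it prints a fresh six-entry passphrase and the two bit counts (about 77.5 and 72.1). Because `entropy_bits` is just `length * log2(alphabet)`, each extra diceware word adds about 12.9 bits and each extra leet character about 6.6, which is the whole reason a few more words beats a few more substitutions.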

One common doubt I hear is that, because the diceware word list is public, people think they should make their own private list. That argument is analogous to saying the letter E is on everyone’s keyboard, so we each need a private keyboard to type on. The strength of diceware comes not from secrecy but from the enormity of its search space.

* 26 uppercase, 26 lowercase, the digits 1-0, shift 1-0, 11 symbols, shift 11 symbols (26 + 26 + 10 + 10 + 11 + 11 = 94).