
diceware is a list of 7776 words. You pick 6 words. (That's 7776^6). If the attacker knows you're using Diceware, knows what word list you're using, and knows how many words you're using (i.e. worst case) you get 12.9 bits of entropy per word. If the attacker doesn't know how many words you're using, or they don't know what wordlist you're using, you get more than 12.9 bits of entropy per word.

You've made a mistake here:

> 'correcthorsebatterystaple' can be broken into 25 characters 'slots' or 4 word 'slots': [correct,horse,battery,staple]

> what was 26^25, is now (possible words)^4

1) No-one suggests using 4 words. Randall uses 4 words because it fit in the cartoon. Diceware suggests using 6 words for minimum.

2) No-one at all suggests using just the 1,000 "most common words". Diceware is a list of 7776 words. Except there's more than one diceware list.




i should think you could grok from my comment that i'm on board for your two points

why explain away the comic as just being an example but then confront the comment as being unaware?

why did i use 4 word 'slots' instead of diceware's suggested 6 minimum? because the comic did and that was referenced in the gp

why did i use 1000 words instead of diceware's 7776? because the number of words is arbitrary for an explanation, and, as i stated, i was playfully referencing, and intentionally promoting, more of randall's work

your comment fails to negate anything in my explanation, which was meant as a means of explaining how to think about these things

what the effectiveness of the ga cracking repo shows is that people are using even less possible words than dice's 7776 or randall's 1000

and the concluding statements that more variety with less patterns equates to better security stands

> The complete list contains 7776 short words, abbreviations and easy-to-remember character strings. The average length of each word is about 4.2 characters(o)

i'll be kind and round that 4.2 up to 5

> Diceware suggests using 6 words for minimum

so we are looking at 6 words of 5 characters.. 30 total characters

let's compare diceware to individual characters:

    ~220000000000000000000000+ = 7776**6 : diceware with 6 word minimum
    ~800000000000000000000000000000000000000000+ = 7776**10 : diceware with 10 words
    ~2800000000000000000000000000000000000000000000+ = 26**30 : english alphabet, 30 characters

> what this is showing you, is that anything that makes things easier for you also will make things easier for a cracker

(o) http://world.std.com/~reinhold/diceware.html


Why are you comparing a 30 character word with a 6 word passphrase?

You need to look at bits of entropy.

A 6 word passphrase is about the same as a 12 character password if you use any printable ASCII character.


because entropy is directly related to the number of possible values and number of values in the password, which is what i am comparing

i then went on to establish those values as being only those in the english alphabet, 26 characters, instead of your referenced ascii set or even the diceware character set which allows some special characters

then i took the minimum suggested diceware length of 6 words, rounded the average word length of 4.2 up to 5, which gives us 6*5=30 characters

so one diceware password example:

    affixafireafootagainagateagave
    
    can be seen as diceware would have it, 6 words of length 5:
      [affix, afire, afoot, again, agate, agave]
    or 30 individual characters:
      [a,f,f,i,x,a,f,i,r,e,a,f,o,o,t,a,g,a,i,n,a,g,a,t,e,a,g,a,v,e]
so utilising any underlying pattern, here only using the diceware wordset, weakens a passphrase of equal length

or if you want to abstract away from the actual values that you use to determine a passphrase's strength you could say: diceware lowers the entropy of an individually random value passphrase of equal length

but that phrase unnecessarily contains verbiage that can confuse, whereas my previous comment showed all of the possible permutations in such a way as to easily see that one is greater than the other, making the guess space larger
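The entropy figures the comments above compare, worked through in code. This is an added example, not code from any commenter or from the Diceware project. Its only assumptions are the alphabet sizes used in the thread (7776 Diceware words, 26 lowercase letters, 95 printable ASCII characters) and that every word or character is chosen independently and uniformly at random; the five-dice-to-index mapping is the standard Diceware lookup (index base 6, digit 1 = 0), and the rolls come from Python's `secrets` module.

```python
import math
import secrets

# Alphabet sizes discussed in the thread above.
DICEWARE_WORDS = 7776   # 6**5: one word per five dice rolls
LOWERCASE = 26          # a-z
PRINTABLE_ASCII = 95    # space through '~'


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from an alphabet of
    `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform picks from `alphabet_size` symbols that
    reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def unknown_count_bits(word_count_max: int, words: int = DICEWARE_WORDS) -> float:
    """Entropy when the attacker knows the word list but not the word count
    and must therefore try every passphrase of 1..word_count_max words."""
    total = sum(words ** k for k in range(1, word_count_max + 1))
    return math.log2(total)


def dice_to_index(rolls: str) -> int:
    """Map five dice digits ('1'..'6', most significant first) to a
    zero-based position in a 7776-word Diceware list."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected five dice digits 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def roll_word_index() -> int:
    """Roll five dice with a CSPRNG and return the resulting list index."""
    rolls = "".join(str(secrets.randbelow(6) + 1) for _ in range(5))
    return dice_to_index(rolls)


def compare() -> dict:
    """Entropy of each configuration named in the thread, in bits."""
    six_words = entropy_bits(DICEWARE_WORDS, 6)
    return {
        "diceware_6_words": six_words,
        "diceware_10_words": entropy_bits(DICEWARE_WORDS, 10),
        "random_lowercase_30_chars": entropy_bits(LOWERCASE, 30),
        "random_ascii_12_chars": entropy_bits(PRINTABLE_ASCII, 12),
        # random lowercase letters needed to match six Diceware words
        "lowercase_chars_matching_6_words": equivalent_length(six_words, LOWERCASE),
        # extra bits if the attacker does not know the word count (1..6)
        "gain_from_unknown_count_up_to_6": unknown_count_bits(6) - six_words,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
    print("sample dice index:", roll_word_index())
```

Run it and the numbers in the thread fall out directly: 7776^6 is about 77.5 bits, 26^30 about 141 bits, and 95^12 about 78.8 bits. `unknown_count_bits` sums the guess space over every length the attacker must try, so the difference from the known-length case is the exact figure rather than a hand-wave.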



