
So, yes.



Individual words then are easily crackable.

But, take 3 long dictionary words chained together...easier to remember and more secure than a shorter randomly generated string.

E.g. postcriptaluminumengagement vs kug45l2wx

Or are there also dictionaries that contain combos of words?! (Would be rather a large dictionary).


> E.g. postcriptaluminumengagement vs kug45l2wx

If you pick from a dictionary of 250,000 words, that is around 18 bits. So three randomly chosen words strung together give you around 54 bits. On the other hand, an alphanumeric character is around 6 bits, so 9 of them strung together is about 54 bits.

Assuming your dictionary was 250,000 words, both of the passwords you posted were about the same quality (until you posted them - now they're again about the same quality, but much less).

> Or are there also dictionaries that contain combos of words?!

Your software just concatenates words and other well known sequences (123, zxcvbn).

Check out the great password entropy checker called zxcvbn:

https://github.com/dropbox/zxcvbn

https://dropbox.tech/security/zxcvbn-realistic-password-stre...

https://www.bennish.net/password-strength-checker/

(Note: don't enter production passwords into random websites, needless to say...)


3 words is not enough usually, but it technically depends on the dictionary size. Since the formula is dictsize^numwords, adding a word to your phrases is a lot better than adding a thousand words to your dictionary (also because of diminishing returns above ~5 thousand words).

IIRC 6 words is a good size for most dictionaries or 7 words for diceware, but I might be off by one so please look around. I remember posting it on the security stackexchange site (I'm currently on mobile, not logged in, or I'd look it up in my user) and I'm not the only one who's done this calculation. It also depends on what security level you need (e.g. should it prevent offline brute force or only online brute force).
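The arithmetic in the two comments above (bits of a 3-word passphrase versus 9 alphanumeric characters, how many words a given dictionary needs, and why one extra word beats a thousand extra dictionary entries), worked through as an added example; this is not code from any commenter. The 62-character alphanumeric alphabet, the 7,776-word Diceware list size, the 40-bit and 80-bit targets and the 10^10 guesses/s rate are my assumptions, not figures from the thread.

```python
import math

# Assumed sizes (not from the thread): a-z, A-Z, 0-9 and the 6^5-word Diceware list.
ALPHANUMERIC = 62
DICEWARE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each chosen uniformly at random
    from an alphabet of `alphabet_size` symbols (words or characters).
    This is log2(alphabet_size ** length), i.e. the comment's dictsize^numwords."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest number of random words from a dict_size-word list whose
    concatenation reaches at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dict_size))


def bits_from_extra_word(dict_size: int) -> float:
    """Entropy gained by appending one more random word from the same list."""
    return math.log2(dict_size)


def bits_from_larger_dictionary(dict_size: int, extra_words: int) -> float:
    """Entropy gained per word by enlarging the list by extra_words entries:
    only log2 of the size ratio, the 'diminishing returns' the comment mentions."""
    return math.log2((dict_size + extra_words) / dict_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for a guesser who knows the generation scheme and the
    word list to try every candidate at the given rate."""
    return (2 ** bits) / guesses_per_second


def main() -> None:
    # The two passwords quoted in the thread: 3 words from a 250,000-word
    # list versus 9 alphanumeric characters.
    three_words = entropy_bits(250_000, 3)
    nine_chars = entropy_bits(ALPHANUMERIC, 9)
    print(f"3 words / 250k dictionary : {three_words:5.1f} bits")
    print(f"9 alphanumeric characters : {nine_chars:5.1f} bits")

    # Assumed targets (not from the thread): a rate-limited online guesser
    # versus an offline attack on a leaked hash.
    for label, target in (("online-only", 40), ("offline hashes", 80)):
        print(f"\n{label} target, {target} bits:")
        for name, size in (("Diceware", DICEWARE), ("5,000 words", 5_000), ("250,000 words", 250_000)):
            print(f"  {name:>13}: {words_needed(size, target)} words")

    # One more word versus 1,000 more entries, for a 5,000-word dictionary.
    print(f"\n+1 word      : +{bits_from_extra_word(5_000):.2f} bits")
    print(f"+1,000 words : +{bits_from_larger_dictionary(5_000, 1_000):.2f} bits per word")

    # Assumed rate of 1e10 guesses/s (a fast unsalted hash on one GPU).
    hours = seconds_to_exhaust(three_words, 1e10) / 3600
    print(f"\n{three_words:.1f} bits at 1e10 guesses/s: {hours:.0f} hours to exhaust")


if __name__ == "__main__":
    main()
```

Run it as a script to print the comparison table; the 7 words that `words_needed(DICEWARE, 80)` returns is the same figure the comment quotes for Diceware, and the 250,000-word list reaches 80 bits with 5 words because each word carries nearly 18 bits.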


Why are you assuming the adversary knows what dictionary is being used?


Because there are only so many words in the world and an English person isn't going to use a Dutch dictionary. At that point it's going to be harder to remember than just random characters of the same entropy.


Gone are the days of huge generic dictionaries, a small tailored dictionary with a proper ruleset will pick off 3 word phrases with ease.


Exactly. I don't have to speak any of the languages on Wikipedia to use Wikipedia as a dictionary for cracking. You can have every quote from every book, every place name, every Wikipedia article, every song lyric, and a cheap GPU can buzz through it all ... fast.

Kind of breathtaking that we have that power now, and kind of terrifying.


This is exactly what I did for a research project in school: download Wikipedia, extract all combinations of IIRC 2-5 words, do a few transformations like adding a lowercase variant and a space-less variant, and run that set against the LinkedIn SHA1 password dump. Quite effective for cracking passphrases that weren't randomly chosen words but an existing phrase.



