• AnimalsDream@slrpnk.net
    7 days ago

    I don’t know where the entropy is at these days so I’m not sure exactly how many words are recommended at this point, but the issue with passphrases is that you have to treat each word like it’s one character. Instead of a lot of symbols, now you need a lot of words for a strong passphrase. It also has to be random assortments of words that make no sense, so passages out of any documents are not a good idea. That XKCD strip is definitely outdated because 4 words wasn’t enough even 10 years ago.

    • TheUniverseandNetworks@lemmy.world
      7 days ago

      That’s only true if someone guessing your pass phrase knows that it’s made up of words and not random characters.

      The idea behind pass phrases is that these things are easy for your human brain to remember, but long enough to be hard to guess by typing random characters (or even combinations of words) by an attacker or a computer (or even an LLM).
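
The two ways of counting discussed in this thread, as an added example that is not part of either comment: entropy when the guesser knows the phrase is N words drawn from a known list, versus a per-character estimate that treats every letter as random. The 7776-word list size, the 80-bit target and the 16-word sample list are assumptions made for illustration.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline; far too small for
# real use. A larger list (7776 entries, i.e. 6**5) is assumed for the figures.
SAMPLE_WORDS = ["anchor", "biscuit", "candle", "drizzle", "ember", "fossil",
                "gravel", "harbor", "insect", "jungle", "kettle", "lantern",
                "marble", "nectar", "orbit", "pebble"]
LARGE_LIST_SIZE = 7776  # assumption: size of the word list actually used


def word_model_bits(n_words, list_size):
    """Entropy when the guesser knows the list and the word count."""
    return n_words * math.log2(list_size)


def char_model_bits(passphrase, alphabet_size=27):
    """Per-character estimate: every character (a-z plus space) counted as random."""
    return len(passphrase) * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose word-model entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words):
    """Pick words uniformly and independently with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 4)
    print("sample phrase:", phrase)
    print("char-model bits: %.1f" % char_model_bits(phrase))
    print("word-model bits (16-word list): %.1f" % word_model_bits(4, len(SAMPLE_WORDS)))
    for n in (4, 6, 8):
        print("%d words from %d: %.1f bits" % (n, LARGE_LIST_SIZE, word_model_bits(n, LARGE_LIST_SIZE)))
    print("words for 80 bits:", words_needed(80, LARGE_LIST_SIZE))
```

The word-model figure depends only on the list size and the number of words, so it is the number to use when sizing a passphrase that must hold up even if the generation method is known.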