A wordy password is a password made entirely, or almost entirely, of plain words. You might be thinking...
It certainly seems so, but I assure you it isn't.
The two defining factors of a good password, are that is it1. Hard to guess
Our intuitive mode of thinking gives us the feeling that a hard to guess password must be difficult to cognitively process, due to factors such as visual obfuscation though lack of meaning, and length. An example of such a password would be $#%g4HGDr7/4^fa.
That password is long, extremely difficult to remember, and highly visually confusing.
However, there are ways to think about passwords which lend its self to generating memorable and extremely secure passwords. One such method is creating a password constructed entirely of short words.
Mentally, it is equally as easy to remember the word [apple] as it is to remember the character [$]. It is easier to remember the words [apple, trail] than [$, #], and as the length of the password increases, this disparity of complexity grows with it, leaving the sybmol and alphanumeric character laden passwords neigh on impossible to remember.
When you create a password for a service, your password may take up a great many characters on the computer, but remain conceptually simple in comparison to what could be considerd a more standard password. Below, we compare two six "item" passwords. Each slot representing one space in your "brain's memory".
| Slot 1 | | Slot 2 | | Slot 3 | | Slot 4 | | Slot 5| | Slot 6 |
Wordy [ time ] [ launch ] [ it ] [ cat ] [ fuse ] [ tool ]
Standard [ $ ] [ # ] [ % ] [ g ] [ 4 ] [ H ]
Were an attacker to attempt to brute force either of these passwords, they would have to guess an average of 50% of the possible combinations. Given we use words with a size of between two and six letters long, each "slot" in our memory could be one of tens upon tens of thousands of words. However, each "slot" in our more standard password can only be one of 85 characters (alphanumerics or symbols.)
To break our standard password, it would take an average of 377149515625 attempts.
Given a dictionary of roughly 30 thousand words, to break our word based password it would take an average of 364500000000000000000000000 attempts. That's 9 quadtrillion times stronger. Throw a few capital letters or numbers on the end, and the number increases dramatically to a point where I'm not going to even bother googling what the numbers are called. (Farther down, I do.)
Note: in reality it is far stronger than I'm letting on here. Those numbers presume your attacker already knows you're using a wordy password. I give the real figures in the next section for those who care.
The point being, these passwords are STRONG!. Really strong. They are made stronger still through the use of cryptographically secure generation, ensuring there are no subconcious choices or themes that can be exploited by a clever attacker.
In a way, yes. However, the natural increase of length more than offsets this, and the addition of a few digits at the end of a wordy password increases it further still.
In order to figure out how many attempts an attack takes on average, we get the total number of combinations and divide it by two. In passwords of equal length, a standard password is more secure. The trick of wordy passwords is that they allow for extreme length by their easy to remember nature. Let's look at how we came up with the figures above.
"$#%g4H". This is a six letter password where each position has 85 possibilities. Two characters has 852 possibilties, and so on. The calculation for a six character password is 856, resulting in 377'149'515'625. (377 billion-ish.) In a wordy password of equal length, lowercase only, we would only have 276 resulting in 387'420'489. (387 million-ish.) The extra one is the space character.
This seems terrible, until we look at the passwords on the whole. "time launch it cat fuse tool"" has 28 characters to the standard password's six. That means our calculation is really 2728, which results in 11,972,515,182,562,020,328,584,384,600,808,992,184,376 which is several duodecillions and nearly one quattuordecillion. Never heard of those numbers? Me neither, until I wrote this. If you made several trillion attempts every second since the dawn of the universe you wouldn't even be close to half way through.
Using our generator, let's take "time launch it cat fuse tool" and tick the capital option, and add a three digit number to the end." Time Launch It Cat Fuse Tool 555". This kind of simulates an attacker who has no knowledge of our password other than to presume it could be anything, and is 32 characters long.
80,158,658,383,964,672,904,032,808,584,064,512,976,984,752,216,392,200,664,704,344 combinations for an average of 40,079,329,191,982,336,952,016,904,792,032,256,488,992,376,608,696,600,832,352,672 attempts, or 40 novemdecillion tries. Not going to happen.
Enjoy your new stupidly secure password.