The words are chosen from a list of 5461 common British English words. 3811 of these are between 4 and 8 characters (the standard min and max values). The table below shows how long it would take to crack a password with 2, 3 and 4 words at 3 different rates, using a brute force attack which just goes through all the possibilities.
A rate of 1000 per second is referred to in the xkcd cartoon as a plausible attack on a weakly secured server; whether a given password could be cracked at this rate would depend partly on how careful the sysadmin was when they set up the server, for example by preventing too many bad logins on the same username in a given time.
| Number of words | Brute force cracking time at 1000 per sec | at 1 per sec | at 1 per minute |
|---|---|---|---|
| 2 | 4 hours 2 minutes | 168 days | 27 years |
| 3 | 1 year 270 days | 1755 years | 100 thousand years |
| 4 | 6,600 years | 6,600 thousand years | 400 million years |
| 8 random letters | 6 years 227 days | 6,600 years | 6,600 thousand years |
| 6 random letters | 3 days 14 hours | 9 years 290 days | 580 years |
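The arithmetic behind the table, as an added example that is not code from the original page: it computes the full-search time for each keyspace and converts a login-throttling policy into the guess rate an online attacker actually gets. The 26-letter alphabet, the 365-day year and the lockout figures are assumptions made for the example.

```python
WORDS = 3811    # from the page: list words of 4 to 8 characters
LETTERS = 26    # assumption: "random letters" means lowercase a-z
UNITS = [("year", 365 * 86400), ("day", 86400), ("hour", 3600),
         ("minute", 60), ("second", 1)]   # assumption: 365-day years

def keyspace(symbols, length):
    """Number of equally likely passwords: symbols ** length."""
    return symbols ** length

def throttled_rate(max_failures, window_seconds):
    """Guesses per second an online attacker gets against one username
    when the server allows max_failures bad logins per window."""
    return max_failures / window_seconds

def exhaust_seconds(space, guesses_per_second):
    """Time to try every candidate (the worst case the table reports)."""
    return space / guesses_per_second

def humanize(seconds):
    """Render a duration with its two largest non-zero units."""
    remaining, parts = int(seconds), []
    for name, size in UNITS:
        count, remaining = divmod(remaining, size)
        if count:
            parts.append(f"{count:,} {name}{'s' if count != 1 else ''}")
        if len(parts) == 2:
            break
    return " ".join(parts) or "under a second"

def words_needed(guesses_per_second, target_seconds):
    """Smallest word count whose full search takes at least target_seconds."""
    n = 1
    while exhaust_seconds(keyspace(WORDS, n), guesses_per_second) < target_seconds:
        n += 1
    return n

if __name__ == "__main__":
    # Constructed policy: 5 failed logins per 5 minutes equals 1 guess per minute.
    rates = {"1000 per sec": 1000.0, "1 per sec": 1.0,
             "5 failures / 5 min": throttled_rate(5, 300)}
    spaces = {"2 words": keyspace(WORDS, 2), "3 words": keyspace(WORDS, 3),
              "4 words": keyspace(WORDS, 4), "8 letters": keyspace(LETTERS, 8),
              "6 letters": keyspace(LETTERS, 6)}
    for label, space in spaces.items():
        for rate_name, rate in rates.items():
            print(f"{label:10} {rate_name:20} {humanize(exhaust_seconds(space, rate))}")
    print("words needed for 100 years at 1000/sec:",
          words_needed(1000.0, 100 * 365 * 86400))
```

Because the output is computed exactly and truncated rather than rounded, some cells differ slightly from the rounded figures in the table.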