It’s not. A dictionary has on the order of ≈100,000 (10^5) words in it. Picking five words entirely at random gives you 10^25 combinations, which is about the complexity of 14 alphanumeric characters. So pretty secure.
That’s true for a dictionary of 10^5 words. However the xkcd comic assumes a 2048 word dictionary, which only gives you 1.75 x 10^13 combinations. If your password is hashed with a weak algorithm, that can be cracked in minutes on a decent GPU. Luckily that can be fixed with just a few more words; 7 words gives you 1.5 x 10^23 combinations.
I don’t really like the xkcd comic because it says the user shouldn’t be worried about offline attacks on hashed passwords. Unless you have a unique password for every service (best practice, but too much for the average user) using a password that is weak to offline attacks puts your other accounts at risk if one service has their password hashes leaked. Which does happen, a lot.
If it’s a bunch of words found in any dictionary then with or without character substitution it’ll be easy to crack.
It’s not. A dictionary has on the order of ≈100,000 (10^5) words in it. Picking five words entirely at random gives you 10^25 combinations, which is about the complexity of 14 alphanumeric characters. So pretty secure.
That’s true for a dictionary of 10^5 words. However the xkcd comic assumes a 2048 word dictionary, which only gives you 1.75 x 10^13 combinations. If your password is hashed with a weak algorithm, that can be cracked in minutes on a decent GPU. Luckily that can be fixed with just a few more words; 7 words gives you 1.5 x 10^23 combinations.
I don’t really like the xkcd comic because it says the user shouldn’t be worried about offline attacks on hashed passwords. Unless you have a unique password for every service (best practice, but too much for the average user) using a password that is weak to offline attacks puts your other accounts at risk if one service has their password hashes leaked. Which does happen, a lot.