It has been argued that password systems are not a good way to authenticate. The reason is that a password is either hard to remember, or easy to remember and therefore also easy to crack. So how do we choose a good password? XKCD posted this image suggesting a strategy for creating a password:


This method is trying to eradicate the age-old way of creating passwords that are, in fact, almost impossible for us to remember but relatively easy for a computer to crack.

The password suggested by XKCD (although no longer a good password, because everyone knows about it!) is practically resistant to brute force: although it is composed only of lowercase letters, it is too long for every combination of letters to be tried. The method used to break this password would therefore be a dictionary attack. However, these four words would probably not come up together in a dictionary of common phrases, as they aren't usually associated with one another.

But what happens when this method (stringing together four words) becomes common practice? An attacker could then take the top 10,000 English words and try different combinations of them until the password is found. It is therefore safest to always assume that the password cracker knows the method you are using, and so we must choose at least one uncommon word that is hard to guess, such as mirth, to include in the password. This will make it extremely difficult to crack.
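To put numbers on the three attacks discussed above (brute force over letters, four words from a small list, four words from the top 10,000 words), here is an added worked example, not code from the original post. It assumes the attacker knows the scheme and enumerates every ordered choice of words, a guess rate of 1,000 per second (the online-attack rate the comic itself uses), and a constructed figure of 170,000 entries for the larger word list an attacker would need once one uncommon word is included.

```python
import math

# Constructed assumptions (not from the original post):
# - the attacker knows the passphrase scheme and tries every ordered
#   choice of words from a list of the given size
# - 1,000 guesses/second, the online-attack rate the XKCD comic assumes
GUESS_RATE = 1_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed size of a large, unabridged word list (hypothetical value).
LARGE_WORDLIST = 170_000


def passphrase_space(wordlist_size: int, word_count: int) -> int:
    """Guesses needed to exhaust all word_count-word phrases from one list."""
    return wordlist_size ** word_count


def passphrase_space_with_rare_word(common: int, rare: int, word_count: int) -> int:
    """Same, but one word comes from a larger list of `rare` entries; the
    attacker does not know which position holds it, so every slot is tried."""
    return word_count * common ** (word_count - 1) * rare


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust every string of `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2 of the guess count)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float = GUESS_RATE) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def scenarios() -> dict:
    """The attacks the post discusses, for 'correcthorsebatterystaple' (25 letters)."""
    return {
        "brute_force_25_lowercase": brute_force_space(26, 25),
        "four_words_2048_list": passphrase_space(2048, 4),      # XKCD's ~44 bits
        "four_words_10000_list": passphrase_space(10_000, 4),   # attacker's top-10,000 list
        "three_common_plus_one_rare": passphrase_space_with_rare_word(10_000, LARGE_WORDLIST, 4),
    }


if __name__ == "__main__":
    for name, space in scenarios().items():
        print(f"{name:28s} {entropy_bits(space):6.1f} bits  "
              f"{years_to_exhaust(space):.3g} years to exhaust at {GUESS_RATE} guesses/s")
```

The output shows why the post's advice holds: the top-10,000 attack leaves four common words at roughly 53 bits, while one word the attacker must fetch from a far larger list pushes the search past it, and a letter-by-letter brute force of the 25-character phrase stays far beyond both.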

