I’ve always enjoyed this particular XKCD comic, because of its simplicity. I’ve never heard it debated in a practical setting. The strategy it describes seems very strong, and I’d like to know if I’m missing something.
This comic is assuming a standard stupid brute-force algorithm. That would mean for this example password, each letter has a 1 in 26 chance of being correct. In terms of entropy, we can describe this as log2(26). Because we are talking about a password that is 25 characters long, we should be able to represent this as log2(26)*25, which would mean a total of 117.5 bits of entropy.
If we assume an English word to be a ‘character’, and we assume there are 171,476 words in the English language, then we can calculate entropy based on an entire English word (no capital letters, no spaces, nothing but letters). Every random word would then have an entropy value of log2(171476) or ~17.39 bits per random word. With 4 words, that would mean 17.39 * 4, or ~69.55 bits of entropy, which would still take way too long to guess.
So I still have no idea how the comic’s author came to the conclusion of 44 bits of entropy, so I’m obviously missing something, but does anyone have anything voiding this as a possible strategy for password generation? I would be very interested to hear it.
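The three entropy models discussed above, worked through in code as an added example (not part of the original post). The 2,048-word dictionary is an assumption taken from the comic itself, which credits 11 bits per word; the 1,000 guesses/second rate is the comic's stated attacker speed.

```python
import math

# Added worked example: passphrase entropy under a uniform-choice attacker model.
# Entropy depends on the pool the attacker believes each symbol was drawn from,
# not on how many characters the final string happens to contain.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols, each drawn uniformly from `pool_size` choices."""
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return math.log2(pool_size) * length


def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years to try every candidate in a 2**bits keyspace at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_models() -> dict:
    """Entropy (bits) and exhaustive search time (years) for the three models in the post."""
    models = {
        # 25 lowercase letters, attacker guesses letter by letter (the post's first model)
        "letters_26_x25": (26, 25),
        # 4 words from a 171,476-word English dictionary (the post's second model)
        "words_171476_x4": (171476, 4),
        # 4 words from a 2,048-word list: the comic's assumption of 11 bits per word
        "words_2048_x4": (2048, 4),
    }
    return {
        name: {"bits": entropy_bits(pool, n), "years": years_to_exhaust(entropy_bits(pool, n))}
        for name, (pool, n) in models.items()
    }


if __name__ == "__main__":
    for name, r in compare_models().items():
        print(f"{name:18s} {r['bits']:7.2f} bits  {r['years']:.3g} years at 1000 guesses/s")
```

Shrinking the dictionary from 171,476 to 2,048 words drops four words from ~69.5 to 44 bits, which is where the comic's figure comes from; the attacker's model of how the password was generated, not its character count, sets the number.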