Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics

The real issue with the xkcd password is the fact that because of the comic's popularity, it is now common knowledge, making it about as secure as "password".

As for the method used to create the password, your claim that it's vulnerable to "a clever dictionary attack" is misleading. To crack the password in a few days, like you suggested, the attacker would have to:

  • know the method used to generate the password
  • know the exact list of words used to generate the password
  • have access to the hashed password (instead of, for example, attacking a server)

Finally, the point of this method is to create a password that is hard to crack, but very easy to remember, and it achieves that.


Thanks for pointing this out, you have some great points! To be more transparent about my calculations:

  • I assume that the attacker has access to the hashed password for all attacks, as that is the most common form of attack.
  • My "clever dictionary attack" would be to brute force whole words as well as characters, which means that the xkcd password is only 4 "characters" long. I would start by using the most common words and slowly expand my dictionary, which means that my character pool would reach about 12k "characters" before cracking that password. This would also destroy passwords like "catlover99" and "strong_password", however, I admit it is still rather idealistic haha.
  • 2 very easy ways to avoid this are to change one of the words to a very niche one (e.g. Panthera) and to throw a random character in the middle of a word!

This video explains this pretty well!