xkcd: how many words in the English language

The title text is missing. Am I right that Randall states that postmodernists are not clever? He's trying to give Cueball an easy way to remember to not behave this way in the future. It's funny because the lesson is a failure, it causes more long term harm than long term benefit.

Also it is unlikely that Cueball is paying attention to the lesson anyway, being distracted by the pain and loss. Or possibly it's funny because Black Hat is just causing his usual mayhem, and pretends to be a teacher to hide his intention, and does an unconvincing job.

-- Shingleslant (talk). That is all I have to add.

Explanation

This is a reference to a famous joke (see the first of the meta versions under the wiki link), mistold in the above comic.

The original, correct telling of the joke is: Think of words ending in "-gry". There are only three words in the English language. What is the third word? Hint: The word is something that everyone uses every day. If you have listened carefully, I have already told you what it is.

Transcript

[Black Hat and Cueball are standing next to each other.]
What's the third?
Black Hat: I don't think there is one, unless you count really obscure words.

Cueball: Ha! It's "language"! I said there are three words in "the English--" Hey!

Discussion

Ok, everything on this page, I already got. But as a brief overview: The reason it's easy to miss is that the words are written as a dialog would happen. If it had been properly punctuated it would have read "There are three words in 'the English language' that end with gry: 'Angry' and 'Hungry' are two."

Below is the complete index of the book, called "Things in this book by page". First the simple title is listed. Then follows the translation of this to normal language in brackets, with a wiki link to the most relevant page, based on the book's material rather than the actual title. After "…" follows the page number for the start of that title as listed in the book. There are 45 entries, but with the introduction, the list of used words and the acknowledgments taking up three, the total ends up at 48 explanations.

Cueball can be seen on the cover overlooking some of the labeled pictures. It was thus clear early on that the book would explore the themes labeled on the front cover, which include astronomy, constellations, and geology.

There are several funny "explanations" on the cover, like labels on arrows pointing to the title and to Randall's name explaining that this is:

The back cover of the book was also available:

Part of the fun of reading the book is finding out what 'complex' word the simple word phrases are encoding.

For a partial list, see Thing Explainer Decoder.

Ooooh, I know I get this one for x-mas, but there is soooo long until then. Nice to have something you really want for x-mas again. Only 20 more days to go. Can't wait.

I put in the promotional picture.

If someone could make it appear smaller I would appreciate this. I'm not sure how to do this without changing the file's resolution, which I do not wish to do. It should be possible to see this version of the picture by opening the file.

If the ten hundred word vocabulary is still too complex and you want to explain things in even simpler terms, you might take a look at learnthesewordsfirst. It explains the most common English words using a set of only words (the "semantic atoms and molecules" from the lessons).

A natural choice is to add the same symbol between all words. If the app has a show-password option, the phrase can be read easily. In theory that adds 5 bits of strength, downgraded to 4 bits (see the "troubador" method in the explanation of the mathematics in this comic). The exact downgrading also depends on how easy it is for an attacker to guess the symbol, or to first try specific separator symbols.

That's why I use 3 distinct sets of symbols to calculate this type of strengthening. I use the following for the calculation (Excel notation, only if a separator symbol is being used):

The Diceware Passphrase Home Page mentions a special modification that is not in the comic's passphrase part: insert just 1 random letter in just 1 of the words of the phrase chosen.

That would add another 10 bits of entropy.

I've wondered about this one as well, and I would like to analyze it not from a philosophical point (if users write down their passwords, it becomes something you have instead of something you know). I recently downloaded GPU password cracking software to play around with.

I'd like to crack both of these passwords using that, since it's my new toy, and determine which is better. For a hypothesis, I would like to also throw out a possible variation: the attacker may know you only use dictionary words and don't enforce symbols and numbers, decreasing the key space. Against 2 control groups where the random passwords contain 2 numbers, 2 special characters and are 16 characters long.

Seems that most agree that regarding maths, the Horse method is superior; to what extent seems to be mostly about limitations like how uniform the choices are, or what these "easy to remember" or "easy to type" phrases are.

Fair enough, but I'll teach you a magic trick on how to make these limitations a "bit" less relevant:

That's for following the Horse method blindly. The magic trick is that you don't stop here.

Unless you are a desperately boring and un-creative person, you can get a great advantage from the next steps. I mean, not just think, have your brain fart out completely new words for you, or completely new methods to distort the existing ones.

This rule also applies to everything I write from now on: just go ahead and change the methods arbitrarily ;). A special case of this can be making use of the different keyboard layout used in your country. For example, in the Czech layout, letters with diacritics share keys with numbers (the row above the alphabetic part). This, in fact, creates a mapping of letters and numbers that can supplement or replace the "traditional" L33T.

Think about how you can benefit from it. You can re-use the method for new passwords; it all depends on how complex a method you will create (more complex, more re-usable, but don't overdo it :).

Generating a password does not have to be boring. In fact, the funnier you make it, the more likely you are to actually remember the password. But don't get me wrong: don't make it funny at the cost of uniqueness.

Try to use that kind of funny which is funny only to you (ask your brain). Oh and don't make it too funny--you don't want to giggle and blush every time you type your passphrase ;).

Totally wrong.

There's more than math at work here. Human beings creating passwords out of human language! If you start with that assumption, entropy is radically reduced as a factor in the time necessary to crack the password. As Don Corleone, the great philosopher, said: Think like the people who are around you. As some people already stated (so I'm not going to repeat that), it depends on the mechanism of brute-force attacks and dictionary attacks being used.

First of all, the best way to keep an attacker from attacking is taking away the target in the first place. None of my servers have SSH running on port 22, and root login is almost always deactivated in the sshd configuration.

But that's just an example. Don't give away the user name and you can save yourself a lot of trouble. So, for the rest: Those who actually guess the username right and find your service will try very common brute-force attacks. Short passwords are always a bad idea, because there's no dictionary needed. Cycling through all the alphanumeric combinations in both lower and uppercase and common 'salt' like commas, semicolons and so on would take a few days to crack.

Based on my own experience: I had an old OpenBSD routing machine set up, but the internet provider password changed and I didn't have physical access to the machine. The password turned out to be [Firstname][Lastname][Number] of some celebrity. I was curious, so I tried different cracking tools. A name-based one took only six hours to crack the same password. The trick with those brute-force attacks is to know what you're dealing with. A password that is based on something personal, that is encrypted with your own method, is still safe from most dictionary attacks and can only be guessed by a simple brute-force attack, which would take years to cycle through all the possibilities.

According to rumkin, this is kinda safe: Not bad for a first try. I can actually remember that and most mechanisms will not attempt to 'guess' that kind of a password, because it doesn't make any sense to any of the systems. Either it's short and complex, like L5q3CR,-F (which is kind of hard to remember but easy to guess), or it consists of variations of actually existing words. It's a human weakness, to help yourself remember things, to go for something really simple, or common.

If somebody manages to get around all that, you're dealing with pros anyways :) but keep your password secure by doing something human, that nobody expects and no computer can guess or predict: do your own thing, just remember that your own thing has to be long enough to avoid the simple attacks and stay out of the dictionary for the most part.

Use something, that only makes sense in YOUR brain and scatter in a few special characters. For a cracker, a fast way to guess a password is only offered when you do something predictable, like use something short, that's easy to memorize or something that consists of common words, or combinations of letters that you find in dictionaries.


XKCD: Short complex password, or long dictionary passphrase?

Asked 10 years, 3 months ago. Active 1 year, 3 months ago.

Am I missing something or is this armchair analysis sound?

A practical note: I have used Diceware to help me select random words before.

I found I could remember 5 words really easily. I did roll a couple of times to find a sequence that felt nice to say in my head though, without necessarily making sense.

New most common passwords: onetwothreefour passwordpasswordpasswordpassword teenagemutantninjaturtles — Chris Burt-Brown.

I think commenters here have brought up all of these points already but, for the record, here's some elaboration by the comic's author, Randall Munroe: ask.

Makes you wonder why some banks limit your password to 6 or 7 characters.

I think the most important part of this comic, even if it were to get the math wrong (which it didn't), is visually emphasizing that there are two equally important aspects to selecting a strong password (or actually, a password policy, in general):

- Difficulty to guess
- Difficulty to remember

Or, in other words:

- The computer aspect
- The human aspect

All too often, when discussing complex passwords, strong policies, expiration, etc. (and, to generalize, all security), we tend to focus overly much on the computer aspects, and skip over the human aspects.

Your last quote deserves a thousand upvotes.

For an in-depth analysis of the maths behind the xkcd, see Thomas's answer below. His answer shows why the xkcd got the math right, a perfect complement to why it doesn't actually matter.

If my home gets robbed I would be much more concerned about the robbers having my banking password than about having lost my cash, jewelry etc.; especially if I find out about the burglary only when I get home at the end of the day.

The only remotely potentially tenable justification for keeping passwords on desk post-its is that they are passwords to something not important so it's no big deal if someone steals them.

@SantiBailors agreed, it is not a good practice. But I think it is better for someone who would have difficulties in remembering a good password than choosing something trivial, like the name of their dog.

Another thing that makes the battery staple method better (via AviD's observation on usability) is the increasing number of mobile devices.

On a mobile keyboard, the 'leetspeak' method requires a lot of pecking and symbol table shifting to and fro, while the battery staple method can be typed in much more easily with less risk of error. Try timing yourself how quickly you can enter either sample password on an iPhone's screen keyboard.

Here is a thorough explanation of the mathematics in this comic:

The little boxes in the comic represent entropy in a logarithmic scale, i.e. one box per bit.

The "correct horse" method

The password generation process for this method is: take a given public list of words (supposedly common words, easy to remember).

The total entropy is then 44 bits, matching the 44 boxes in the comic.

The "troubador" method

For this one, the rules are more complex:

- Select a random word in a given big list of meaningful words.
- Decide randomly whether to capitalize the first letter, or not.
- For the letters which are eligible to "traditional substitutions", apply or not apply the substitution (decide randomly for each letter).
- Append a punctuation sign and a digit.

Applicability

The paragraphs above show that the maths in the comic are correct (at least with the precision that can be expected in these conditions; that's a webcomic, not a research article). It still requires the following conditions: The "password generation method" is known by the attacker.

Original answer: The comic assumes that the selection of a random "common" word yields an entropy of about 11 bits, which means that there are about 2048 (2^11) common words.

For instance, the following activities:

- select four words randomly, then remember them in the order which makes most sense;
- if the four words look too hard to remember, scrap them and select four others;
- replace one of the words with the name of a footballer (the attacker will never guess that!)

Thomas Pornin (edited by Jens Bannmann)

One crucial thing I believe this answer is missing is a mention of dictionary attacks. It may be obvious to anyone versed in this stuff that dictionary attacks are considered in the entropy calculation, but every single time I've heard someone criticise this xkcd strip, it's on the grounds that the author only considers brute force attacks and that a real attacker can use a more sophisticated dictionary attack.

The thinking there is wrong, but I think dictionary attacks need a mention just to nay-say the naysayers and clear up the confusion here.

An error here: A string of 4 randomly chosen words out of your dictionary. Hence the total number of letters in the string has to be such that they do not reduce the entropy as seen from a 'Word' POV.
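The accounting in Thomas Pornin's answer above, worked through in code. This is an added example, not code from the answer or from xkcd: it sums log2 of the number of equiprobable choices at each random step of a generation method, which is the entropy faced by an attacker who already knows the method and the word list. The 2048-word list follows the answer's 11 bits per word; the per-step counts for the "troubador" method are the comic's own box tallies (16 + 1 + 3 + 4 + 3 + 1 = 28 bits), taken as an assumption of this example; the 7776-word (6^5) Diceware list and the 32-candidate separator follow the Diceware comments earlier on this page; the 1000 guesses per second rate is the comic's. The character-class estimator at the end is a stand-in for the rumkin-style estimate that commenters on this page argue about; it scores the output string rather than the process and so overstates both passwords.

```python
import math
import secrets

# Entropy of one generation step that picks uniformly among `choices` options.
def step_bits(choices):
    return math.log2(choices)

# Entropy of a whole method: the sum over its random inputs. `steps` is a list
# of (description, number of equiprobable choices). Anything the attacker is
# assumed to know (the word list, the method itself) contributes nothing.
def method_bits(steps):
    return sum(step_bits(choices) for _, choices in steps)

# "correct horse": four words drawn uniformly from a public list of 2048
# common words, 11 bits each.
CORRECT_HORSE = [("common word", 2048)] * 4

# "troubador", with the comic's own box counts taken as this example's
# assumption: an uncommon base word worth 16 bits, capitalisation (1 bit),
# three common-substitution decisions (3 bits), a punctuation sign (4 bits),
# a digit (3 bits) and which of the two comes last (1 bit).
TROUBADOR = [
    ("uncommon base word", 2 ** 16),
    ("capitalise first letter", 2),
    ("substitute a->4", 2),
    ("substitute o->0", 2),
    ("substitute e->3", 2),
    ("punctuation sign", 16),
    ("digit", 8),
    ("digit or punctuation last", 2),
]

# Diceware: five rolls of five dice index a 6^5 = 7776-word list. One separator
# symbol drawn from 32 candidates is worth log2(32) = 5 more bits, and only if
# the symbol really is chosen at random rather than "the one I always use".
DICEWARE_5 = [("diceware word", 6 ** 5)] * 5
DICEWARE_5_SEP = DICEWARE_5 + [("separator symbol", 32)]

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def years_to_exhaust(bits, guesses_per_second=1000.0):
    """Time to try the whole space at the comic's 1000 guesses/second (a
    rate-limited online service). The average case is half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def generate_passphrase(word_list, n_words=4, rng=secrets):
    """Draw n_words uniformly with a CSPRNG. Re-rolling until the phrase
    'feels nice', or reordering it to make sense, spends some of the
    nominal n_words * log2(len(word_list)) bits."""
    return " ".join(rng.choice(word_list) for _ in range(n_words))

def output_shape_bits(password):
    """What a character-class estimator sees: length times log2 of the
    alphabet implied by the classes present. It scores the output, not the
    process, so it credits "Tr0ub4dor&3" with far more than its 28 bits."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ]
    alphabet = sum(size for present, size in classes if present)
    return len(password) * math.log2(alphabet)

if __name__ == "__main__":
    for name, steps in [("correct horse", CORRECT_HORSE), ("troubador", TROUBADOR),
                        ("diceware x5", DICEWARE_5), ("diceware x5 + separator", DICEWARE_5_SEP)]:
        bits = method_bits(steps)
        print(f"{name:24s} {bits:5.1f} bits  {years_to_exhaust(bits):12.3g} years at 1000/s")
    # constructed sample list for the demo; a real list has 2048 or more entries
    sample_words = ["correct", "horse", "battery", "staple", "paper", "cloud", "river", "lamp"]
    print(generate_passphrase(sample_words))
    print(output_shape_bits("Tr0ub4dor&3"), output_shape_bits("correct horse battery staple"))
```

The two numbers the comic prints fall out directly: 44 bits is about 550 years at 1000 guesses per second, 28 bits about 3 days. The last line shows why "apparent entropy of the output" is the wrong yardstick: the character-class score gives "Tr0ub4dor&3" around 72 bits and the four-word phrase well over 100, neither of which the attacker who knows the method has to search.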

I love how you and AviD linked to each other's answers.

@NH It happens.

Depends greatly on implementation!

Entropy:

Now, what is not clearly addressed: Will these passwords have to be entered manually? How easy are these passwords to remember?

Jeff Atwood

Jeff, this answer is flawed. You rely upon rumkin for password entropy estimation, but rumkin's estimates are apparently bogus. Look at the xkcd comic again: it visually depicts the justification for its entropy estimate (that's what the little boxes are doing).

I totally disagree with your conclusion, and I don't see where you get it from.

"Yes, cracking a stolen hash is faster, but it's not what the average user should worry about." But I see more of a consensus that web site operators can't keep their hash databases secure over time against attackers, so we should engineer the passwords and hash algorithms to withstand stealing the hashes for offline attack.
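Since the answer above argues for engineering the hashing to survive a stolen database, here is an added example (not code from the answer or from any library the page names) of what that looks like with Python's standard library: a salted PBKDF2-HMAC-SHA256 store-and-verify routine with a constant-time compare and a rehash check, followed by the offline guess budget that the work factor buys. The storage format, the 600,000 iteration figure (OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256) and the attacker hash rates are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Storage format of this example (an assumption, not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
ALGO = "pbkdf2_sha256"
# Work factor: OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256 (assumed here).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Salt and stretch a password for storage.

    A fresh random salt per password makes precomputed tables and cross-user
    reuse useless, so each stolen hash has to be attacked on its own. The
    iteration count makes every guess cost the attacker about as much as a
    login costs the server."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time
    so response timing does not leak how many digest bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash format: " + algo)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when the stored hash is below current policy. Call it right after a
    successful verify, while the plaintext is in hand, to upgrade old rows."""
    algo, stored_iterations, _, _ = stored.split("$")
    return algo != ALGO or int(stored_iterations) < iterations


# Offline cracking budget once the hash database is stolen. The rates are
# assumptions for illustration: a GPU rig computing raw SHA-256 at 1e10/s,
# throttled to roughly 1e10 / iterations per second by the KDF. Compare the
# comic's 1000/s for a rate-limited online service.
def seconds_to_exhaust(bits, guesses_per_second):
    return 2 ** bits / guesses_per_second


def kdf_rate(raw_hashes_per_second=1e10, iterations=DEFAULT_ITERATIONS):
    return raw_hashes_per_second / iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("correct horse battery stapler", stored))  # False
    for bits in (28, 44):
        raw = seconds_to_exhaust(bits, 1e10)
        slow = seconds_to_exhaust(bits, kdf_rate())
        print(f"{bits} bits: raw SHA-256 {raw:.3g} s, PBKDF2 {slow:.3g} s")
```

On the assumed rig a raw SHA-256 store lets the attacker exhaust the 44-bit "correct horse" space in under an hour and the 28-bit "troubador" space in tens of milliseconds; the KDF moves those to decades and hours respectively. That work factor is the one lever the site operator still controls after the database is gone, which is why the answer's "plan for the hashes being stolen" position matters regardless of which password style users pick.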

Right, it depends on what the threat is.

And for Thomas: those are multidimensional cross product operations, and I am assuming a right-handed coordinate system in Euclidean space.

You don't need a strong password for a website.

@Elazar I've had access to all kinds of databases in my various jobs. In most of them, nobody would notice if I dumped a copy to a file and walked out with it, reversed those short, irrelevant passwords that users have handily re-used on other sites, then went from there.

Database compromise by an external actor isn't the only reason for hashing passwords properly, or for users choosing strong passwords. If you allow weak passwords or strong ones, people use passwords in patterns, like youtotallywouldnotguessthis01 then youtotallywouldnotguessthis. Also, if additional services don't make the same restriction, they're then affected. Good hashing is therefore critical; plan as if the database is already compromised.

Although you're right that if you're actually experiencing frequent compromise you've probably got bigger issues.

Chris Cudmore:

I have trouble with the odd order of the words. Me: Correct! And much stronger..

Maybe we should just introduce graphical passwords, where you have to draw the horse and battery staple in the final frame image.

Absolutely, as I said in my answer too - password security is not just about entropy, it's about the human aspect, and how the user remembers it (or doesn't). Entropy is absolutely important, but that's not the end of the story.

Having a post-it with a very complex password sure beats having a bad password memorized. Usually you're protecting yourself from remote attacks, not someone sneaking around on your desk (that is an issue for office security). Also, with post-its you can easily disguise the password or alter it slightly ("every 1 is a 2", or the password is only half of what is written, etc.).

You're oversimplifying.

Also, just realized how old this is, sorry, but I still think it applies — pzkpfw.

Scroll up and check - YES!

To add to AviD's excellent answer, the other key messages of the comic are: the appropriate way to calculate the entropy of a password generation algorithm is to calculate the entropy of its inputs, not to calculate the apparent entropy of its outputs as rumkin.

Misha

Have you considered that from the Bible, there are potentially dozens of different translations? And that's just English. Suppose some American knew a number of verses in Klingon (with appropriate accents, if appropriate). The flip side of this coin is also an interesting concept.

Password cracking libraries may become the repositories (out of order) of all knowledge, because college term papers, news broadcasts, and everything else will get included.

That already exists. Search for Klingon at the link — jpaugh.

Let's go through it: Random dictionary word.

Very reasonable. Adding in capitalization. I'm going to group this with common substitutions. Of course a secure webservice does slow things down.

Not all webservices are secure though.

@DanBeale: If you don't trust the users to make a password in a suitably random way, how do you trust them to make a passphrase in a suitably random way?

@Billy ONeal: I read the insecure web service part, but think it's irrelevant. Most services worth hacking into (banks, major email accounts, major sellers such as Amazon, etc.)

@DanBeale I think the point is that some users will always do the minimum required of them, and that services which force users to use a "strong" password with at least one number, one capital letter, one punctuation mark, etc. are actually counterproductive (though they look really good to management!)

DanBeale (edited by Benoit Esnard)

Not sure why you want a "formal" analysis of Diceware. The concept is simple and it works. There's no fancy math needed.

Diceware is good, but users are poor. There's a comment on this page from someone who says that they roll more than once to get a memorable passphrase. So, if the phrases are given to the users it's okay, but what happens if users are allowed to use diceware themselves?


