>So you think the chance of human beings to come up with 4 random words is pretty low?
I've always wondered how effective the random words thing is. Sure, there are like 100k English words in current use according to Google, but it seems like a list of the most common few hundred of those words would crack a lot of passwords.
If you assume the password to be only based on the 200 most common words you already have 30.5 bits of entropy to brute force or 1.6 billion guesses and you're assuming your attacker knows you're using this password strategy. The Wikipedia entry on Basic English [1] suggests there are about 850 core words for daily life and I could immediately think of simple words like well-known animals you would see in the zoo that are not included. So how many of these "4 words that you could draw as a picture"-passwords actually fall into even the most common 850 words?
30 bits of entropy isn't particularly secure against locally cracking a password hashed with SHA-256 or a similar non-password hash. However, at 1000 guesses per second it would already take 28 days to brute-force, and 1000 guesses per second is pretty fast against any password stored with a properly configured password hash like bcrypt.
I personally auto-generate readable passwords for most websites at ~70 entropy pure brute-force and ~50 entropy if my algorithm and set of inputs would be exposed.
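The arithmetic behind the numbers in the comment above, as an added illustration that is not from any commenter: the keyspace and entropy of a four-word passphrase drawn from a dictionary of a given size, and the worst-case time to enumerate it at an assumed guess rate. The word list and the guess rates are constructed assumptions, not figures from the thread.

```python
import math
import secrets

# Constructed toy word list; a real diceware-style list runs to thousands of words.
SAMPLE_WORDS = ["apple", "bridge", "candle", "dragon", "engine", "forest",
                "giraffe", "hammer", "island", "jacket", "kettle", "lantern"]

SECONDS_PER_DAY = 86400


def generate_passphrase(words, count=4):
    """Pick `count` words uniformly at random, with replacement, using a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def keyspace(dictionary_size, word_count):
    """Number of distinct passphrases when words are drawn with replacement."""
    return dictionary_size ** word_count


def entropy_bits(dictionary_size, word_count):
    """Entropy in bits, assuming the attacker knows both the scheme and the dictionary."""
    return word_count * math.log2(dictionary_size)


def worst_case_days(dictionary_size, word_count, guesses_per_second):
    """Days needed to try every passphrase at a constant guess rate (worst case)."""
    return keyspace(dictionary_size, word_count) / guesses_per_second / SECONDS_PER_DAY


def crack_time_table(dictionary_size, word_count, rates):
    """Worst-case days for each assumed guess rate, keyed by rate."""
    return {rate: worst_case_days(dictionary_size, word_count, rate) for rate in rates}


if __name__ == "__main__":
    # Assumed rates: an online/throttled attacker, a slow password hash, a fast non-password hash.
    rates = (1_000, 100_000, 10_000_000_000)
    for dict_size in (200, 850, 100_000):
        bits = entropy_bits(dict_size, 4)
        print(f"{dict_size:>7} words, 4 per phrase: {bits:5.1f} bits, "
              f"{keyspace(dict_size, 4):.2e} guesses")
        for rate, days in crack_time_table(dict_size, 4, rates).items():
            print(f"    at {rate:>14,} guesses/s: {days:.3g} days worst case")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```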
You also need to be aware that in this case, the attacker is not (and would not be) targeting any specific device. For brute forcing, all it takes is a dictionary of the most common passwords and a list of devices that are exposed. Attackers won't spend too much time on any single device, as there are so many options out there.