This never made sense to me, assuming that using common words is more secure than random characters. To a computer it doesn’t matter if you’re using random characters or a group of words, it’s all a matter of guessing from a pool of characters. So “energic bicycle stamp” is less safe than “3nerg1c bicycll3 st4mp!” because the latter uses a larger pool of characters than the former.
You could imagine two different passwords machine-generated with the same entropy under plausible selection schemes: some w$#J8fe keysplat or the selection of 5 words from a dictionary of common words. Both would be equally secure against a password-guessing attacker, but the common-word one would be easier for most people to remember.
If you held memorability constant, the character-splat password would be less secure.
You could imagine a hybrid, but the one you demonstrate is the kind that humans construct on their own where some characters are replaced with lookalike symbols-- these sorts of ad hoc schemes are well modeled by replacement rulesets and Markov-model password guessing algorithms and don't tend to add a ton of entropy. They do hurt memorability a fair bit, and the better done (from a security perspective) the worse the hit on memorability.
The comic's author would probably argue just adding an extra word is better from a security and memorability perspective, or at least I argue that. :)
> So “energic bicycle stamp” is less safe than “3nerg1c bicycll3 st4mp!” because the latter uses a larger pool of characters than the former.
The whole point of xkcd/diceware style passphrases is to expand the pool. The traditional random password uses something like 96 symbol pool (printable ascii), while passphrases use a pool of thousands of symbols (length of wordlist). That is where their strength comes from.
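The two comments above (equal-entropy schemes with different memorability, and the pool-size argument) can be checked with a few lines of arithmetic. The block below is an added example, not code from any commenter or from xkcd/Diceware; it assumes the standard 7776-word Diceware list, 95 printable ASCII characters (the thread rounds this to 96), and a small hand-picked lookalike table that models the attacker's substitution ruleset as an independent keep-or-replace choice per eligible character.

```python
import math
import secrets

# Pool sizes. The thread rounds printable ASCII to 96; there are 95
# printable ASCII characters if the space is counted, 94 without it.
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776  # 6^5 entries in the standard Diceware list

# Lookalike substitutions a human might apply by hand. This table is an
# assumption for the example; real cracking rulesets are much larger.
LEET_TABLE = {
    "a": ["4", "@"],
    "e": ["3"],
    "i": ["1", "!"],
    "o": ["0"],
    "s": ["5", "$"],
}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def leet_variants(phrase: str, table=LEET_TABLE) -> int:
    """Count the strings reachable from `phrase` by independently choosing, for
    each substitutable character, to keep it or pick one of its lookalikes.
    That product is exactly the space a substitution ruleset enumerates."""
    count = 1
    for ch in phrase.lower():
        if ch in table:
            count *= 1 + len(table[ch])
    return count


def leet_entropy_bits(phrase: str, table=LEET_TABLE) -> float:
    """Entropy the substitutions add on top of the base phrase, assuming the
    attacker already guesses the phrase and only enumerates the ruleset."""
    return math.log2(leet_variants(phrase, table))


def chars_for_equivalent_entropy(n_words: int,
                                 word_pool: int = DICEWARE_WORDS,
                                 char_pool: int = PRINTABLE_ASCII) -> int:
    """Length of a uniformly random character password that has at least as
    much entropy as an n-word passphrase from `word_pool`."""
    return math.ceil(entropy_bits(word_pool, n_words) / math.log2(char_pool))


def generate_passphrase(wordlist, n_words: int) -> str:
    """Draw words with the secrets module (CSPRNG), never random.choice, so
    each word really contributes log2(len(wordlist)) bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    base = "energic bicycle stamp"
    print(f"3 Diceware words:            {entropy_bits(DICEWARE_WORDS, 3):.1f} bits")
    print(f"4 Diceware words:            {entropy_bits(DICEWARE_WORDS, 4):.1f} bits")
    print(f"leet variants of base:       {leet_variants(base)} "
          f"-> +{leet_entropy_bits(base):.1f} bits")
    print(f"3 words + substitutions:     "
          f"{entropy_bits(DICEWARE_WORDS, 3) + leet_entropy_bits(base):.1f} bits")
    print(f"random ASCII matching 4 wds: {chars_for_equivalent_entropy(4)} chars")
    # Constructed toy wordlist; a real Diceware list has 7776 entries.
    demo_list = ["energic", "bicycle", "stamp", "correct", "horse", "battery", "staple"]
    print("sample passphrase:", generate_passphrase(demo_list, 4))
```

Under these assumptions the lookalike rewrite of "energic bicycle stamp" reaches only 648 variants, about 9.3 extra bits, so three substituted words sit near 48 bits while a plain fourth word takes the phrase to about 51.7 bits; the same 51.7 bits need only an 8-character uniformly random ASCII password, which is the trade-off between pool size and symbol count the thread is arguing about. The numbers are for generated passwords; a phrase a person picks by hand is drawn from a far smaller effective pool.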
What I find baffling is that we're in 2025 and people still can't make a decent, simple, interoperable WYSIWYG text editor without that Markdown cancer. This crap has to be shoved in everybody's face in almost every good app because some nerds want to read code no matter what. I really despise that crap.
Are you kidding? There are lots of WYSIWYGs of various kinds out there and some of them are decent. You can get them for Markdown, HTML, RTF, and many other formats. But the real common denominator between most apps is text. You could try HTML, but that is much more code-like than Markdown. It would be wildly unreasonable to make text into a binary-only thing that you can only paste into apps that support the particular encoding that you're using.
Some nerds read and write code for a living, and they invented Markdown too, so what are you proposing? This nerd wants to read and write equations too.