
XKCD "Correct Horse Battery Staple" — The Comic That Changed Passwords Forever

Last updated: April 2026 · 6 min read · Generator Tools

In August 2011, Randall Munroe published XKCD #936, and password security changed forever. The comic made a simple, mathematical case: a memorable 4-word passphrase like "correct horse battery staple" is BOTH more secure AND easier to remember than "Tr0ub4dor&3" — the kind of "complex" password that millions of websites still demand. Fifteen years later, that comic is still the best 1-minute introduction to password security.

Generate your own XKCD-style passphrase.

Open Passphrase Generator →

The comic's argument in 30 seconds

XKCD #936 compares two passwords:

| Password | Bits of entropy | Years to crack at 1000 guesses/sec |
|---|---|---|
| Tr0ub4dor&3 | ~28 bits | 3 days |
| correct horse battery staple | ~44 bits | 550 years |

The "complex" password loses to the simple passphrase in BOTH security and memorability. The reason: complex passwords use limited substitution patterns (a→@, o→0, e→3) that crackers know about. A genuinely random 4-word passphrase has more entropy because there are millions of possible combinations.

Why "complex" passwords are weaker than they look

The classic complex password formula:

  1. Pick a base word ("Troubadour")
  2. Substitute some letters (Tr0ub4dor)
  3. Add a symbol (Tr0ub4dor&)
  4. Add a number (Tr0ub4dor&3)

This feels secure but isn't, because crackers know the formula. They run dictionaries through every common substitution pattern in seconds. The base word "Troubadour" is in the dictionary, so the cracker tries it with every plausible substitution. Total search space: ~10,000 variations of "Troubadour." Cracked instantly.

A genuinely random 4-word passphrase doesn't have this weakness because there's no base word — every word is independently random. The search space is roughly (word list size)^4. For a 2048-word list, that's 17.5 trillion combinations. For a 7776-word Diceware list, that's 3.6 quadrillion combinations.

The comic's specific math

Randall Munroe's calculation in panel 2:

The 16-bit difference (44 bits versus 28) looks small, but each extra bit doubles the search space, so 16 bits is a 2^16, or roughly 65,000x, increase.

What changed since 2011

Two things have changed since the comic:

  1. Cracking is much faster. Modern GPUs can guess billions of passwords per second, not 1000. The 550-year estimate from the comic is now closer to 10 hours for a 4-word passphrase. This is why we now recommend 5-6 words instead of 4.
  2. "correct horse battery staple" is famous. Every password cracker now has that exact phrase in its dictionary. Don't use the literal example — generate your own.
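The arithmetic behind the figures in the table, in the "specific math" section and in point 1 above, worked through as an added example (this is not the comic's own calculation or the Bison generator's code; the 28-bit figure for "Tr0ub4dor&3" is taken from the post as given, and the 10^9 guesses/second rate is an assumed round number for a modern GPU cracking a fast hash):

```javascript
// Added example (not the comic's own figures or the Bison generator's code):
// the entropy and search-space arithmetic behind the numbers quoted in the post.

const SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60;

// Entropy in bits of `wordCount` words drawn uniformly and independently
// from a list of `listSize` words: log2(listSize ^ wordCount).
function passphraseEntropyBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// Number of distinct passphrases, computed by repeated multiplication so the
// result stays an exact integer while it fits in a double (< 2^53).
function searchSpace(wordCount, listSize) {
  let total = 1;
  for (let i = 0; i < wordCount; i++) total *= listSize;
  return total;
}

// Worst-case years to try every one of 2^bits candidates at a given rate.
// The expected (average) time to a hit is half of this.
function yearsToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond / SECONDS_PER_YEAR;
}

// Smallest word count that reaches a target entropy with a given list size.
function wordsForTargetBits(targetBits, listSize) {
  return Math.ceil(targetBits / Math.log2(listSize));
}

// Render a duration given in years as a readable string (assumed helper).
function describeYears(years) {
  if (years >= 1) return `${years.toFixed(1)} years`;
  const days = years * 365.25;
  if (days >= 1) return `${days.toFixed(1)} days`;
  const hours = days * 24;
  if (hours >= 1) return `${hours.toFixed(1)} hours`;
  return `${(hours * 3600).toFixed(2)} seconds`;
}

// The comic's two passwords (28 bits as stated in the post, 44 bits for four
// words from a 2048-word list) at the comic's 1000 guesses/second, and at an
// assumed 10^9 guesses/second to show what changed since 2011.
function comparisonTable() {
  const candidates = [
    ["Tr0ub4dor&3", 28],
    ["4 words from a 2048-word list", passphraseEntropyBits(4, 2048)],
  ];
  return candidates.map(([name, bits]) => ({
    name,
    bits,
    at1000PerSec: describeYears(yearsToExhaust(bits, 1e3)),
    at1e9PerSec: describeYears(yearsToExhaust(bits, 1e9)),
  }));
}

console.table(comparisonTable());
console.log("2048^4 =", searchSpace(4, 2048), "  7776^4 =", searchSpace(4, 7776));
console.log("Words needed for 64 bits: 2048-word list ->", wordsForTargetBits(64, 2048),
            " 7776-word list ->", wordsForTargetBits(64, 7776));
```

`yearsToExhaust` reports the worst case (every candidate tried); the table's "years to crack" and the post's hour-scale estimate for a GPU are of the same order, and the exact figure depends entirely on the guess rate you assume, which in turn depends on how the password is hashed. `wordsForTargetBits` shows why the word count matters more than the list: a 2048-word list needs 6 words to pass 64 bits, a 7776-word Diceware list needs 5.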

2026 recommendations (post-XKCD)

| Account type | Recommended length | Bits of entropy |
|---|---|---|
| Throwaway account | 4 words | ~44 bits |
| Personal account | 5 words | ~55 bits |
| Important account | 6 words | ~66 bits |
| High-value account | 7 words | ~77 bits |
| Crypto/master key | 8+ words | ~88+ bits |

For comparison, NIST recommends 64+ bits for passwords protecting sensitive information. A 6-word passphrase comfortably exceeds this.

Generating your own XKCD-style passphrase

The free Bison Passphrase Generator follows the XKCD approach exactly:

  1. Picks N random words from a curated word list using the Web Crypto API
  2. Joins them with your choice of separator
  3. Optionally capitalizes, adds a number, or adds a symbol if a site requires them
  4. Shows the entropy in bits and a strength label

Open it, click Generate New a few times until you get one you like, and save it in your password manager.

Why XKCD-style passphrases changed the industry

Before 2011, every "secure password" guide pushed character substitution. After 2011, the conversation shifted toward length over complexity. By 2017, NIST officially updated SP 800-63B to recommend long passphrases instead of forced character classes. By 2026, every major password manager has a built-in passphrase generator. All of this can be traced back to a comic that made the math obvious in three panels.

The comic's other insights

Beyond the entropy calculation, XKCD #936 made two more valuable points:

  1. "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." This is still the dominant mode of password creation. Most people are still doing it wrong because the complexity rules push them toward weak patterns.
  2. You can remember a passphrase by visualizing it. The comic shows a horse, battery, and staple as a memorable mental image. Random nouns are easier to picture than random characters, which is why passphrases stick in memory.

Generate an XKCD-style passphrase now.

Open Passphrase Generator →