(no title)

> E.g. postcriptaluminumengagement vs kug45l2wx

If you pick from a dictionary of 250,000 words, that is around 18 bits. So three randomly chosen words strung together give you around 54 bits. On the other hand, an alphanumeric character is around 6 bits, so 9 of them strung together is about 54 bits.

Assuming your dictionary was 250,000 words, both of the passwords you posted were about the same quality (until you posted them - now they're again about the same quality, but much less).

> Or are there also dictionaries that contain combos of words?!

Your software just concatenates words and other well known sequences (123, zxcvbn).

Check out the great password entropy checker called zxcvbn:

https://github.com/dropbox/zxcvbn

https://dropbox.tech/security/zxcvbn-realistic-password-stre...

https://www.bennish.net/password-strength-checker/

(Note: don't enter production passwords into random websites, needless to say...)

3 words is not enough usually, but it technically depends on the dictionary size. Since the formula is dictsize^numwords, adding a word to your phrases is a lot better than adding a thousand words to your dictionary (also because of diminishing returns above ~5 thousand words).

Iirc 6 words is a good size for most dictionaries or 7 words for diceware, but might be off by one so please look around. I remember posting it on the security stackexchange site (I'm currently on mobile, not logged in or I'd look it up in my user) and I'm not the only one who's done this calculation. It also depends on what security level you need (e.g. should it prevent from offline brute force or only online brute force)

Gone are the days of huge generic dictionaries, a small tailored dictionary with a proper ruleset will pick off 3 word phrases with ease.