diff --git a/src/index.html b/src/index.html index 20c743b..cbf0ce9 100644 --- a/src/index.html +++ b/src/index.html @@ -113,9 +113,28 @@ -
While using a single dictionary as a password is horribly insecure and can be guessed in seconds, guessing multiple - words gets exponentially harder. Using five words should be able to stop any attempts you can be expect, while eight - words can probably deter even the most determined attackers for the next ten years or so.
+The core idea is that while using a single dictionary as a password is horribly insecure and can be cracked in + seconds, each additional word makes cracking exponentially harder.
+ +There is a lot of criticism on the internet about this password scheme. However, most of them fail to get the
+ actual point. There are also claims that correcthorsebatterystaple
is as secure as a 9 character
+ password, which sounds fairly bad. This is true if your 9 character password is truly random, such as
+ n98idhi3n
, and not say, Tr0ub4d0r
. The point is that,
+ correcthorsebatterystaple
is more memorable than n98idhi3n
, for approximately equal
+ security. To increase security, we can always add more words.
5 words from the large list, or 6 words + from the small list is sufficient for all reasonable threats.
+ +Let us consider the absolute worst case, assuming the attacker knows your password is generated by this site, + knowing that it has 65 bits of entropy, your password was insecurely hashed, and your enemy has GPUs to run + 500 billion attempts every second. Even then, this scheme will resist the + cracking attempt for over a year.
+ +Now, most attackers can't attack you that fast, and those who could have better things to do than spending a year + doing nothing but attacking you (unless you possess state secrets or something), so this is more than sufficient for + your password. In the highly unlikely case that your password need more security than this offers, or perhaps you + are just paranoid, adding an extra word would make the attack time thousandfold.
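Review bot: the "65 bits of entropy" and "over a year" figures in the third added paragraph are stated without their assumptions, so a reader cannot check them against the word count they actually chose. Say which configuration the 65 bits refers to (entropy is words × log2(list size), so the sentence "5 words from the large list, or 6 words from the small list is sufficient" should name the list sizes), and state that the figure only holds when every word is drawn uniformly at random by the page's generator, since any user-picked or non-uniform words give less. The arithmetic itself checks out: 2^65 guesses at 500 billion per second is about 2.3 years for a full search and roughly 1.2 years on average, so "over a year" is fine, but "adding an extra word would make the attack time thousandfold" understates it for either list (a word from a list of N entries multiplies the search by N, which is over a thousand for both). Wording fixes in the same hunk: "using a single dictionary as a password" is missing "word" (it was already missing in the removed line), "most of them fail to get the actual point" should read "most of it fails to get the actual point" since it refers to "criticism", and "your password need more security" should be "needs".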