From 75947b03a558df3c6096fde7d3bc77c29e6c875f Mon Sep 17 00:00:00 2001 From: Quantum Date: Mon, 26 Nov 2018 18:27:47 -0500 Subject: [PATCH] Update description. --- src/index.html | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/src/index.html b/src/index.html index 20c743b..cbf0ce9 100644 --- a/src/index.html +++ b/src/index.html @@ -113,9 +113,28 @@ -

While using a single dictionary as a password is horribly insecure and can be guessed in seconds, guessing multiple - words gets exponentially harder. Using five words should be able to stop any attempts you can be expect, while eight - words can probably deter even the most determined attackers for the next ten years or so.

+

The core idea is that while using a single dictionary as a password is horribly insecure and can be cracked in + seconds, each additional word makes cracking exponentially harder.

+ +

There is a lot of criticism on the internet about this password scheme. However, most of them fail to get the + actual point. There are also claims that correcthorsebatterystaple is as secure as a 9 character + password, which sounds fairly bad. This is true if your 9 character password is truly random, such as + n98idhi3n, and not say, Tr0ub4d0r. The point is that, + correcthorsebatterystaple is more memorable than n98idhi3n, for approximately equal + security. To increase security, we can always add more words.

+ +

5 words from the large list, or 6 words + from the small list is sufficient for all reasonable threats.

+ +

Let us consider the absolute worst case, assuming the attacker knows your password is generated by this site, + knowing that it has 65 bits of entropy, your password was insecurely hashed, and your enemy has GPUs to run + 500 billion attempts every second. Even then, this scheme will resist the + cracking attempt for over a year.

+ +

Now, most attackers can't attack you that fast, and those who could have better things to do than spending a year + doing nothing but attacking you (unless you possess state secrets or something), so this is more than sufficient for + your password. In the highly unlikely case that your password need more security than this offers, or perhaps you + are just paranoid, adding an extra word would make the attack time thousandfold.
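Review bot: The "65 bits of entropy" figure in the worst-case paragraph cannot be checked by a reader because the hunk never states how large the "large list" and "small list" are, nor that each word is drawn independently and uniformly with a cryptographic RNG; since the whole argument rests on that number, state both list sizes next to "5 words from the large list, or 6 words from the small list" and say the words are chosen uniformly at random (entropy is word count times log2 of the list size only under that condition). The arithmetic behind "over a year" does hold for the stated parameters: 2^65 guesses at 500 billion per second is about 7.4e7 seconds, roughly 2.3 years to exhaust the space and about 1.2 years on average, and one sentence showing that would make the claim more convincing. Minor copy issues carried into the added lines: "a single dictionary as a password" is missing "word" (the removed sentence had the same slip), "most of them fail to get the actual point" should be "most of it fails" since "criticism" is singular, "your password need more security" should be "needs", and "would make the attack time thousandfold" reads better as "would increase the attack time a thousandfold".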