I don't really think so, but the point is this: even heroes are fallible. If you can't follow the discussion in the comments on this post, then don't follow any suggestion you happen to read in one blog post, even if it is by Bruce Schneier. Get a second opinion or better yet, learn enough math to follow arguments like these.
If you interpret it the second way, then the XKCD method does in fact give you a password with N times 11 bits of entropy (N = number of words).
1. There is an objective meaning of "memorable." In other words, the "best" set of four to me is just the best set of four regardless of who is picking it.
Thank you for debunking the xkcd passphrase approach.
Password crackers can try a lot more than 8 million guesses per second for most formats (e.g. MD5, SHA, NT Hash, LANMAN). I don't know where the 8M in that article came from, but the screenshot shows four GPUs collectively trying 656M+ guesses per second.
Or am I making a miscalculation here?
A good rig can make billions of guesses per second for the formats I mentioned. A couple of years ago, Jeremi Gosney built a cluster that could try over 300 billion guesses per second for the NTLM (MD4) hash.
*You have a chance that they will recover the database and not the key, but you should not rely on it. See the Adobe leak as an example for both cases.
You're misunderstanding the xkcd password rules. The suggestion is pretty smart, really. The average "dictionary" size from which a person draws to perform daily conversations is around 2048 words (using power-of-2 for simplifying the math). The comprehension vocabulary is usually larger, but the xkcd estimate is really about the vocabulary that you will choose from when producing output, not that when parsing input.
@wilson et al. Here is the spreadsheet. By all means, improve on it.
The basic idea being that you basically accept that you can't force users to choose strong passwords, but at least eliminate the really weak passwords, allow those people who would choose stronger passwords to do so, and increase the possibilities to slow down an attacker who tries to crack your entire database. Combining with a salted, slow hash function, possibly with a secret key* should also be considered essential.
Some final set, non single components.
Contains an Uppercase Character
Contains a Lowercase Character
Contains a Number
Contains a Non-Alphanumeric Character
A length of 14 Characters or Longer