say that for each word there are about 2000 words that a person would commonly use
I think this is an extremely low estimate, but OK.
- What about capitalization, e.g. "I have a Black hat"? That means the number of possibilities just doubled for each word.
- What about punctuation, e.g. "I have a Black hat!" or "I have a tall, black hat"? That's a few possible characters that may or may not be present. With the comma alone we've doubled the number of attempts for each word. And the end of the sentence has to be tried with a period, question mark, exclamation point at least.
Without even breaking a sweat, I've increased the REAL number of comparisons you'd have to attempt to (6000 ^ 5) * 3 or
23,328,000,000,000,000,000
I guess the hypothetical attack tool you are talking about would have a complete command of English (and perhaps other languages/words/grammatical errors that might slip in)? I don't know how it would know what capitalization and punctuation rules make sense to try, or even which words statistically follow other words. I am not sure this attack tool you're describing A) even exists or B) is possible to create. It's certainly several orders of magnitude more difficult than a simple "check the next ASCII character in sequence".
Furthermore, it's trivial to add words. I could easily change this passphrase to "I have a tall, Black Stovepipe hat!" or enforce a "must be at least n words" rule.
(6000 ^ 7) * 3
839,808,000,000,000,000,000,000,000
This compares quite favorably to your 16 character password nobody can remember "xY6^ui*9uiyrt"
40^16
42,949,672,960,000,000,000,000,000