Comment Re:Every time XKCD 936 is Mentioned (Score 1) 549
What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user)
The theory he rejects is the hidden assumption that people will actually pick random words. You've also missed that hidden assumption, and focused on the math. I tend to agree with the security researcher above that the assumption is wrong, and people won't pick random words for passwords.
Most people have a bank account and an ATM card. The ATM card has only a 4 digit PIN on it. That's only 10,000 possibilities, or about 13 bits of entropy. Since most people choose dates (birthdays, anniversaries), there are really only about 400 possibilities for the average person. But yet you don't hear about massive amounts of fraud where people are robbed at ATMs. Why? Because to withdraw the money, you need two things in your possession: the card and the PIN. If you get the card, you also get a small number of tries on the card before it's locked. Even at 1/400 per try it's unlikely you'll be robbed with 3 guesses.
The larger problem is that "security people" tend to think entirely differently from most everyone else, and just assume people act like them. They don't, and no amount of education or pleading will change that. So if you want real security on the web, it's time to ditch passwords as the sole means of authenticating people. You can't change human nature, and that's the root of the problem.
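The two numeric arguments in the comment above (the entropy of a 4-word passphrase collapses when people don't pick words uniformly, and a 4-digit PIN survives because lockout limits the attacker to a few tries) can be put side by side in code. The following is an added example and not part of this comment or the thread; it assumes a 2048-word list of the size XKCD 936's arithmetic uses, and uses a Zipf-shaped preference curve as a constructed stand-in for "people won't pick random words". The 366 MMDD date PINs it enumerates are one concrete version of the comment's "about 400".

```python
import math
from typing import Dict, List, Sequence, Set


def uniform_entropy_bits(possibilities: int) -> float:
    """Bits of entropy when every one of `possibilities` values is equally likely."""
    return math.log2(possibilities)


def shannon_entropy_bits(dist: Sequence[float]) -> float:
    """Shannon entropy of a discrete distribution whose probabilities sum to 1."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def min_entropy_bits(dist: Sequence[float]) -> float:
    """Min-entropy: -log2 of the single most likely value. It bounds an attacker's
    best first guess, which makes it the honest figure for password strength."""
    return -math.log2(max(dist))


def zipf_distribution(n: int, s: float = 1.0) -> List[float]:
    """Constructed preference model (an assumption, not survey data): word k is picked
    with weight 1/k**s, so a few favourite words soak up most of the probability."""
    weights = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def mmdd_pins() -> Set[str]:
    """Every 4-digit PIN that reads as a calendar date in MMDD form (Feb 29 included)."""
    days_in_month = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return {
        f"{month:02d}{day:02d}"
        for month, days in enumerate(days_in_month, start=1)
        for day in range(1, days + 1)
    }


def lockout_success_probability(candidates: int, tries: int) -> float:
    """Chance of guessing a uniformly chosen secret among `candidates` values when the
    card locks after `tries` wrong attempts and the attacker never repeats a guess."""
    return min(1.0, tries / candidates)


def expected_guesses(dist: Sequence[float]) -> float:
    """Average number of guesses for an attacker who tries values most-likely-first
    with no lockout to stop them."""
    ordered = sorted(dist, reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(ordered))


def compare(word_list_size: int = 2048, words: int = 4, pin_tries: int = 3) -> Dict[str, float]:
    """Put the passphrase and PIN cases side by side; every value is returned, not just printed."""
    biased = zipf_distribution(word_list_size)
    date_space = len(mmdd_pins())
    return {
        # Passphrase: what the math promises vs what a biased chooser actually delivers.
        "passphrase_bits_uniform": words * uniform_entropy_bits(word_list_size),
        "passphrase_bits_shannon_biased": words * shannon_entropy_bits(biased),
        "passphrase_bits_min_biased": words * min_entropy_bits(biased),
        "expected_guesses_per_word_biased": expected_guesses(biased),
        # PIN: tiny keyspace, but lockout caps the attacker at `pin_tries` attempts.
        "pin_bits_full": uniform_entropy_bits(10_000),
        "pin_bits_dates": uniform_entropy_bits(date_space),
        "pin_success_full_with_lockout": lockout_success_probability(10_000, pin_tries),
        "pin_success_dates_with_lockout": lockout_success_probability(date_space, pin_tries),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:36s} {value:10.4f}")
```

Running it shows the 44 bits of the uniform 4-word case falling to roughly 12 bits of min-entropy once word choice follows the constructed Zipf curve, while the 366-date PIN, weak as it is at about 8.5 bits, still yields well under a 1% success rate for an attacker holding the card and three tries before lockout. The two knobs a defender controls are different: a passphrase generator that picks the words (removing the human from the choice) restores the first number, and a lockout or second factor is what makes the second one tolerable.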