i'm not sure i completely agree with that. for one thing, he calculates entropy wrong. according to wikipedia, the set of all ASCII characters has an entropy of 6.5446 bits per character. given an 11 character password, that's ~72 bits. a 26 letter character set has an entropy of 4.7004 bits per character; with 24 letters, that gives the password 112 bits. that doesn't make my case for why i disagree, just showing that he calculated entropy wrong. i actually don't even know how he came up with those numbers.

People understanding things in this way is exactly why everyone chooses bad passwords. His point is that if everyone has passwords like Tr0ub4dor&3, password guessers won't guess random printable ASCII characters, they'll guess a word and then try some substitutions on it.

So 'Troubador' can be guessed with a dictionary attack, which is why the word only gets about 16 bits of entropy (that puts it in the top 64000 most common words in English). There is additional entropy added by the substitutions but substituting '0' for 'o' is much easier to guess than changing the 'o' to a random character.

i'm not going to try to calculate the possible number of permutations of a 24 character english word password, but it's definitely significantly less than the 112 bits of entropy we calculated earlier. is it less than the 72 bits for the ASCII character set? i don't know. but maybe someone smarter than me can go tell us that one.

And again, since an attacker would be using a dictionary attack, the correct way to calculate entropy is per word, not per character. The xkcd calculates 11 bits of entropy per common word, which suggests these words are in the top 2^11=2048 most common words, which seems reasonable (a quick glance at wikipedia suggests around 80% of the words in written texts are built from the most common 2000 words). So we get 44 bits of entropy. Obviously less than 72 bits, but how many people are really going to create a completely random alphanumeric-punctuation string of 11 characters (not built from a word or pattern)?
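To put the two ways of counting side by side, here is an added worked example (not from anyone in this thread): it computes per-character entropy for uniformly random strings, per-word entropy for a passphrase drawn from a word list, and an attacker's-eye estimate for a "dictionary word plus leet substitutions" password. The 95-character printable ASCII set, the leet table and the 16-bit rank for "Troubador" are assumptions of the example.

```python
import math

# Charset sizes used below. 95 printable ASCII characters (0x20-0x7E) is an
# assumption of this example; the thread quotes a slightly different figure.
PRINTABLE_ASCII = 95
LOWERCASE = 26

# Constructed leet substitution table for modelling passwords like Tr0ub4dor&3.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def char_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly from a charset: log2(charset) per character."""
    return length * math.log2(charset_size)


def word_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy of a passphrase of uniformly chosen words: log2(dictionary) per word."""
    return words * math.log2(dictionary_size)


def leet_substitution_bits(word: str) -> int:
    """Bits added when each substitutable letter is either kept or swapped for its
    leet equivalent: one binary choice per eligible letter, nothing more."""
    return sum(1 for ch in word.lower() if ch in LEET)


def random_substitution_bits(word: str, charset_size: int = PRINTABLE_ASCII) -> float:
    """Bits added if those same positions held a uniformly random character instead."""
    return leet_substitution_bits(word) * math.log2(charset_size)


def pattern_password_bits(word: str, word_rank_bits: float = 16) -> float:
    """Attacker's-eye entropy of '<dictionary word> + leet substitutions'.
    word_rank_bits models the word sitting in the top 2**word_rank_bits words
    (the thread's ~16 bits for 'Troubador'); substitutions add one bit each."""
    return word_rank_bits + leet_substitution_bits(word)


def compare() -> dict:
    """The figures discussed in the thread, side by side (in bits)."""
    return {
        "11 random printable ASCII chars": char_entropy_bits(PRINTABLE_ASCII, 11),
        "24 random lowercase letters": char_entropy_bits(LOWERCASE, 24),
        "4 words from a 2048-word list": word_entropy_bits(2048, 4),
        "Troubador + leet substitutions": pattern_password_bits("Troubador"),
        "Troubador + random chars at those spots": 16 + random_substitution_bits("Troubador"),
    }


if __name__ == "__main__":
    for scheme, bits in compare().items():
        print(f"{scheme:42s} {bits:6.1f} bits (~2^{bits:.0f} guesses)")
```

The gap between the last two rows is the whole argument: a leet swap is a one-bit choice per letter, while a truly random character at the same position is worth log2(95) bits.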