There’s a stick-figure comic from 2011 that I’ve quoted in more security conversations than any standard, framework or vendor whitepaper from my thirty years in ICT. It’s xkcd number 936, and it makes one claim in four panels: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
There's a stick-figure comic from 2011 that I've quoted in more security conversations than any standard, framework or vendor whitepaper from my thirty years in ICT. It's xkcd number 936, and if you've never seen it, it makes one claim in four panels: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
It was right in 2011. It's still right. The passphrase vs password argument was settled fifteen years ago, in four panels — and most of the password policies I encounter still haven't caught up with a webcomic.
The maths the comic got right
The comic compares two approaches. A password like Tr0ub4dor&3 — a word with the substitutions and tacked-on symbol that every policy since the early 2000s has demanded — carries roughly 28 bits of entropy. Four random common words — correct horse battery staple — carry roughly 44 bits. Each added bit doubles the guessing work. The "weaker-looking" passphrase is around sixty-five thousand times harder to brute-force, and it's the one a human can actually remember.
Here's the version of that comparison I use with business owners. Th@ts!s3cure looks like it was issued by a bank. Twelve characters, mixed case, numbers, symbols — it satisfies almost every complexity policy ever written. Kite-@irplane sky glasses looks like a child's fridge poetry. It's the second one that's enormously stronger, for one boring reason: it's twice as long, and length is the only variable that compounds.
Those substitutions in Th@ts!s3cure buy you almost nothing, because cracking software stopped being fooled by them decades ago. Every serious cracking rig runs rule engines that try @ for a, 3 for e, ! for i, and a symbol bolted on the end — automatically, in the first seconds of an attack. Your clever substitutions aren't clever to a machine. They were pre-computed before you thought of them.
What do the actual numbers look like on modern hardware? In 2025, Hive Systems' password table — modelling a dozen top-end consumer GPUs against properly hashed passwords — put an 8-character all-numbers password at about 15 minutes to crack, and an 8-character fully complex one at 164 years (Hive Systems, 2025 Password Table).
Sounds reassuring, until you see what length does: at 13 fully complex characters the same attack takes 56 billion years. Complexity moved the number from minutes to years. Length moved it from years to never. And that's against a site doing its hashing properly — a generous assumption you can't verify from the outside.
The standards now back passphrases over complex passwords
This isn't fringe thinking anymore; it's the official position of the people who invented the old rules. In July 2025, NIST published the final Revision 4 of its Digital Identity Guidelines, and the language is blunt: verifiers "SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types)" and "SHALL NOT require subscribers to change passwords periodically" (NIST, SP 800-63B-4, 2025).
The same document sets a 15-character minimum where a password stands alone. Mandatory symbols and 90-day rotations came from this very agency — and it has now formally deleted both.
Australia's guidance says the same thing in plainer words. The Australian Signals Directorate recommends passphrases of at least four random words and 15 characters or more — their example is "crystal onion clay pretzel" (ASD, Creating Strong Passphrases, 2026). Random words, mind you — not your kids' names in order of birth.
So why does the form on your screen still demand a symbol, a number and an uppercase letter, then force a reset every quarter? Because policy fossilises. Complexity rules date from a 2003 NIST document, written in good faith with the evidence of the day, and they spent two decades being copied into compliance checklists, audit templates and password-field validators by people who never went back to check whether the source had moved. The source has moved. The checklists haven't.
I've watched the rotation rule fail at industrial scale. On big projects — government agencies, data centres, sites with thousands of staff — 90-day forced resets produced exactly one behaviour: Winter2019! became Spring2020!, on schedule, forever. Everyone in the room knew. The auditors ticked the box anyway. We trained an entire workforce to increment a counter and called it security.
How passwords actually die in 2026
Here's the part the complexity debate misses entirely: most passwords aren't cracked at all. They're collected.
As of June 2026, Have I Been Pwned indexes more than 17.6 billion breached accounts (Have I Been Pwned, 2026). Attackers don't need to guess your password if you've reused it on a site that's already been breached — they just try the known one everywhere, by the million, automatically. Verizon's 2026 Data Breach Investigations Report found credential abuse somewhere in the chain of 39% of breaches (Verizon, 2026). Reuse, phishing and infostealer malware do the harvesting; no GPU required.
Read that against the complexity rules and the absurdity lands. Th@ts!s3cure used on twelve sites is twelve times a sitting duck, however many symbols it contains. A mediocre password used exactly once is a contained failure. Uniqueness beats complexity, and it isn't close.
So the honest ranking of what matters, in order: that the password is unique to the site; that it's long; that there's a second factor behind it — and only then, a long way back, what characters it contains.
What I actually do about it
Nobody can remember sixty unique passphrases, and the good news is nobody has to. That's what a password manager is for. Mine remembers a few hundred credentials; each one is long, random and used in exactly one place, because a machine generates them and a machine recalls them.
Human memorability only matters for the secrets a human must hold — and with a manager, that list shrinks to about three: the manager itself, your computer login, and your primary email. Make those three genuine four-or-five-word passphrases, in the Kite-@irplane sky glasses mould, and you're done memorising for life.
Which manager? I genuinely don't mind. Competent ones — paid, free, built into your browser — all clear the bar that matters, which is the bar marked "any manager at all versus the same password everywhere".
Same with the passphrase-versus-password argument generally: I'd rather you pick any long, unique approach today than research the perfect one for another month. The basics, done now, beat the optimum, scheduled for later — a rule that applies to everything else in small-business security too.
And before anyone writes in: yes, a password manager is a single point of failure. So is the alternative — your memory, plus the post-it, plus the same recycled password propping up forty accounts. Single points of failure are a fact of life; the question is whether yours was engineered by a security team or improvised at a keyboard in 2014. I know which of those failure modes turns up in breach corpora 17.6 billion times.
I keep coming back to the fact that a webcomic settled the passphrase vs password question a decade and a half before most password policies did. The evidence was always there. The standards have caught up; ASD and NIST now agree with the stick figures. The only thing still enforcing Th@ts!s3cure is habit — yours, your software's, and your IT provider's.
Fifteen years is a long time for an industry to argue with four panels and lose. What's your renewal date on Winter2026!?
Sources
- xkcd, Password Strength (comic 936, 2011)
- NIST, SP 800-63B-4 Digital Identity Guidelines: Authentication and Authenticator Management (July 2025) — retrieved 12 June 2026
- Australian Signals Directorate, Creating Strong Passphrases — retrieved 12 June 2026
- Hive Systems, 2025 Password Table — retrieved 12 June 2026
- Verizon, 2026 Data Breach Investigations Report — retrieved 12 June 2026
- Have I Been Pwned, breached-account index — retrieved 12 June 2026
