Dictionary attacks usually contain a dictionary of common passwords. To use a dictionary for this, you’d have to use a word dictionary instead of a password one. And then you’re back to combinatorics.
4 words, where each word is in the dictionary: N^4. However the N here is way bigger than the amount of ASCII characters. Especially if each of the words may be of a different language. If N is larger than 16384, then it has more combinations than a random 8 ASCII character password. 16384 = sqrt(sqrt(128^8)). Quick Google search says English has more than 1 million words.
Therefore even if you know that the user generated their password using this method and used a dictionary attack tailored for this method, it would still be harder to break than a random 8character password.
The thing is to have a program randomly select the words for you. That way the words are not related between them, and you aren’t limited by only the words you know.
Dictionary attacks usually contain a dictionary of common passwords. To use a dictionary for this, you’d have to use a word dictionary instead of a password one. And then you’re back to combinatorics.
4 words, where each word is in the dictionary: N^4. However the N here is way bigger than the amount of ASCII characters. Especially if each of the words may be of a different language. If N is larger than 16384, then it has more combinations than a random 8 ASCII character password. 16384 = sqrt(sqrt(128^8)). Quick Google search says English has more than 1 million words.
Therefore even if you know that the user generated their password using this method and used a dictionary attack tailored for this method, it would still be harder to break than a random 8character password.
https://internationalenglishtest.com/blog/how-many-words-are-in-the-english-language/
I mean sure it might still work, but would make more sense to grasp for some trickier words, like fantasy character names etc.
The thing is to have a program randomly select the words for you. That way the words are not related between them, and you aren’t limited by only the words you know.
Random words, one misspelled, occasional symbols.
Correct-horse7battery,stapple
If your password can be brute forced then you’re just not trying.