Multi-cultural passwords: an evolution of “correct horse battery staple”

Albert Liang, published in Tech Sketches
Apr 19, 2018 · 3 min read
https://xkcd.com/936/

Ah, the stressful art of creating a password… something “secure” but “easy to remember”.

XKCD did a pretty good job presenting a good, user-friendly method. I more or less follow that pattern now, but with a slight twist. While correcthorsebatterystaple is a very long password, it’s technically only composed of 4 dictionary words. Dictionary attacks are slightly more cumbersome than straight-up brute forcing, but not as difficult as one would assume. There are 26 letters in the English alphabet, and there are probably only ~10,000 common words, so while each position now has far more possible values, you’ve also cut the number of independent choices an attacker must guess from ~10 (for a 10-letter password) to 4.

Using a setup that can compute 350 billion guesses per second, the above two examples (a 10-letter lowercase password and a 4-word dictionary passphrase) will be cracked in a maximum of 403 seconds and 7.9 hours, respectively. The password could be cracked much sooner if an earlier guess is correct.

Another way to test password strength is to use a helpful tool created by Dropbox called zxcvbn. (It’s the bottom 6 letters of a standard qwerty keyboard.)

Let’s check correcthorsebatterystaple using zxcvbn:

Only 8 hours to crack!

Technically, zxcvbn says it’s already strong, but what if, instead of using standard English words, you incorporate words from a different language? Changing correct to correcto (Spanish):

Now it takes 29 days!

The complexity instantly jumps up by orders of magnitude. At 10 billion guesses per second, it increases from 8 hours (for correcthorsebatterystaple) to 29 days (for correctohorsebatterystaple). If Spanish is your second language, this change is trivial for you to remember.

However, this trick only works because you’re using two or more languages. I would caution against converting your entire password into a different, non-English language. For example, if we try correcthorsebatterystaple in Chinese (對馬電池訂書針), the results look quite promising, but…

Practically impossible to brute-force, but zxcvbn only assumes an English dictionary attack

… there are only about 10,000 common words in Chinese as well (same as English). This password is about as easy to crack as the original. By combining two languages, we force the dictionary attack to consider 20,000 possible words instead!
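To make the counting argument behind these numbers explicit, here is an added example (not part of the original post) that models each password as `symbols ** length` guesses, where a “symbol” is a letter for brute force and a whole word for a dictionary attack. It assumes the post’s figures: ~10,000 common words per language, a 350 billion guesses/s cracking rig, and a bilingual attacker dictionary that is simply the union of the two 10,000-word lists.

```python
import math

# Attacker throughput quoted in the post: 350 billion guesses per second.
GPU_RIG_RATE = 350e9

# Constructed dictionary sizes, following the post's "~10,000 common words" per language.
ENGLISH = 10_000
SPANISH = 10_000
CHINESE = 10_000


def keyspace(symbols: int, length: int) -> int:
    """Worst-case guesses: `length` independent picks from `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Same keyspace expressed in bits, the unit most strength meters report."""
    return length * math.log2(symbols)


def crack_seconds(guesses: int, rate: float) -> float:
    """Time to exhaust the keyspace at `rate` guesses per second."""
    return guesses / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


# The four cases the post discusses, as (symbols, length) pairs.
MODELS = {
    "10 random lowercase letters": (26, 10),
    "4 English words": (ENGLISH, 4),
    "4 words, English+Spanish dictionary": (ENGLISH + SPANISH, 4),
    "4 Chinese words (fully translated)": (CHINESE, 4),
}


def report(rate: float = GPU_RIG_RATE) -> dict:
    """Worst-case crack time in seconds for every model at the given rate."""
    return {name: crack_seconds(keyspace(s, n), rate) for name, (s, n) in MODELS.items()}


if __name__ == "__main__":
    for name, (s, n) in MODELS.items():
        secs = crack_seconds(keyspace(s, n), GPU_RIG_RATE)
        print(f"{name:38s} {entropy_bits(s, n):5.1f} bits  {human_time(secs)}")
```

Under this model the fully translated Chinese passphrase has exactly the same keyspace as the English one, while the union dictionary multiplies the worst case by 2^4 = 16; zxcvbn’s larger jump comes from its own pattern matching rather than from this count.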

So, with just a small modification (incorporating a second, familiar language or culture) and a little bit of discipline (not changing your entire password to that second language), you can very easily amplify the strength of your passwords.

Go forth and be safe!
