I've always disagreed with this XKCD. Given a passphrase dictionary attack, the passphrase would be discovered in less than a minute.
And technically, if you didn't know the format of the password, and you were just trying to get a random 11 character password, that would take a long time to crack. There are (roughly) 94 characters that you could safely use for your password pretty much universally on any website...
94^11 = 5.06x10^21 which means if your computer can generate 2 million hashes a second it would take:
80 million years to crack a truly random 11 character password.
Passphrases are stupidly insecure unless you throw enough randomness in it.
e.g. (quotes included): "My Phone Number is `(123)546-8794!!!`"
Given a passphrase dictionary attack, the passphrase would be discovered in less than a minute.
Wait, what?
2,048^4 == 2^44 == 17,592,186,044,416
At 2 million hashes/second it would still take 101 [edit: actually, on average, 50] days to find this password, if it was unsalted. Perhaps if you had spent a few years of supercomputer time to generate some massive rainbow tables, you might be able to discover it quickly, but absent the need for your LinkedIn password to be resistant to attacks from a nation state, you'd be pretty safe with such a password for a while.
It's entirely unclear how you came to the conclusion that it could be discovered in "under a minute" with a passphrase dictionary attack.
Diverging from your main point a bit: 2MH/s is unrealistically low. For a couple thousand dollars you can build FPGA HW that can do several billion SHA1 hashes/s. The bitcoin mining world is getting 400-450 SHA256 MH/s from a $130 chip. With similar technology, you can brute force a 2^44 SHA1 space in a lot less than 50 days.
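To make the numbers in this thread reproducible, here is an added calculator (not posted by any of the commenters) that computes keyspace, entropy and brute-force time for the random 11-character password and the four-word Diceware-style passphrase at the hash rates mentioned above. The alphabet size (94), word-list size (2,048) and hash rates (2 MH/s, 450 MH/s) are taken from the thread; the 365.25-day year is an assumption.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY  # assumption: Julian year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must consider for a uniformly random
    choice of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniform choice over `space` candidates."""
    return math.log2(space)


def crack_time_seconds(space: int, hashes_per_second: float, average: bool = False) -> float:
    """Time to exhaust the keyspace (worst case), or half of it (average case),
    for an unsalted fast hash at the given guessing rate."""
    guesses = space / 2 if average else space
    return guesses / hashes_per_second


def compare(hashes_per_second: float) -> dict:
    """Worst-case crack times, in convenient units, for the two password styles
    discussed in the thread: 11 random printable ASCII chars vs. 4 words from 2,048."""
    random_space = keyspace(94, 11)      # ~5.06e21
    phrase_space = keyspace(2048, 4)     # 2^44
    return {
        "random11_bits": entropy_bits(random_space),
        "random11_years": crack_time_seconds(random_space, hashes_per_second) / SECONDS_PER_YEAR,
        "phrase4_bits": entropy_bits(phrase_space),
        "phrase4_days": crack_time_seconds(phrase_space, hashes_per_second) / SECONDS_PER_DAY,
        "phrase4_avg_days": crack_time_seconds(phrase_space, hashes_per_second, average=True) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    for rate in (2e6, 450e6):            # 2 MH/s (thread's figure) and one 450 MH/s ASIC
        r = compare(rate)
        print(f"{rate:.0e} H/s: random 11-char ~{r['random11_bits']:.1f} bits, "
              f"{r['random11_years']:.3g} years; 4-word ~{r['phrase4_bits']:.0f} bits, "
              f"{r['phrase4_days']:.1f} days worst / {r['phrase4_avg_days']:.1f} days avg")
```

The 2 MH/s row reproduces the thread's 80 million years and 101 days (50 on average); the 450 MH/s row shows the same 2^44 space falling in under half a day, which is the reason salted slow hashes (bcrypt, scrypt, Argon2) rather than raw SHA are what actually protects a stored password.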
I see xkcd's passphrase is correcthorsebatterystaple and think that it is the wrong way to do it.
The memorization of that password would work much better than a simple passphrase like that.
i.e., the actual password would be:
"That's a battery staple. Correct!"
And I don't believe that people will easily be able to crack that, even with the minimal randomness that has been put in, with current techniques. Sure, if natural language cracking becomes popular you may have to become a little more creative, like using a made-up word or name or a number, but even your example, if no one knows what your password is:
"My Phone number is (123) 546-8794."
should be sufficient for a very hard to crack password. And again, it is many times better than a simple dictionary passphrase with a few words combined.