> What is there to prevent “letmeinfacebook” from being the new most common four word password for Facebook accounts?
This comment suggests the author doesn't really understand the XKCD password scheme. The point is to choose four random words, not the first four words that pop into your head.
Also you cannot rely on an automatic password checker to tell the user their candidate password is weak: If it flags 'password1' as a weak password the user will just switch to 'password2' and that will become a common (i.e. weak) password, at least until the password checker's database is updated.
I think the author did understand the comic, but his point is that we can't enforce the "use four random common words" rule on users since the users don't understand the XKCD password scheme. They'll pick "letmeinfacebook", which is no better than using "password".
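The two mechanisms the thread contrasts, as an added example that is not part of any comment above: a generator that actually follows the XKCD scheme (each word drawn uniformly with a CSPRNG, entropy = words × log2(list size)), and a checker that normalizes the cheap dodges ('password1' → 'password2', trailing '!' or digits) and flags strings that are nothing but common words glued together, so the blocklist does not have to be updated for every increment. The wordlist and blocklist are constructed for illustration; a real deployment would use a full Diceware list and a breach-derived blocklist.

```python
import math
import re
import secrets

# Constructed sample wordlist (assumption). A real Diceware-style list has
# 7776 entries; the XKCD comic assumes roughly 2048, i.e. 11 bits per word.
WORDLIST = ["correct", "horse", "battery", "staple", "ocean", "pencil",
            "window", "garden", "silver", "rocket", "lantern", "meadow",
            "copper", "violin", "harbor", "thunder"]

# Constructed blocklist of base words (assumption); a real one is breach-derived.
COMMON_BASES = {"password", "letmein", "qwerty", "facebook", "welcome",
                "iloveyou", "monkey", "dragon", "admin"}


def generate_passphrase(n_words=4, wordlist=WORDLIST):
    """XKCD/Diceware scheme: every word drawn uniformly and independently
    with a cryptographic RNG. Nothing about the user's taste enters here."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words uniformly chosen words from a list of list_size entries."""
    return n_words * math.log2(list_size)


def normalize(candidate):
    """Strip the tweaks people use to slip past a blocklist: case, separators,
    and a trailing run of digits or punctuation ('password2', 'Password!')."""
    s = candidate.lower()
    s = re.sub(r"[\s_\-]+", "", s)
    s = re.sub(r"[\d!@#$%^&*.]+$", "", s)
    return s


def segment(s, words):
    """Dynamic-programming split of s into a sequence of words from `words`.
    Returns the list of parts, or None if no such split exists."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]


def is_weak(candidate, common=COMMON_BASES):
    """Return (weak?, reason). Catches the increment dodge and the
    'letmeinfacebook' case without any database update."""
    base = normalize(candidate)
    if not base:
        return True, "empty after normalization"
    if base in common:
        return True, f"'{candidate}' normalizes to blocklisted '{base}'"
    parts = segment(base, common)
    if parts is not None:
        return True, f"'{candidate}' is common words glued together: {parts}"
    return False, "not matched by blocklist"


if __name__ == "__main__":
    for pw in ["password1", "password2", "Password!", "letmeinfacebook",
               "correct horse battery staple"]:
        print(pw, "->", is_weak(pw))
    print("generated:", generate_passphrase())
    print("bits for 4 words from 2048:", passphrase_entropy_bits(4, 2048))
```

The checker still cannot tell four words a user picked from four words a CSPRNG picked, which is exactly the objection in the thread: if the words themselves are common enough to be in the blocklist, a genuinely random phrase gets rejected too. The only property that separates the two is the generation process, so the robust fix is to have the site generate the phrase, or to accept user choice and lean on rate limiting and hashing rather than on a checker.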