That’s true for a dictionary of 10^5 words. However the xkcd comic assumes a 2048 word dictionary, which only gives you 1.75 x 10^13 combinations. If your password is hashed with a weak algorithm, that can be cracked in minutes on a decent GPU. Luckily that can be fixed with just a few more words; 7 words gives you 1.5 x 10^23 combinations.
I don’t really like the xkcd comic because it says the user shouldn’t be worried about offline attacks on hashed passwords. Unless you have a unique password for every service (best practice, but too much for the average user) using a password that is weak to offline attacks puts your other accounts at risk if one service has their password hashes leaked. Which does happen, a lot.
That’s true for a dictionary of 10^5 words. However the xkcd comic assumes a 2048 word dictionary, which only gives you 1.75 x 10^13 combinations. If your password is hashed with a weak algorithm, that can be cracked in minutes on a decent GPU. Luckily that can be fixed with just a few more words; 7 words gives you 1.5 x 10^23 combinations.
I don’t really like the xkcd comic because it says the user shouldn’t be worried about offline attacks on hashed passwords. Unless you have a unique password for every service (best practice, but too much for the average user) using a password that is weak to offline attacks puts your other accounts at risk if one service has their password hashes leaked. Which does happen, a lot.