Laura Creighton writes:
> I think that it is better to take the first letter in every word
> of a memorable phrase so that you do not forget them by mistake.
I was curious how many bits of entropy your phrase method would produce. So I took the first volume of Gibbon's _Decline and Fall of the Roman Empire_ and generated a file containing the first letter of every word, of which there are 268,776. gzip -9 was able to compress this file to 165,993 bytes, which is 1,327,944 bits. I used the following Perl program to generate the initials:

    #!/usr/bin/perl -w
    use strict;
    # Print the first character of every run of word characters (\w+),
    # with no separators, so the output has exactly one byte per word.
    while (<>) {
        print substr($&, 0, 1) while /\w+/g;
    }

If we stipulate, for the sake of argument, that gzip was able to remove all the redundancy in the input (or at least all of it that might be useful to an attacker), then we get about 4.94 bits per word, which is pretty darn good --- perfect random selection of lowercase letters would give us 4.7 bits per letter, and there's a fair amount of uppercase and some numbers in Gibbon.

An 8-char password generated with 'mkpass' contains 52.6 bits of entropy. Using your phrase method, to get an equivalent password, you'd need 11 characters (the initials of an 11-word phrase), giving 54.3 bits of entropy. That's not bad.

If you wanted to brute-force passwords generated by this method, gzip (seeded with 64K of Gibbon or something similar) might not be a bad place to start. Just feed the decompressor random noise (and turn off the CRC checking).

I'm not certain how much entropy using a "memorable" phrase costs us, but probably not more than five or ten bits, and probably not in an exploitable fashion.

Would you mind if I posted this message to kragen-discuss?

[She said she didn't mind.]
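The measurement above, redone as an added Python example (not code from the message or from its author): extract the initials the same way the Perl one-liner does, compress them with gzip -9, and turn the result into bits per word and a "words needed to match mkpass" figure. The sample text is a few constructed sentences written for this example, not Gibbon, so the numbers it produces will not match the post's; the 95-symbol alphabet assumed for mkpass is an inference from the post's 52.6 bits for 8 characters (8 * log2(95) = 52.6), not something the post states.

```python
import gzip
import math
import re

# Constructed sample text, written for this example. It stands in for the
# Gibbon volume used in the post and is far too short to reproduce its numbers.
SAMPLE_TEXT = """
The history of the decline and fall of a great empire is a subject that has
occupied historians for centuries. Every reader brings a different question
to the same pages, and every generation finds in them a different warning.
Some look for the causes of collapse in the armies, some in the markets, and
some in the slow erosion of the habits that once held the whole together.
"""

# gzip framing is 10 bytes of header plus an 8-byte trailer (CRC32, ISIZE).
# It carries no information about the input, so it is removed before the
# compressed size is read as an entropy estimate.
GZIP_FRAMING_BYTES = 18


def initials(text: str) -> str:
    """First character of every \\w+ run, as the Perl program in the post does."""
    return "".join(m.group(0)[0] for m in re.finditer(r"\w+", text))


def compressed_bits(data: bytes, level: int = 9) -> int:
    """Size in bits of the gzip -<level> output for data, framing excluded."""
    raw = gzip.compress(data, compresslevel=level, mtime=0)
    return 8 * (len(raw) - GZIP_FRAMING_BYTES)


def bits_per_word(text: str) -> float:
    """Compression-based estimate of entropy per initial.

    This is an upper bound on what an attacker with a better model would
    face: anything gzip cannot squeeze out is counted as entropy, and on a
    short text gzip squeezes out very little.
    """
    init = initials(text)
    return compressed_bits(init.encode()) / len(init)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of length symbols drawn uniformly from alphabet_size choices."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, bpw: float) -> int:
    """How many phrase words are needed to reach target_bits at bpw per word."""
    return math.ceil(target_bits / bpw)


if __name__ == "__main__":
    bpw = bits_per_word(SAMPLE_TEXT)
    mkpass = random_string_bits(8, 95)  # assumption: mkpass draws 8 printable ASCII chars
    print(f"initials: {initials(SAMPLE_TEXT)}")
    print(f"estimated bits per word (short sample, overestimates): {bpw:.2f}")
    print(f"random lowercase letter: {random_string_bits(1, 26):.2f} bits")
    print(f"8-char mkpass: {mkpass:.1f} bits; phrase words needed: {words_needed(mkpass, bpw)}")
    print(f"with the post's 4.94 bits/word: {words_needed(mkpass, 4.94)} words")
```

Run against the embedded sample the estimate comes out well above the post's 4.94 bits per word, and above the 4.7 bits of a uniformly random lowercase letter, which is the main caveat of the method: gzip's deflate needs a lot of input before its Huffman tables and back-references start paying off, so a small corpus makes initials look closer to random than they are. The post's figure is credible only because it was measured over a quarter of a million words; to reproduce it, point `bits_per_word` at a large plain-text corpus rather than the sample above.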