[ef4]

This actually misses the worst problem. Brain wallets are essentially unsalted. You can build a gigantic rainbow table once and then watch those addresses forever after.

And you aren't attacking a single address at a time. You're attacking them all in parallel. Even if the expected time to crack one password is very long, the expected time to crack some password can be much, much smaller.

[mistercow]

>This actually misses the worst problem. Brain wallets are essentially unsalted. You can build a gigantic rainbow table once and then watch those addresses forever after.

The phrases generated by passphra.se have 44 bits of entropy. That means your rainbow table has to be on the order of hundreds of petabytes. I have doubts that the attack you're proposing could be implemented in practice. If it were a problem, you could just tack on a few more words and take the table into the yottabyte range.

[ef4]

Yes, but I'm highly confident that a significant fraction of users are not using passphra.se or similar.

They're making something up, and humans are extremely bad at generating high entropy that way.

[mistercow]

Yes, people should never come up with pass phrases out of their brains. A good entropy source is an absolute must. As I mentioned in another comment, even flipping through something like passphra.se until you find something especially memorable is shooting yourself in the foot because you're discarding an unknown amount of entropy.