[sparkinson]

The thing is for your personal bank account a 15 character password is acceptable.

But for x many customer credit card details you're really looking for a much longer password that that. I'm talking 64 characters or more of pure random data.

You shouldn't be compromising for the convenience of being able to remember a password when it secures such critical data in my opinion.

Edit: I do agree though that your method is a very good way of remembering password.

[singlow]

At 15 characters and my character set ( [a-zA-Z0-9] and about 30 symbols) I have about 92 bits of entropy. Mean time to find a collision hash of my password is more than several years using 100% of computing power on the planet, much less do AES brute force. If memory is no issue - 256 bit passwords (usually displayed as 64 hex digits) are wonderful and there is no reason to stop short of that for pass keys that are stored electronically.

If I was responsible for this key I might increase from my normal 15 to 20 characters, giving me more than 120 bits of entropy, and I would expect to be safe from offline brute force for decades, and I could remember it.