[venomsnake]

Fist myth is that passwords provide security. The human brain is crappy rng so it cannot create proper high entropy passwords. No way getting around that - whatever your password is if it is "derived" from something - someone else is using it too.

The only viable security I can think of is if we have distributed public key infrastructure. Bitcoin style wallets. And securing the "PK wallets" is up to the end user. Persona is close I think - so if the app fad/insanity finally dies we will be on a good track.

[mistercow]

>The human brain is crappy rng so it cannot create proper high entropy passwords. No way getting around that...

Yes there is: you use a real RNG to generate your password. A good option is http://passphra.se. Just remember that you can't go clicking "Generate Another!" until you find something particularly memorable, or you'll be sacrificing an unknown amount of entropy by narrowing the space to memorable passwords. Better to keep the phrase somewhere safe (encrypted) until you have managed to drill it into your head. I like to fit the phrase into a sentence, which adds both memorability and entropy.

For example, it just gave me: "song surprise calm task", which I might turn into "Sing a song of surprise, and resume your calm task.", which Dropbox's zxcvbn tool estimates at 141 bits of entropy. If a password form has a character limit, you can initialize the sentence, yielding "Sasos&ryct", which zxcvbn rates at a not-too-shabby 52 bits.

[venomsnake]

If we assume that English has 65535 words a four word password gives you 64 bits of entropy. Of course the real number of words that you can use for mass generation is 2k (or even less) if we search words that everyone that is standard deviation or two below the mean on the vocabulary graph can use and spell correctly. Spelling is going after the ability to memorize telephone numbers too with everyone using the crutches of autocorrect and other spell checking tools. The moment everyone uses that scheme the people interesting in reversing passwords will move in that direction too.

This is fake security trough obscurity. You can get pretty secure passwords nowadays by just concatenating your username and site domain and md5-ing them and taking the first half. It generates awesome passwords ... until you are the only one using this way of deriving passwords.

The human brain is not suited for remembering long complex passwords. Even less suited for unique for every service.

[mistercow]

Four words chosen from 2048 possibilities gives you 44 bits of entropy (this is what passphra.se does). If you're being specifically targeted in an offline attack, that won't hold up. But in that very rare scenario, you are already in trouble. A 44-bit password will protect you from attackers trying to harvest from a big pool of stolen hashes, or from attackers bruteforcing the login form on a website. That is not the same thing as "fake security through obscurity".

As for the problem of strong, memorable passwords that can stand up to offline attacks, there is still a gap (a 253 bit password made of 11 bit words would be 23 words long), but I don't think the problem is unsolvable. A project I am interested in working on when I have time is one that produces very long, but memorable high-entropy passwords with rigorously quantified entropy by generating evocative, grammatically structured sentences, using a carefully selected word list and a set of mad-libs style templates.

So to get a ~256 bit pass phrase, you might be left to type out a 50 word poem. It would take effort to memorize, but it would be reasonably doable, whereas memorizing a random 39 character password is extremely difficult for most people.

Moreover, since you'd be working with a limited set of words and grammatical constructs, the password entry form could have robust auto-correction so that typos and spelling errors wouldn't be a significant problem.