by derefr 4668 days ago
What password length would you need to get away with a plain-old grammatical english sentence (i.e. very much non-random selection)?

For example: "and in the swept plains of winter's vale, our hero did beseech the emperor to send for his forces" -- what would be the difficulty in cracking that, given that this isn't a quote from a book or anything, but just a sentence that popped into my mind and seems easy enough to remember?

3 comments

Almost 20 years ago I saw a great password-picking article that still holds today. http://world.std.com/~reinhold/diceware.html

Take a list of 6^5 words. Roll 5 dice. Take that word from the list. Do this 4 more times. You now have a five-word passphrase like "moire fraud 80 row bernet".

Even if someone knew the exact method and list you did to get that passphrase, there are 28430288029929701376 combinations, giving you over 64 bits of entropy.

Someone has probably tried to rainbow table all those results for MD5. If a core can do 1 billion hashes per second, it would take 900 core-years to build a complete list of all those combinations, which is probably feasible for a small group to put together, but messing with the list just a little bit or adding a 6th word would likely put you past that even for a crappy MD5 hashing.

Shannon did an experiment that found the entropy of English text is about 1.6 bits per character. This is probably a high estimate, since the kinds of sentences you might think up for a password probably have lower entropy than if you used a source of random bits to generate valid sentences.
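The arithmetic behind the comment above, as an added worked example (not code from the thread or from the Diceware page): it reproduces the 7776^5 combination count, the 64-bit entropy figure and the 900 core-year exhaustion estimate at 1 billion hashes per second, then applies Shannon's 1.6 bits-per-character figure to the sentence from the original question. The function names, the per-year constant and the lower-bound factor for human-chosen text are my own assumptions, chosen to make the comment's caveat about "high estimate" concrete.

```python
import math

# Figures taken from the comment above; everything else here is assumed.
DICEWARE_LIST_SIZE = 6 ** 5            # 7776 words, one per 5-dice roll
DICEWARE_WORDS = 5                      # five rolls per passphrase
HASH_RATE_PER_CORE = 1_000_000_000      # 1 billion hashes/second/core (comment's figure)
SHANNON_BITS_PER_CHAR = 1.6             # Shannon's estimate for English text
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumed Julian year


def diceware_combinations(words=DICEWARE_WORDS, list_size=DICEWARE_LIST_SIZE):
    """Number of distinct passphrases when the attacker knows the list and method."""
    return list_size ** words


def entropy_bits(combinations):
    """Entropy of a uniform choice among `combinations` possibilities."""
    return math.log2(combinations)


def core_years_to_exhaust(combinations, rate=HASH_RATE_PER_CORE):
    """Time for one core to hash every combination once (unsalted, single hash)."""
    return combinations / rate / SECONDS_PER_YEAR


def sentence_entropy_bits(sentence, bits_per_char=SHANNON_BITS_PER_CHAR,
                          discount=1.0):
    """Shannon-style estimate for a free-text sentence.

    `discount` < 1 models the comment's caveat: a sentence a person
    dreams up as a password is less random than sampled English text.
    The value is an assumption, not a measured figure.
    """
    return len(sentence) * bits_per_char * discount


def equivalent_diceware_words(bits, list_size=DICEWARE_LIST_SIZE):
    """How many Diceware words carry the same entropy as `bits`."""
    return bits / math.log2(list_size)


def report(sentence):
    five = diceware_combinations()
    six = diceware_combinations(words=6)
    lines = [
        f"5-word Diceware: {five} combinations, "
        f"{entropy_bits(five):.1f} bits, "
        f"{core_years_to_exhaust(five):.0f} core-years at 1e9 H/s",
        f"6-word Diceware: {entropy_bits(six):.1f} bits, "
        f"{core_years_to_exhaust(six):.0f} core-years at 1e9 H/s",
    ]
    for discount in (1.0, 0.5, 0.25):   # assumed pessimism factors
        bits = sentence_entropy_bits(sentence, discount=discount)
        lines.append(
            f"sentence ({len(sentence)} chars, discount {discount}): "
            f"{bits:.0f} bits ~ {equivalent_diceware_words(bits):.1f} Diceware words"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    ORIGINAL_QUESTION = ("and in the swept plains of winter's vale, our hero did "
                         "beseech the emperor to send for his forces")
    print(report(ORIGINAL_QUESTION))
```

Even after discounting the Shannon figure by a factor of four, the 97-character sentence still lands above the 5-word Diceware phrase, which is the point the comment is making: the weak spot of a memorable sentence is not its raw length but the chance that it, or something close to it, already sits in a phrase list. The 900 core-year figure also assumes a single unsalted hash; any per-user salt multiplies the attacker's work by the number of accounts, which is why the table-building attack only makes sense against unsalted MD5.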
My God, are you going to type all of that, or will you need a script to do it for you? Watch out for those touch-screen thingies people are touting around.
http://keepass.info/

Some things you don't always need to use from those touch-screen thingies

That's a funny choice for the name. Is it kee-pass or keep-* ?
With Swype and similar programs, passphrases are pretty easy to enter.
I know there are tools & password vaults, but what percentage uses them? Secondly, those password managers are introducing another possible vulnerability where you don't have control.
Swype is a text-entry interface.