[unfamiliar]

> but that concern is moot if you use unique words

You could say the same thing about passwords using random characters. The problem isn't getting people to remember them, it's getting people to use random passwords/unique words in the first place. Telling people to "use a long sentence" will just result in them picking common sentences most of the time like "To be or not to be" or "Live long and prosper".

[hawkharris]

Well, let's say you have a 5-digit password made up of letters and numbers. That's 60466176 combinations.

Now let's say you have a 4-word passphrase. There are about 120,000 words in English. There may be more if you include derivatives of words. That includes 2.0736e+20 combinations, not considering the entropy introduced by spaces between words or punctuation marks.

That's just to demonstrate the power of passphrases...but it's not quite a fair comparison; no one has such an expansive vocabulary. So, finally, let's assume that a dictionary attack includes 20,000 of the most commonly used words, and all of the user's words are common, by this standard.

The result is still 1.6e+17 -- again, not including spaces or punctuation: significantly more than an alphanumeric password.

[peterwwillis]

It really doesn't matter how much entropy exists because password crackers do not use linear keyspace searches, they use advanced heuristics to guess the most likely possibilities first. The major flaw in passwords is that humans choose them and humans are fairly predictable.

If a site generates a password for the human it would result in a more even distribution of randomly-generated passphrases and reduce passphrase re-use across different sites. The human could then write it down or memorize it (or record it in their password manager, which defeats the purpose of using passwords entirely).

Passwords are mostly dead at this point, and more two-factor service providers need to pop up to prevent over-reliance on passwords. http://twofactorauth.org/

[ufmace]

I think even the 20k most common estimate is way high. Think up some words yourself, and look them up in a frequency list. Most of the stuff I came up with of the top of my head was around 4-6k down the list. Look down to 20k and you get stuff like decorum, decked, daylights, daybreak, etc. When was the last time you heard anybody use those in a conversation?

I bet that with a little work, you could come up with a list a few thousand long that would get most of the passwords people come up with like that.

For my memorable passwords, I switched to using [0] pass phrase generator, which comes up with much rarer words than I do off the top of my head.

[0] http://www.fourmilab.ch/javascrypt/pass_phrase.html

[1] http://www.wordandphrase.info/frequencylist.asp

[2] http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists

[Terr_]

> There are about 120,000 words in English [...] That includes 2.0736e+20 combinations

You forgot using common sense: The number of words most people will actually choose to use is far fewer.

[hawkharris]

It sounds like you stopped reading my comment after the first paragraph. I later accounted for the reality that people have limited vocabularies.

[sejje]

It's pretty unfair to compare against a 5-digit password.

[OscarCunningham]

Not really. The question was whether words are more or less secure for a given level of ease of memorisation. I'd say 5 random characters are about as easy to memorise as 4 random words.