Google currently gets it right, but a lot of IT departments I've encountered are absolutely adamant about things like "must contain 1 number, 1 symbol, 1 uppercase, 1 lowercase" etc, essentially enforcing a completely non-memorable string of 8 random characters.
1) Take a state of the art text compressor like cmix (http://mattmahoney.net/dc/text.html#1243)
2) Compress a very large corpus of text with it.
3) Edit the compressed file, and add 16 random bytes to it.
4) Uncompress the text, and recover the part derived from the random bytes (for most compressors, the compression is sequential and it'll be at the end).
5) You now have a passphrase that sounds very natural and has 128 bits of entropy. It might be a short one with a rare word, or a longer one with more common words.
(P.S. I've tried to do it with cmix and got good results, though it didn't always work, so I suspect there is some redundant information in the compression to detect potential corruption).
Most of the prisoners was almost to be resonated from the heads; I was, Tom, they no no alley to the old man's face. For some yellow the insert wing, and
muscle and the reg'lar great world to his haunched.
Tom becamethen because it's a distance, I'll get any.
It needs to have a stronger prior on grammatical rules, but overall making sensible sentences with a given amount of entropy is a good way to go about this.
So, sort-of, I guess.
I'd be interested in hearing how to accurately estimate passphrase strength assuming the attacker has perfect knowledge (ie, that you used Wordentropy to generate your passphrase, approximate length, etc).
In reality, though, no attacker will have this. Your password hash will be brute forced along with thousands or millions of others, so I think it's accurate to look at the password as a semi-random bitstream. In that case length trumps all other characteristics when it comes to security.
This is one of the reasons I don't recommend patterns as with the one mentioned elsewhere in this thread. While something like "[category] [words] [name of service]" might aid memorization, the pattern will leak if a weakly-protected secret is compromised, allowing an attacker to approach more important secrets.
Also, it depends on how popular the scheme becomes, you never know! :-D
email correct horse battery staple gmail
social correct horse battery staple facebook
dumb correct horse battery staple imgur
bank correct horse battery staple stupid-bank-inc 0!A
It's no more secure than using the password everywhere.
I mean, I understand the idea but I would much rather a short script that I can run locally.
Edit: See answer below. Apparently this is possible. Sorry!
> and/or thir reverified Erastatus
> divers Clymenus unreconcilably iarovized