
Yes, I was wrong about the entropy when writing that. But I still don't think that passphrases are as much of a godsend as the comic makes it seem. Can we really assume 2048 common words? The 100 most commonly used, make up 50% of written words.

A common sentence like "I drove to the mall yesterday" is not a good passphrase, but I'm certain that people who use "rocket" as a password would do something similar.




The intention is that the random words are selected from a list of 2000 unique, common words.

Choosing a sentence is a different strategy, which is less secure.

    $ wget -O ⅓Mwords http://norvig.com/ngrams/count_1w.txt
    $ for i in `seq 10`; do awk '/^[a-z]{3,}/ { print $1 }' ⅓Mwords | head -n 2000 | shuf -n 5 | tr '\n' ' ' && echo; done
    videos possible disease maintenance chair 
    teen documents than without son 
    research interface library largest drive 
    location ball beauty coming files 
    files middle fri meet air 
    guarantee samsung click super inn 
    legal previous rent resort use 
    reply thought better fresh phentermine 
    bad command once vehicle australian 
    fun random professor course sponsored
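
Added example, not part of the thread: the arithmetic behind the figures discussed here (44 bits is four words from a 2048-word list; five words from a 2000-word list is about 54.8 bits), plus a generator that draws words with Python's `secrets` module and reports the entropy of the list it actually used. The function names and the short sample list are constructed for illustration.

```python
import math
import secrets


def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from list_size unique words."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate(wordlist, n_words):
    """Pick words with the OS CSPRNG; return (phrase, entropy in bits).

    The list is normalised and de-duplicated first, because duplicate
    entries make the real entropy lower than the raw line count suggests.
    """
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list needs at least two unique entries")
    phrase = " ".join(secrets.choice(unique) for _ in range(n_words))
    return phrase, entropy_bits(len(unique), n_words)


# Constructed sample list (10 entries, 9 unique after normalisation).
# A real list would hold about 2000 words, as in the comment above.
SAMPLE = ["videos", "possible", "disease", "maintenance", "chair",
          "teen", "documents", "Chair", "research", " library "]

if __name__ == "__main__":
    print("4 words from 2048: %.1f bits" % entropy_bits(2048, 4))
    print("5 words from 2000: %.1f bits" % entropy_bits(2000, 5))
    print("20 chars from 94 printable ASCII: %.1f bits" % entropy_bits(94, 20))
    print("words from 2000 needed for 64 bits:", words_needed(2000, 64))
    phrase, bits = generate(SAMPLE, 5)
    print("sample phrase: %r (%.1f bits from this tiny list)" % (phrase, bits))
```

The entropy figures only hold when every word is chosen by the generator; a sentence composed by a person does not follow this calculation.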


A random 5 words is hardly simple or easy to remember. The entire selling point of passphrases is exactly that.

It's a hard problem that is IMO best solved with hardware secure keeping of secrets and a rate limited pincode.


You're not supposed to remember all your passwords. You will need to remember at least one master password and maybe a couple more.

But you can't suggest that remembering 5 random words is harder than 20 random characters?

The goal is "simple" if possible, but "simpler" is still a lot better than "practically impossible".


I'm not suggesting that 20 random characters is easier to remember, but for average Joe, it might as well be the same. They have to remember not only the words, but also the sequence and how to spell them. Unfortunately, we cannot expect this from users in general - the worst offenders write down a password like "rocket", so there is no hope that they'll try to remember a sequence of random words.

We shouldn't have to remember passwords at all IMO. It's creating entropy by remembering things, but the human brain is inherently bad at remembering exact things. Something like a YubiKey is a better idea: plug it in, enter your pincode, and use a key pair to authenticate. All the user has to do is keep track of the physical thing and the pincode.


> A random 5 words is hardly simple or easy to remember

You use the well-known mnemonic trick demonstrated in the last panel of the comic.


Even those 44 bits are too little nowadays. Passphrases are not a godsend, but something good to use when the correct technology - a password manager - is not available.

A notable use case is choosing a master password for your password manager. And you'll want a longer phrase.


The idea is you use a mnemonic generator to pick the words. The fact that "100 most commonly used, make up 50% of written words" (a dubious statistic, source?) is irrelevant.

Here's a mnemonic generator I wrote in Rust https://github.com/leshow/rust_mnemonic for example


> The fact that "100 most commonly used, make up 50% of written words" (a dubious statistic, source?) is irrelevant.

See https://en.wikipedia.org/wiki/Most_common_words_in_English for a claim. It is what teachers use as a guideline. It's the first 100 words they teach children to write.

> the idea is you use a mnemonic generator to pick the words.

I know you are supposed to use a generator to pick the words, that is how BIP39 for bitcoin works. But average Joe is not going to do that. He will select "I went to highschool in 1992". Authentication is a hard problem, and unless you force a reasonable scheme, it will be weak.



