I should point out that multi-word passwords have at least one disadvantage: if you can figure out which letters were used and/or the password's length, and you know the password is multi-word, then it becomes easier to derive what the password was.

So, for example, if you used a multi-word password on your ATM machine, and someone aimed an infrared camera at the machine after you left and retrieved the set of buttons that you pressed, the game would be over if your password were short--or at least much closer to being over if it were long.

Alternatively, an attacker could eavesdrop on your keyboard sounds and capture the timing of the clicks, thereby inferring candidate sets of letters. Or they could examine how much oil is on each key of your keyboard, or how much each key is worn, and adjust for the stats on the English language, etc.

Or, as in the ATM case, an agent could interrupt you right after you've entered your password on a false pretext ("Excuse me, I need help.") and surreptitiously take an in infrared photo of your keyboard. This is plausible in many semi-public scenarios (bank teller, etc.)

I think the saving grace here is that a sufficiently long password uses most letters in the English alphabet--but it is still prone to attack if you can at least get the relative ordering of some of the letters, or you know the password's length (by listening to the number of keyboard clicks, for example).

Yes - I didn't mean to imply passphrases are not good, I just meant that sufficient entropy is required no matter what you do.

By the way, it's a bit easier to discuss bits of entropy rather than number of possibilities. Assuming each possibility is equal (which is NOT true if you pick the password yourself, rather than randomly) then the entropy would be the logarithm of the no. of possibilities. Generally people use base 2, so:

Random 12 digits alphanumeric: 71 bits of entropy Four common words: 30 bits of entropy Five words: 60 bits of entropy

The multi-GPU cracker on the frontpage today would take 500,000 years to crack the 5 word password if it was stored via bcrypt (according to the article, which sadly did not specify the work factor). The four common words one, however, would fall in just four hours!

P.S. It isn't actually hard to remember a complex password. Almost anybody can do it! The passphrase method is actually not dissimilar to the technique I use. Say the password started "OK53B3" (I just generated this in LastPass). OK, let's figure out a way to remember it. OK, I thought of a way to remember the first two letters ;) 53.. 54 cards in a deck with the jokers, so we've lost a joker. "OK, guys, we've lost a joker" "B3" sounds like someone with a few missing teeth saying "be free!" so I'm imagining a toddler throwing the joker out of the window going "be thfree!"

Very rapidly this will shortern as your memory of it strengthens with repetition (if you're entering this password every day - I recommend using a password manager so you have just one secure password you enter every day). After a few days it will be "OK missing joker be three" etc then just the password itself. After a bit longer it just becomes muscle memory - I couldn't actually recite it easily anymore, but I type it in seconds.

The important thing though from an entropy perspective is that whether you are making a story for your passphrase or for your password, the story comes second. Generate the password / passphrase and then create a story, this assures that each possibility is equal as I mentioned earlier (if they are unequal, there is less entropy).

Of course, I recognise that even with a good memorisation technique, passphrases still beat out f%8D( from a learning curve, ease of use, and accessibility standpoint. The reason I've stuck with the ugly and relatively short passwords is purely so I can type them in as fast as possible!