Posted by: Dan O'Connor
How do you like them apples, well these apples.
This is the first analysis of passphrase security I have come across. The short version is that there is insufficient entropy in English to provide a system to resist offline attacks >30 bits. My thought on what I recommend is something with a bit of gibberish in the middle or at multiple points, but that starts to slide back to the realm of having users remember impossible passwords again.