Diceware

Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

This is sort of a re-tweet, but having studied a bit of the science behind cryptography over the years (I once ‘invented’ an encryption algorithm and even presented it to a cryptography expert (being ignorant can have amazing payoffs if you are lucky); only later did I realize how cheeky I was, and later still, after doing some entropy analysis, did I realize that my algorithm sucked massively) I have a very good feeling about this. Diceware is a very simple, yet elegant and effective way to produce passphrases that have a useful amount of entropy (the article does a decent job of explaining this) yet are feasible to remember. While unnecessary, throwing in capitalization and/or punctuation adds a few more bits of entropy against those performing an attack.
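To make the entropy arithmetic concrete, here is an added example (mine, not code from this post or from the Intercept article) of the Diceware mechanics: dice rolls are read as a base-6 key into a word list, and the entropy of a phrase is simply the number of words times log2 of the list size, assuming the attacker knows the list. A real Diceware list has 6^5 = 7776 entries; because that cannot be embedded here, the runnable part uses a constructed 36-word list indexed by two dice, with the dice count as a parameter so the same code handles the standard five-dice list. The `secure_die` function is a software stand-in for physical dice and is an assumption of this example; classic Diceware uses real dice so that no software RNG has to be trusted.

```python
import itertools
import math
import secrets
from typing import Callable, Dict, List

# A standard Diceware list is indexed by 5 dice: 6**5 = 7776 words.
STANDARD_DICE_PER_WORD = 5
STANDARD_LIST_SIZE = 6 ** STANDARD_DICE_PER_WORD


def entropy_bits(n_words: int, list_size: int = STANDARD_LIST_SIZE) -> float:
    """Entropy of n_words words drawn uniformly and independently from list_size.
    Assumes the attacker knows the list and the word count, which is the
    conservative assumption Diceware is designed around."""
    return n_words * math.log2(list_size)


def words_for_bits(target_bits: float, list_size: int = STANDARD_LIST_SIZE) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def dice_key_to_index(key: str, dice_per_word: int = STANDARD_DICE_PER_WORD) -> int:
    """Map a dice key such as '11111' (digits 1-6) to a 0-based list index:
    '11111' -> 0 and '66666' -> 7775 for the standard 5-dice list."""
    if len(key) != dice_per_word or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def check_wordlist(wordlist: Dict[str, str], dice_per_word: int) -> None:
    """Every possible key must map to a distinct word; a missing key would make
    a roll fail, and duplicate words would silently reduce the entropy."""
    expected = {"".join(p) for p in itertools.product("123456", repeat=dice_per_word)}
    missing = expected - set(wordlist)
    if missing:
        raise ValueError(f"wordlist is missing {len(missing)} keys, e.g. {sorted(missing)[:3]}")
    if len(set(wordlist.values())) != len(expected):
        raise ValueError("wordlist contains duplicate words")


def secure_die() -> int:
    """Software stand-in for a physical die (assumption: the OS CSPRNG is trusted).
    Classic Diceware uses real dice precisely so that no software has to be trusted."""
    return secrets.randbelow(6) + 1


def generate_passphrase(
    wordlist: Dict[str, str],
    n_words: int,
    dice_per_word: int = STANDARD_DICE_PER_WORD,
    roll: Callable[[], int] = secure_die,
) -> str:
    """Roll dice_per_word dice per word, look each key up, join with spaces."""
    check_wordlist(wordlist, dice_per_word)
    words: List[str] = []
    for _ in range(n_words):
        key = "".join(str(roll()) for _ in range(dice_per_word))
        dice_key_to_index(key, dice_per_word)  # rejects any roll outside 1..6
        words.append(wordlist[key])
    return " ".join(words)


# Constructed toy list: 36 words indexed by two dice ("11" .. "66").
TOY_DICE_PER_WORD = 2
TOY_WORDS = [
    "acid", "bark", "cane", "dusk", "echo", "fern", "gale", "halo", "iron",
    "jade", "kelp", "lamp", "mist", "nest", "oath", "pine", "quip", "reed",
    "sage", "tide", "urge", "vale", "wren", "yarn", "zinc", "apex", "bolt",
    "cove", "drum", "elm", "fawn", "glow", "husk", "inch", "joke", "kite",
]
TOY_WORDLIST = dict(
    zip(("".join(p) for p in itertools.product("123456", repeat=TOY_DICE_PER_WORD)), TOY_WORDS)
)

if __name__ == "__main__":
    print("toy phrase:", generate_passphrase(TOY_WORDLIST, 4, dice_per_word=TOY_DICE_PER_WORD))
    print(f"toy 4-word phrase: {entropy_bits(4, len(TOY_WORDS)):.1f} bits")
    print(f"standard 6-word phrase: {entropy_bits(6):.1f} bits; "
          f"{words_for_bits(80)} words reach 80 bits")
```

The numbers show why the word count matters more than the words themselves: six words from the standard list give about 77.5 bits, seven give just over 90, while four words from the toy list give only about 20.7 bits, which is exactly what a small list costs you.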

A note to reinforce the comments regarding using this technique for websites/cloud authentication: it is not feasible to test a trillion passphrases a second across the Internet against a busy server so it isn’t necessary to have the same level of entropy. Also, there are plenty of attacks that make having the best passphrase irrelevant anyway. This Diceware approach is for securing things you have physical control over (though, a note to you paranoid types: physical control is not total control if the device can ever be accessed via a device that has ever been connected in any way to any network that has ever been connected to the Internet at any time).

Author: Tfoui

He who spews forth data that could be construed as information...