Comment Re:subjects are stupid (Score 1) 136

Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.

You can wait a long time, because there are too few computer scientists on the intersection of poetry, linguistic analysis and computer security to make that happen. You would need a good estimate of likely sentences used for input and that requires skills far outside the computing sphere.

A statistical analysis will likely reduce the set of probable letter combinations somewhat, but probably not by more than one or two orders of magnitude. An analysis of word-beginning distribution of letters will gain you more. Taking all that into account, my best gut feeling is that you'll end up somewhere in the area of 10^10 in complexity for an 8-character output. Better than passwords (which I've repeatedly estimated at around 10^7) but still not so great and probably much less than you'd expect.

Also, taking into account psychology and the fact that a fairly small set of phrases is much more popular than all the others combined, and that many users will choose a popular phrase instead of a personal one, you would also end up with the "password"-as-my-password problem in that a lot of accounts would have phrases from a list of maybe 1000 popular ones.

Comment math (Score 5, Insightful) 136

Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:

We think the complexity of a password made in accordance with a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.

What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.

That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptanalytic terms, without taking user preferences into account.

What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.
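The two estimates in this comment can be reproduced with an explicit model. The following is an added example, not code from the comment or from the author's slides: it computes the search space a policy nominally permits (every position drawn from the 94 printable ASCII characters) against the space reached by the "word, maybe abbreviated, plus one digit and one easy special character" habit. The vocabulary size, the number of variants per word, the set of "easy" special characters and the two orderings are constructed assumptions; changing them moves the behaviour estimate by less than an order of magnitude, which is the point.

```python
"""Policy-nominal vs. behaviour-based password search space (added example).

All behaviour-model parameters below are constructed assumptions, not
figures from the comment or its author's talk.
"""
import math
import string

# Nominal model: every position drawn uniformly from printable ASCII (94 chars).
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)

# Behaviour model (constructed assumptions).
VOCAB_SIZE = 20_000          # common words a user might pick from
VARIANTS_PER_WORD = 4        # word, Word, abbreviated, Abbreviated
EASY_SPECIALS = "!.?-_"      # special characters typed without chording
ORDERINGS = 2                # word+digit+special or word+special+digit


def policy_space(length: int = 8, alphabet: int = PRINTABLE) -> int:
    """Upper bound if every character were independent and uniform.

    The policy's "mixed case, at least two digits/specials" rules remove only a
    small fraction of alphabet**length, so the bound is a fair estimate.
    """
    return alphabet ** length


def behaviour_space(vocab: int = VOCAB_SIZE, variants: int = VARIANTS_PER_WORD,
                    specials: str = EASY_SPECIALS, orderings: int = ORDERINGS) -> int:
    """Combinations reachable by the word + one digit + one special habit."""
    return vocab * variants * 10 * len(specials) * orderings


def orders_of_magnitude(n: int) -> int:
    """log10(n) rounded to the nearest integer, i.e. the exponent in '10^k'."""
    return round(math.log10(n))


def magnitude_gap() -> int:
    """By how many orders of magnitude the nominal model overstates the space."""
    return orders_of_magnitude(policy_space()) - orders_of_magnitude(behaviour_space())


def meets_policy(pw: str) -> bool:
    """The policy quoted in the comment: >= 8 chars, mixed case, >= 2 digits/specials."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and sum(not c.isalpha() for c in pw) >= 2)


def behaviour_password(word: str, variant: int, digit: int, special: str, ordering: int) -> str:
    """Build one password the way the behaviour model assumes users do.

    variant: 0 = word, 1 = Word, 2 = abbreviated, 3 = Abbreviated.
    Abbreviation here is a constructed rule: keep the first five letters.
    """
    if variant in (2, 3):
        word = word[:5]
    if variant in (1, 3):
        word = word.capitalize()
    suffix = f"{digit}{special}" if ordering == 0 else f"{special}{digit}"
    return word + suffix


if __name__ == "__main__":
    print(f"policy model:    ~10^{orders_of_magnitude(policy_space())}")
    print(f"behaviour model: ~10^{orders_of_magnitude(behaviour_space())}")
    print(f"gap:             {magnitude_gap()} orders of magnitude")
    sample = behaviour_password("summer", 1, 1, "!", 0)  # constructed sample
    print(f"{sample!r} passes the policy: {meets_policy(sample)}")
```

The capitalised variants are the ones that satisfy the mixed-case rule, which is exactly why a policy checker accepts them: the policy measures character classes, not the size of the set a user actually draws from.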

Comment Re: For work I use really bad passwords (Score 5, Interesting) 136

Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).

And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.
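For the "properly salt and hash" point made above, this is an added example, not code from the comment: a per-record random salt and an iterated key derivation (PBKDF2-HMAC-SHA256 from the Python standard library) with a constant-time comparison on verification. The iteration count and the record format are assumptions of this example, not values from the page.

```python
"""Salted, iterated password storage with the standard library (added example).

The record layout 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' and the
iteration count are assumptions of this example, not values from the comment.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: order of magnitude of current PBKDF2-SHA256 guidance
SALT_BYTES = 16        # 128-bit random salt, unique per stored record


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a stored record; a fresh random salt is drawn unless one is supplied."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the record; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: refuse rather than guess
    if algorithm != ALGORITHM or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password must not share a stored record; the salt ensures this."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verify ok:   ", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("salts differ:", same_password_distinct_records("correct horse battery staple"))
```

Storing the iteration count inside the record lets the cost be raised later for new records while old ones still verify, which is what makes "2015, not 1995" a parameter change rather than a format migration.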

Comment Re:Still cheating (Score 2) 114

Which AFAIK they also can't do.

He found a valid loophole in the law, the combination of different unrelated government actions. Firstly they created a transparency law (good!) which applies to certain government institutions. Also, they centralized the exams - when I wrote my Abitur many years ago, questions were made locally, by the school where you took it, mostly by the teacher who had given the course, so it was based on the material that had actually been taught. There are advantages and disadvantages to that. For whatever reasons, some time between my Abitur and now they centralized everything, which brought the exam questions into one of the government institutions covered by the transparency law. Whoops.

Comment Re:Sensors wrong (Score 1) 460

On the contrary, I'm working with OpenCV right now in a project, I've read up on a couple very recent papers regarding foreground/background segmentation, and the results are quite astonishing if you compare them to a decade ago. And in some edge cases (especially low visibility, low contrast, slow movement), the computer can beat the human eye.

But in the vast majority of cases, especially when the machine was not prepared for this precise task, there's still way too much crazy shit happening to entrust human lives to it, and machines still make many mistakes that humans look at for a split second and say wtf?

Comment Re:Technology can indeed fail (Score 1) 460

I always thought it made sense from the perspective of "What if the one pilot in the cockpit suddenly keels over"

Yes, but not having the door locked makes even more sense from that perspective. Plus there's been at least one case (that I know of) where a passenger (who was also a commercial pilot) landed a plane after something happened to the pilot/s.

Comment Re:Disturbing. (Score 1) 106

If I put up a poster in my front yard (in the United States) defaming a Japanese doctor, a Japanese court has zero ability to make me take it down.

Because you can't see that poster from Japan. Both the writing and the reading happens in the USA, due to physical restrictions.

The Internet is not bound by these restrictions.

Here's the realistic options that Google has:

1.) file an appeal
2.) comply with the court decision
3.) stop doing business in Japan, effective immediately

For some rea$$$on, I'm pretty sure that contrary to the usual USA-supremacists' big talk here, #3 will not even be seriously considered within the Google HQ.

Comment Re:Disturbing. (Score 1) 106

No, if a poster is found to be libel in Japan, it is not taken down elsewhere.

Because of a bad analogy. A poster put up in California is not visible from Japan.

I've never heard them accused of supporting Free Speech.

When you pull your head out of your ass, you can see the rest of the world more clearly. Try it.

Comment options (Score 1) 106

The decision is based on a defamation suit [...] Google is currently considering its options including an appeal.

Including? What are the other options? Simply ignoring a court decision? Of course, they're a big American company with a big American attitude including the "our laws are the laws of the world" approach (we can sue everyone everywhere for everything that's illegal in the USA, but we don't accept other countries' laws as valid to us, even when we're doing our business there).

I'm split on the court decision. Adding more information to something is generally the better approach over removing information, but other than some fanatics I don't think free speech trumps absolutely every other right and consideration on the planet, and when someone knowingly spreads false factual information about you, the line has been crossed.

Comment details (Score 4, Informative) 114

TFA (and many articles on the subject - disclaimer: I live in Germany and read local news sources, too) forgets to mention something important which is very likely the reason that he gets job offers:

He didn't just send a "here's my cute idea" letter. He actually studied the law in question; his letter is said to be full of legalese mentioning all the important paragraphs. The letter is such that the agency responsible for handling them is now looking into whether they can find an actual, valid reason to refuse his request, because they couldn't on purely formal reasons (which they usually use when refusing a request they don't like).
