Comment Re:XKCD (Score 2) 487
You are totally missing the point.
Instead of using an "alphabet" with 26 characters (or 52 with capitals, or 70-something with capitals and punctuation) and choosing a short random string, you use an "alphabet" with 5000+ ideograms (i.e., words) and choose a short random string of these words.
For simplicity, just suppose there are 5000 commonly used English words. Then there are 5000^n passphrases of length n (i.e., containing n words). Obviously, this is much, much bigger than 70-something raised to the n. It does not matter that it is smaller than 70-something raised to the number of characters in the passphrase.
As a matter of fact, my computer's word list contains about 95,000 words. Try to guess the password I will generate with the following algorithm:
Pick 7 random numbers between 1 and 95000. Look at the word indexed by the random number. Memorize.
My PRNG yielded:
74019,69542,70792,42388,32916,63978,55632
which maps to:
purchasing persecute platitudes escalations consummation mum intoned
A quick calculation shows that such a scheme has about 115 bits of entropy, compared to less than 44 for a "character" password with the same number of random tokens drawn from the alphabet.
So what's the big deal about using words instead of just longer random strings in the smaller 70-something character alphabet? You would need a 19-character random string drawn from an alphabet of 80 to get as much entropy as 7 words drawn from a dictionary of 95000 words. Clearly, the latter is far easier to memorize than something like "DtnqaELdIA=vozSkC" and provides the same cryptographic strength.
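Added example, not part of the original comment: the entropy arithmetic above, plus a word picker that draws from the operating system's CSPRNG through Python's `secrets` module. The function names and the 16-word `SAMPLE_WORDS` list are constructed for illustration; a real list would hold thousands of words.

```python
import math
import secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` tokens drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols (characters or words)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 token")
    return length * math.log2(alphabet_size)


def equivalent_length(word_count: int, n_words: int, char_alphabet: int) -> int:
    """Shortest random character string whose entropy is at least that of
    an n_words passphrase drawn from a list of word_count words."""
    target = entropy_bits(word_count, n_words)
    return math.ceil(target / math.log2(char_alphabet))


def generate_passphrase(wordlist, n_words: int) -> list:
    """Pick n_words uniformly at random. Duplicates are removed first so
    every word is equally likely, which the entropy figure assumes."""
    unique = sorted(set(wordlist))
    if len(unique) < 2:
        raise ValueError("word list too small")
    return [secrets.choice(unique) for _ in range(n_words)]


# Constructed sample list: 16 words, so each word carries exactly 4 bits.
SAMPLE_WORDS = [
    "anchor", "bridge", "candle", "dragon", "ember", "falcon", "garnet",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper",
]

if __name__ == "__main__":
    print(" ".join(generate_passphrase(SAMPLE_WORDS, 7)))
    print(f"7 words from 95000:  {entropy_bits(95000, 7):.1f} bits")
    print(f"7 chars from 70:     {entropy_bits(70, 7):.1f} bits")
    print(f"chars from 80 to match: {equivalent_length(95000, 7, 80)}")
```

The entropy figure holds only when the words are chosen by the generator; a phrase a person picks or rearranges carries fewer bits.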