Comment Low entropy (Score 2, Interesting) 614
It bothers me that few people seem to be appreciating that a 4 or 5 _word_ passphrase (as given as examples in the original article) really doesn't have much entropy at all.
Robert points out it contains capitalisation. Yes, the first letter of the first word of the sentence! And also that it contains punctuation - grammatically correct punctuation, thus so predictable as to hardly register!
He then goes on to claim how amazingly secure these 20 or so character long strings are. But in fact he's now counting in the wrong units - it's the number of words that matter, not characters. To crack his examples, all it takes is a different approach. It would take a dictionary (online? there's enough of them!) of common words and some simple grammatical rules and you could begin to brute force pass-phrases. And then it comes back to the old obscurity rules - made-up words, random punctuation, etc.
I admit it could work for a while, but if the world adopts this in a year's time there will be computer scientists (and linguists) the world over wowing everyone by guessing their passwords.
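To make the "wrong units" point concrete, here is an added strength estimator (not part of the comment or the original article) that scores the same passphrase two ways: naively per character, and per word as an attacker with a wordlist would see it, treating a sentence-initial capital and a single trailing punctuation mark as predictable. The dictionary sizes and the per-mark punctuation charge are constructed assumptions for illustration.

```python
import math
import re

# Assumed wordlist sizes (constructed for this example, not taken from the comment).
COMMON_WORDS = 5_000
LARGE_WORDLIST = 100_000

# Rough symbol-set sizes for the naive per-character model.
_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9\s]", 33)]


def char_model_bits(passphrase: str) -> float:
    """Naive estimate: every character is an independent uniform pick from the
    union of the character classes present. This is the 'counting in
    characters' figure the comment objects to."""
    space = sum(size for pat, size in _CLASSES if re.search(pat, passphrase))
    return len(passphrase) * math.log2(space)


def word_model_bits(passphrase: str, dictionary_size: int) -> float:
    """Word-level estimate: each word is one pick from a dictionary.
    A capital on the first word only, and one trailing punctuation mark,
    are grammatical defaults and are charged zero bits."""
    words = re.findall(r"[A-Za-z]+", passphrase)
    bits = len(words) * math.log2(dictionary_size)
    # Any capitalised word after the first is treated as a 1-bit choice.
    bits += sum(1 for w in words[1:] if w[0].isupper())
    marks = re.findall(r"[^A-Za-z0-9\s]", passphrase)
    stripped = passphrase.rstrip()
    if marks and stripped and not stripped[-1].isalnum():
        marks = marks[:-1]  # one terminal mark is predictable: drop it
    # Heuristic: each remaining mark is a choice of symbol (~33) and of slot.
    bits += len(marks) * math.log2(33 * max(len(words), 1))
    return bits


def effective_bits(passphrase: str, dictionary_size: int = COMMON_WORDS) -> float:
    """What actually matters is the smaller search space of the two."""
    return min(char_model_bits(passphrase), word_model_bits(passphrase, dictionary_size))


if __name__ == "__main__":
    for p in ["The cat sat on the mat.", "Correct horse battery staple."]:
        print(f"{p!r}: chars={char_model_bits(p):.0f} bits, "
              f"words={word_model_bits(p, COMMON_WORDS):.0f} bits")
```

With a 5,000-word list the four-word example scores about 49 bits under the word model against roughly 186 bits counted per character, which is the gap the comment is describing.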