I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords. Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method. A questioner from the audience noted that, whenever you popularize a particular formula for making passwords, attackers can develop dictionaries tailored to that formula.
What if we turn the problem around? What if, instead of treating memorability as the constant and strength as the variable, we treat strength as the constant and memorability as the variable? Suppose we have the computer choose a completely random password, to guarantee good password entropy. The phrase-based technique shows that a phrase can be turned into a random-looking jumble of letters and numbers. With a sufficiently large word list and a basic knowledge of grammar, can a computer turn a truly random jumble of letters and numbers into a memorable phrase?
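As an added illustration of the reversed approach (example code, not from the post), here is a small Python sketch: the computer picks the password uniformly at random, so its entropy is fixed by alphabet and length, and a deterministic rule renders it as an adjective/noun phrase whose initials (with number words standing in for digits) recover the password exactly. The word lists are constructed placeholders for the large, grammar-tagged dictionary the post imagines.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits

# Constructed mini word lists (a real implementation would use thousands of
# words tagged by part of speech). Every letter has a noun; 'x' has no adjective.
ADJECTIVES = ("angry bold calm dark eager fast green happy icy jolly kind loud "
              "mighty noisy old pale quiet red shy tiny ugly vast wild young zany").split()
NOUNS = ("apple bear cat dog eagle fox goat hat igloo jar kite lamp moon nest "
         "owl pig quilt rat sun tree urn van wolf xylophone yak zebra").split()
DIGIT_WORDS = "zero one two three four five six seven eight nine".split()


def random_password(length=10):
    """Strength is the constant: each character is a uniform, CSPRNG-chosen pick."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=10):
    """Entropy of random_password(length) in bits: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def password_to_phrase(password):
    """Memorability is the variable: render the password as alternating
    adjective/noun slots. Each word starts with the password character it
    encodes; digits become number words. Same password -> same phrase."""
    words = []
    for i, ch in enumerate(password):
        if ch.isdigit():
            words.append(DIGIT_WORDS[int(ch)])
            continue
        primary, fallback = (ADJECTIVES, NOUNS) if i % 2 == 0 else (NOUNS, ADJECTIVES)
        pool = [w for w in primary if w[0] == ch] or [w for w in fallback if w[0] == ch]
        words.append(pool[0])
    return " ".join(words)


def phrase_to_password(phrase):
    """Recover the password: number word -> digit, any other word -> first letter.
    Lossless because no adjective or noun in the lists is also a number word."""
    return "".join(
        str(DIGIT_WORDS.index(w)) if w in DIGIT_WORDS else w[0]
        for w in phrase.split()
    )
```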