[Discuss] vnc

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: Dan Ritter [mailto:dsr at randomstring.org]
> 
> Even though I agree with all this, I have to point out that many
> experiments have concluded that English sentences contain about 1.1 bits
> of entropy per character, and so it is not completely unreasonable to
> create and memorize a 120 character sentence to use as a password.

I wouldn't attempt to measure entropy on a per-character basis, unless you're randomly generating characters.  For example, if given the characters "charact" I bet you'll be able to predict the next character "e."  And if you're randomly selecting words, the number of characters are variable.  And if you're *non* randomly selecting words that are related to each other (such as a sentence) then the measurement of entropy becomes even more vague, and more variable.  Any estimate such as "1.1 bits per character" is very likely to be imprecise and inaccurate.

If you randomly select words from a word list (See the General Service List http://jbauman.com/) there are 2,284 words in the list, which means about 11 bits of entropy per randomly selected word.  If you randomly string together 11 words, it's 122 bits of entropy http://www.wolframalpha.com/input/?i=log2%282284%5E11%29 .  I actually wrote something specifically for this purpose.  https://code.google.com/p/randchars/ 

122 bits of entropy is generally good enough, and with a little effort and repetition, most people can memorize 11 randomly selected words.