[Discuss] vnc

Edward Ned Harvey (blu) blu at nedharvey.com
Fri Aug 29 11:14:55 EDT 2014


I know this is beating a dead horse, and also OT for the vnc topic.

Suppose you pick a word randomly from a word list, suppose it's the GSL, and the word selection is worth approx 11 bits of entropy.  If that word happens to be "a" then you have 11 bits per character.  If the word happens to be "experience" then you have 1 bit per character.

If you're choosing a sentence as a password, I think you should probably estimate its entropy using its word count rather than its character count.  And since words are not selected randomly, you should not count 11 bits per word.  

To put a bound on that estimate - I claim 11 random words from the GSL gets you ~121 bits of entropy.  On average this would be 64 characters plus separator character, so 74 characters total.  By comparison, as Dan says estimate 1.1 bits per character in a sentence, that would be 110 characters.  The ratio here is 0.67.  This would mean that each word in a sentence is 0.67 times as random as a perfectly random word.  I don't buy it.  I swear that measurement is grossly overestimated.

So if you introduce a fudge factor - let's just suppose that each word in a sentence is at most 0.2 times as random as a purely random word (seems about right by my gut feel).  Then you'll need 5x more words in your sentence, which means 55 words.  On average that will be around 320 characters.
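The arithmetic in this post, carried through as an added example (not part of the original message). The 8-word list is constructed, the 5.8-character average word length is an assumption derived from the post's 64 characters over 11 words, and the per-word factor is the post's own "fudge factor".

```python
import math
import secrets
from fractions import Fraction

# Constructed sample list (assumption); the post's GSL has roughly 2000 entries.
WORDS = ["a", "bridge", "candle", "experience",
         "forest", "garden", "hammer", "island"]


def bits_per_word(list_size):
    """Entropy of one uniformly random pick from a list of list_size words."""
    return math.log2(list_size)


def bits_per_char(word, word_bits):
    """Spread a word's selection entropy over the characters it occupies."""
    return word_bits / len(word)


def words_needed(target_bits, word_bits, factor=1):
    """Words required when each word is `factor` times as random as a uniform pick."""
    # Fractions avoid float rounding pushing ceil() up by one word.
    effective = Fraction(word_bits) * Fraction(factor).limit_denominator(1000)
    return math.ceil(Fraction(target_bits) / effective)


def expected_length(n_words, avg_word_len):
    """Return (letters only, letters plus one separator between words)."""
    letters = n_words * avg_word_len
    return round(letters), round(letters + n_words - 1)


def random_passphrase(n_words, words=WORDS, sep=" "):
    """Independent uniform picks from the OS CSPRNG: the factor == 1 case."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for factor in (1, 0.2):
        n = words_needed(121, 11, factor)
        print(factor, n, expected_length(n, 5.8))
    print(bits_per_char("a", 11), bits_per_char("experience", 11))
    print(random_passphrase(11))
```
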


