Bitcoin Forum
Topic: Use of countries to grab more entropy for brain wallets
d'aniel
September 08, 2012, 04:43:33 AM
 #21

> See http://dl.acm.org/citation.cfm?id=2335366 for recent research on passphrase usability; results do not look good.

So to summarize, system-assigned pronounceable passwords should be used over system-assigned passphrases because the latter offer no memorizability advantage, and the former are more easily transcribable?

Is anybody here familiar with FIPS 181, and know by how much the pronounceability requirement lowers the entropy? Is it safe to assume it's negligible (as KeePassX would suggest by giving the same entropy values for pronounceable and non-pronounceable passwords of the same length)?
da2ce7
September 08, 2012, 04:51:04 AM
 #22

What you need is a password form with auto-complete. So you start typing the word, and it will give suggestions, then press <tab> to auto-complete that word.

One off NP-Hard.
da2ce7
September 08, 2012, 06:30:40 AM
 #23

> What you need is a password form with auto-complete. So you start typing the word, and it will give suggestions, then press <tab> to auto-complete that word.

Maybe have flag icons, and little pictures, that show up also.

(all this should be disabled, maybe with a 'hide my password' option also.)

d'aniel
September 08, 2012, 09:07:12 AM
 #24

> > See http://dl.acm.org/citation.cfm?id=2335366 for recent research on passphrase usability; results do not look good.
> So to summarize, system-assigned pronounceable passwords should be used over system-assigned passphrases because the latter offer no memorizability advantage, and the former are more easily transcribable?
>
> Is anybody here familiar with FIPS 181, and know by how much the pronounceability requirement lowers the entropy? Is it safe to assume it's negligible (as KeePassX would suggest by giving the same entropy values for pronounceable and non-pronounceable passwords of the same length)?

As a first attempt at pronounceable "words", you can simply alternate between randomly generated consonants and vowels. For easiest transcribability and memorizability, I figure they should be limited to 3 syllables, i.e. 7 letters and starting/ending with consonants. Allowing the first letter to be capitalized means five 7-letter words have 5*log2(2*21*5*21*5*21*5*21) ~ 128 bits of entropy. Example:

Code:
tasoved Lodimut dafogum Dukukap xujinov

I may not remember this unless I'm using it frequently, but I could transcribe it with a pen or a keyboard really easily.  And the paper suggests this is the best we're going to be able to do regarding memorizability, and writing it down usually happens anyway.  So why not also make transcribability a priority?

Example using the more sophisticated FIPS 181 standard:
Code:
Chrawjo Odimgig gotitio Udruevi Cepshuj

NB: If FIPS 181 manages to stuff more entropy into each of these words than I did above, then this can be made more compact.  I have no idea about this.

Edit: I just realized the code I used in the first example left out c, h, q, and y, so the passphrase only had ~ 122 bits of entropy.
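
The consonant/vowel scheme from post #24, as an added example that is not part of the original thread: it draws each letter from the OS CSPRNG and computes the entropy for both the full 21-consonant alphabet and the 17-consonant one the post's edit describes. All function and constant names here are assumptions made for illustration.

```python
import math
import secrets
import string

VOWELS = "aeiou"
# 21 consonants: every letter that is not a vowel (y counted as a consonant).
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
# 17 consonants: the alphabet of the post's first example, missing c, h, q, y.
REDUCED = "".join(c for c in CONSONANTS if c not in "chqy")


def word_bits(consonants=CONSONANTS, vowels=VOWELS, syllables=3, capital=True):
    """Entropy in bits of one word shaped C(VC)*syllables.

    Valid only if every letter is drawn uniformly and independently.
    """
    choices = len(consonants) ** (syllables + 1) * len(vowels) ** syllables
    if capital:
        choices *= 2  # first letter independently upper or lower case
    return math.log2(choices)


def make_word(consonants=CONSONANTS, vowels=VOWELS, syllables=3, capital=True):
    """Generate one word with the CSPRNG, never the `random` module."""
    letters = [secrets.choice(consonants)]
    for _ in range(syllables):
        letters.append(secrets.choice(vowels))
        letters.append(secrets.choice(consonants))
    word = "".join(letters)
    if capital and secrets.randbelow(2):
        word = word.capitalize()
    return word


def make_passphrase(words=5, **kw):
    return " ".join(make_word(**kw) for _ in range(words))


def words_needed(target_bits, **kw):
    """Smallest word count whose total entropy reaches target_bits."""
    return math.ceil(target_bits / word_bits(**kw))


if __name__ == "__main__":
    print(make_passphrase())
    print(f"5 words, 21 consonants: {5 * word_bits():.1f} bits")
    print(f"5 words, 17 consonants: {5 * word_bits(consonants=REDUCED):.1f} bits")
    print(f"words for a strict 128 bits: {words_needed(128)}")
```

Five words come to about 127.7 bits with 21 consonants and about 121.6 bits with 17, so a strict 128-bit target takes a sixth word under either alphabet.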