I don't even think you can say it's impossible to create your
secure phrase. maybe not provably secure...but you can
easily create weirdness and entropy using mental techniques,
and add additional entropy with nonsense words, misspellings, and throw in a few
A lot of people have screwed themselves badly this way— you are not a unique and special snowflake, the ways and manipluation people will come up with when they are trying to be "random" is fairly predictable, and that the same properties which make keys easy to remember make them more predictable. Studies of have shown people picking _more_ predictable passwords when explicitly instructed to be unpredictable. Modern password cracking is a statistical study of psychology, powered by "big data" analysis on information culled from huge leaked plaintext password databases and sources like twitter and the forums.
Using a fancy technique may really only be adding a few extra bits of entropy, and worse it's very hard for you to reason about how much entropy you have and an attacker with more powerful statistical tools than your intuition may find your key with only moderate effort. For this reason it is far better to use a random technique (e.g. dice or a computer CSPRNG) and just add a couple bits directly, then there is no ambiguity.
(Though this is all without regarding the very real risk of forgetting— almost no one is prepared to deal with cryptographic secrets which _cannot_ be recovered if lost, and most people drastically overestimate the strength of their memory)
Whenever a website turns up having a security breach and we find it was using unsalted passwords everyone cries out claiming that the operators are incompetent fools (perhaps even criminally so) and yet thats exactly what a human generated "brainwallet" is— an unsalted hashed password, but worse: they're publicly visible to everyone so someone doesn't even have to compromise a system before they start cracking.
I do agree, its better to use computer generated randomness.
But, I'm still not convinced it can't be done.
If I wanted to use elements from my day yesterday -- say the name (which I can't even spell
correctly) of the lady at the Chinese take out place... or, a word from an episode title
that I watched with my wife... or the raw name of an AVI file that I burned, etc, or
the current time, ...maybe those methods are predictable but there is still entropy.
I can also devise a "predictable" but still effective ordering method.
(the method can be predictable, but doesn't mean the results can be
predicted)
if go with 100 as a lower bound of words people commonly choose, and
if I choose 25 random things, now you're talking 100^25, that's 160 bits of entropy.
Also, where do you draw the line between human-chosen and random?
If I write down random words to form a candidate word list, is it still
random, or does it have to be completely off the top of my head
without the help of rudimentary tools such as pen and paper?
Generally, it is probably best not encourage this kind of thing,
as the risks outweigh the rewards. I just wanted to make the point
that it is not impossible if one is careful and understands the dynamics
and the numbers.
My answer to forgetting passwords is steganography. Hide the backup on your own machine
in an image, mp3, or series of carriers if you really want to be paranoid.
When it comes to difficulty of memorizing something, I think people
are forgetting that the human brain remembers what it considers
to be important. If I place a high importance of remembering my
bitcoin password, (and if I rehearse it), then I'm sure i could
retain a very long password for a very long time.
I think the average person can easily remember a 12 word passphrase
if they have a substantial amount of money in it.
