Schneier's blog makes the claim that my random sentence passwords are easily crackable because words like that can be farmed from information they have on someone... except there's an issue with that sentence. If I used ihadatastybrunch as my password and someone used a rainbow table and password cracking methods that involved harnessing words from social media, forums, etc... (not counting this one), there is NO WAY my password would be cracked! I've never said the word brunch anywhere online, it's just a random word that popped into my head and I made a sentence about it. "Oh but it's a sentence, so the algorithm can get rid of any grammatically incorrect passwords" Have a good time with that... your program is going to be horribly slow. And he suggests these horribly inconvenient methods of creating long passwords of complex characters completely randomly and storing them encrypted on your computer with some master password (single point of failure)... 'cept if you're not doing regular backups and/or you've made a password change and you have a hard disk failure, then you can say bye-bye to your passwords. Or if you decide to use some sort of password management that's internet-enabled and stores in the cloud, you've just hugely compromised your password. The end goal of making a password is balancing usability with entropy. If your password is so obscure and unmemorable that you forget it and have to reset it, it is a poorly usable password. Every time you do a password reset, you're opening your account to theft. Luckily, you can open a Merriam Webster dictionary, flip to a random page, point at a word, repeat 3-5 times, and you've got a secure and memorable password. Hell, you can use a random number generator to choose your words... and the only way someone can crack your password is if they have a few ____illion years to spare and/or they just happen to know that Scott used plaintext words in his password, which is an assumption that's completely broken by throwing just one @ or 1 in the mix, but isn't even worth that effort. I honestly can't fathom why he'd say "correcthorsebatterystaple" is crackable by harnessing information... maybe that's why Blowfish and Twofish are hardly used outside of crypto classes.