I suspect that Kent is right that most pass phrases don't have over 50 or 60 bits of entropy, far below the 128 bits of protection that we like to think IDEA is giving us. There's an interesting issue here: is it feasible to construct an enumeration based on the 50-60 bits of information? If not, the protection is rather stronger in a practical sense. But if one can generate a reasonably comprehensive enumeration, then an enemy who can brute-force (say) a 56-bit key could attack a PGP keyring as well. It should be more or less obvious to this group, but it bears repeating anyway. The number of possible keys sets an upper bound on the difficulty of attacking a system; it says nothing about the lower bound. (Proof: a monoalphabetic substitution on English has 26! possible keys, which is about 88 or 89 bits. But solutions are extremely trivial.) Passphrases aren't 128 bits -- but they may be quite strong nevertheless.