The dilemma with the pass phrase issue seems to boil down to the balance between entropy and memorability. The "shocking nonsense" guidelines sound like about the best suggestions I've heard for humans to generate pass phrases, but I would suggest that even shocking nonsense can be broken by somebody--or something--that thinks like Charles Dodgson. If it came from a process that includes any logic at all, that logic will be discovered if economical to an attacker. But who can remember a 132-bit true random number? Take, for example: 0X997D6C32FC8F99104FDCC8BF4B24C7031 I got that number by grabbing handfuls of pennies out of a pile of 132--a true random number generator that cots less than breakfast--though, I will admit that it's somewhat cumbersome. But a number can be represented in many different ways. Create a six-bit character set, filling from 000000 to 111111 with a-z, A-Z, 0-9, . [period], and - [hyphen]. Now, the key becomes: Mx1SmVYpMrbp3mI-sYthaX Not impressed yet? Try using the human brain's wonderful talent for seeing patterns in randomness. If your mind just happened to work exactly like mine, you would get: Mx1 misSiles moVe Yp; Mr. bop of 3m I-s Yt haX. [Yt as in the element.] I would suggest that it would only take the average person a minute or two to memorize such a phrase, especially if she were the one to do the pattern-matching in the first place. So, the end result is a ten-word pass phrase that isn't hard to learn, is only vulnerable to a brute-force attack, and would take about a sextillion years to brute-force at a trillion encrypts per second--and the universe is "only" a hundred billion years old. Can anybody suggest how to implement this? Can a computer program suggest mnemonics that would mean anything to a person? Even if the computer gives the user a screenful of such? Or, how about giving a screenful of "words," and letting the user mix-n-match? Obviously, you would need a real random number generator and a secure terminal for all this. Maybe it's time for me to write some code.... b& -- Ben.Goren@asu.edu, Arizona State University School of Music net.proselytizing (write for info): Protect your privacy; oppose Clipper. Voice concern over proposed Internet pricing schemes. Stamp out spamming. Finger ben@tux.music.asu.edu for PGP 2.3a public key.