>I mean, how many memorable punctuation-mangling strategies are there on a common phrase anyway?
How do you define common? The person has the entirety of literature, movies, music, etc. to draw from. They might select any given fragment of a work, and the attacker has no way of knowing where the fragment begins or ends.
Is a purely random key strictly more secure? Sure.
But my goal isn't to get the purest possible level of security; it's to get normal people to use something more complex than the 8-14 character passwords they generally use now. I'm certainly not claiming it's perfect, but it's a simple-to-understand scheme that most non-technical users will be able to understand and use, and that will protect them from all but the most dedicated of attackers.
Just like someone told to select an arbitrary password might select any sequence of characters. They might theoretically select anything, but most of them will choose something like 'password'.
So with your users. Star Trek fans are going to choose "makeitso". And a database of famous quotes will catch them.
What I'm really getting at, though, is that I think playing cat and mouse with professional hackers is a losing game. You shouldn't spend a few seconds trying to come up with something that they won't think of when it's their entire vocation. You're just not that creative, and too many people think alike.
Just roll dice. That way your choice is provably random.
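The "just roll dice" advice above is the diceware idea: each word is picked by physical (or CSPRNG) dice rolls, so the entropy of the passphrase is exactly known and does not depend on how creative the user is. The following is an added example, not code from either commenter; it uses a constructed 36-word toy list (two dice per word; a real list has 7776 words and uses five) and lets you compare the guaranteed entropy of a dice-generated phrase with what a phrase chosen from a known list of quotes and a fixed set of mangling rules would give. The sizes passed to `bits_of_guessable_choice` are illustrative assumptions, not measurements.

```python
import math
import secrets

# Constructed toy wordlist of 6**2 = 36 entries, so two dice select one word.
# A real diceware list has 6**5 = 7776 entries and uses five dice per word.
TOY_WORDLIST = [
    "acorn", "badge", "cabin", "delta", "ember", "fjord",
    "gamut", "hatch", "ingot", "jumbo", "kayak", "lemon",
    "mango", "nudge", "olive", "pixel", "quilt", "raven",
    "sable", "tulip", "umber", "vivid", "wharf", "xenon",
    "yacht", "zesty", "amber", "bison", "cider", "dusky",
    "eagle", "flint", "gusty", "haven", "ivory", "jolly",
]
DICE_PER_WORD = 2  # 6**2 == len(TOY_WORDLIST)


def roll_die() -> int:
    """One fair six-sided die drawn from the OS CSPRNG (never random.randint)."""
    return secrets.randbelow(6) + 1


def rolls_to_index(rolls) -> int:
    """Read a sequence of die faces (1..6) as a base-6 number: [1,1] -> 0, [6,6] -> 35."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {face}")
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(n_words, wordlist=TOY_WORDLIST,
                        dice_per_word=DICE_PER_WORD, die=roll_die) -> str:
    """Pick n_words words by dice rolls. `die` is injectable so the mapping is testable."""
    if len(wordlist) != 6 ** dice_per_word:
        # Every possible roll must map to exactly one word, or the choice is biased.
        raise ValueError("wordlist size must equal 6**dice_per_word")
    words = []
    for _ in range(n_words):
        rolls = [die() for _ in range(dice_per_word)]
        words.append(wordlist[rolls_to_index(rolls)])
    return " ".join(words)


def entropy_bits(wordlist_size, n_words) -> float:
    """Guaranteed entropy of a dice-generated phrase: each word is uniform over the list."""
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits) -> int:
    """Smallest word count that reaches target_bits with a list of the given size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def bits_of_guessable_choice(candidates, variants_per_candidate=1) -> float:
    """Search space an attacker faces if the phrase is known to come from a finite
    candidate list (e.g. a quotes database) with a fixed menu of mangling rules.
    Both counts are assumptions supplied by the caller."""
    return math.log2(candidates * variants_per_candidate)


if __name__ == "__main__":
    print("toy phrase:", generate_passphrase(5))
    print("5 toy words:", round(entropy_bits(36, 5), 1), "bits")
    print("6 real diceware words:", round(entropy_bits(7776, 6), 1), "bits")
    print("words for 77 bits on a 7776-word list:", words_needed(7776, 77))
    # Assumed: 1,000,000 catalogued quotes, 8 punctuation/casing variants each.
    print("quote + mangling (assumed sizes):",
          round(bits_of_guessable_choice(1_000_000, 8), 1), "bits")
```

The point the numbers make is the one the comment makes in words: a phrase drawn from a catalogue the attacker can also buy is bounded by the catalogue's size, whereas the dice phrase's entropy is a property of the procedure, so it is the same for a Star Trek fan as for anyone else.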