Cool Grey, I can give sources backing my claims, can you give sources backing your claims:

http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh-keygen+1

Well, actually I just did part of your job for you, as this link says there are 1-2 bits of entropy per character in English prose, although they suggest not using it.

Here is another source that estimates the entropy per bit of English (from Wikipedia):

https://en.wikipedia.org/wiki/Entropy_%28information_theory%29

I believe that English only levels out to ~1 bit of entropy per character after several characters are used.

According to this NIST (draft, although I used to have a non-draft copy which was nearly the same if I recall correctly) paper on password strength estimation:

csrc.nist.gov/archive/pki-twg/y2003/presentations/twg-03-05.pdf

password length :: bits of entropy +=
1 - 4
2 - 6
3 - 8
4 - 10
5 - 12
6 - 14
7 - 16
8 - 18
10 - 21
12 - 24
14 - 27
16 - 30
18 - 33
20 - 36
30 - 46

As you can see, the first character gives more entropy than subsequent characters. Their estimator only adds += 2 bits of estimated entropy for having a number, += 2 bits for having a capital and += 2 bits for having a special character. So the difference between abc and A*8 is the second is 6 bits stronger, but between abcd and A##9 the difference is still 6 bits.

This isn't the best entropy estimation system in the world, but I have compared outputs using this algorithm with outputs from more algorithms I have been told are more accurate, and really the difference between the outputs is minimal. Thus I consider this to be a good entropy ESTIMATOR whereas the other more complex algorithms are actually entropy calculators I suppose.
With this algorithm, the estimated strengths of the passwords:

8wF+2Gzb :: 36.0
stonedskittleleprechaun :: 41.0
So many things to remember and do I will just make up a sentence then reptile7* :: 101.5

For an FDE or GPG key you will want to have at least 80 bits of entropy in your password, so only the long sentence would be suggested. For a web based password to a site like SR, you don't really need 80 bits of entropy imo. That NIST paper gives various suggestions of when to use which strength of password.
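
An added example, not part of the original post and not the poster's tool: a small Python estimator that follows only the rules stated above (the length table and the three 2-bit bonuses), so it is not expected to reproduce the figures the poster's own program printed. The per-character rates past 8 characters are read off the quoted table, the function names are hypothetical, and "special" is assumed to mean any character that is not a letter or digit.

```python
def length_bits(n: int) -> float:
    """Bits credited for length alone, per the table quoted in the post:
    character 1 = 4 bits, 2-8 = 2 bits each, 9-20 = 1.5 each, 21+ = 1 each."""
    bits = 0.0
    for pos in range(1, n + 1):
        if pos == 1:
            bits += 4
        elif pos <= 8:
            bits += 2
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1
    return bits


def composition_bonus(password: str) -> int:
    """+2 bits each for containing a number, a capital, a special character."""
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    # Assumption: "special" means anything that is not a letter or digit.
    has_special = any(not c.isalnum() for c in password)
    return 2 * (has_digit + has_upper + has_special)


def estimate_bits(password: str) -> float:
    return length_bits(len(password)) + composition_bonus(password)


def min_length_for(target_bits: float, bonus: int = 0) -> int:
    """Shortest length whose estimate reaches target_bits, given a fixed bonus."""
    n = 0
    while length_bits(n) + bonus < target_bits:
        n += 1
    return n


if __name__ == "__main__":
    for pw in ("abc", "A*8", "abcd", "A##9"):
        print(f"{pw!r:8} {estimate_bits(pw):5.1f} bits")
    # Length needed to reach the 80-bit target mentioned for FDE/GPG keys.
    print("80 bits, no bonuses: ", min_length_for(80), "characters")
    print("80 bits, all bonuses:", min_length_for(80, bonus=6), "characters")
```

Under these rules the 80-bit target takes 64 characters with no bonuses and 58 with all three, which is why only a sentence-length passphrase clears it.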