The Bitcoin Bip-39 dictionary has 2048 words. And a random 24 of them are pretty secure together. What if the source is bigger (all words in the language) but there are only about 7-8 words? These words will be totally randomly selected by their index.
2 Answers
The Bitcoin Bip-39 dictionary with 2048 words can create $\approx 2^{263}$-entropy by tossing the coin 256 times to choose the words randomly. The random bits are converted into 24 11-bit blocks and every block is mapped into one of the 2048 words by ID. Since the random choice allows repetition, we need $n^r$ not $P(n,r)$;
$$2048^{24} \approx 2.9642774844752946\mathrm{e}{+79} \approx 2^{264}$$
If we assume that English has 171,476 words, then with 8 words;
$$ 171476^{8} \approx 7.475267765296064\mathrm{e}{+41} \approx 2^{139}.$$
Therefore you will have lower entropy than the Bip-39, again. With 7 words;
$$ 171476^7 \approx 4.3593667716158903\mathrm{e}{+36} \approx 2^{121}.$$
Therefore you will have lower entropy than the Bip-39.
As one can see, the choice 2048 and 24 in Bip-39 is clearly designed to reach $2^{264}$ entropy. If you use 16 words as passphrase (as noted by Dan Neely)
$$ 171476^{16} \approx 5.587962816287441\mathrm{e}{+83} \approx 2^{278}.$$
that will exceed the Bip-39. 15 words reaches $3.258743390496303\mathrm{e}{+78} \approx 2^{260}$.
> Is it still considered secure
Yes, it is still secure and beyond the reach of any collective power, like the total power of bitcoin miners that can reach $2^{92}$ double SHA256 hashes in a year.
Note: I used to round a lot. I've decided to use full numbers since that changed at least one bit. So, here is the Python:

```python
import math

def prinPowInBase2(b, p):
    # Print b^p as a float, its base-2 logarithm, and the floored bit count.
    print(b, "^", p)
    print("\t", math.pow(b, p))
    print("\t", math.log2(math.pow(b, p) + 1))
    print("\t", math.floor(math.log2(math.pow(b, p) + 1)))

prinPowInBase2(2048, 24)
```
Yes, 7-8 words selected truly at random make a strong password.
First we should consider what a strong password is: we measure the strength of a method of generating passwords by how much entropy is in it. The XKCD method https://xkcd.com/936/ uses 4 random common words and has 44 bits of entropy. This is considered a reasonable compromise if you want a memorable password.
If you do not want to rely on a PBKDF you may need more entropy. 15 random characters taken from an alphabet of 64 possible values (e.g. upper case, lower case, numbers and a few more) will give you 90 bits of entropy, which is very strong.
8 random words taken from a good quality dictionary with 50K words will give you almost 124 bits of entropy.
With the full Oxford dictionary you can get to 170K words, even 7 of those will give you 121 bits of entropy.
The BIP method mentioned has 264 bits which is more, but we hardly need that for a password. Even non memorable passwords from password managers typically don't go this high.
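The comparisons made in both answers can be reproduced with exact integer arithmetic, which avoids the float rounding mentioned in the first answer. This is an added example, not code from either answer: the function names are hypothetical, the 2^92 guesses-per-year rate is the miner figure quoted in the first answer, and the four-word list is a constructed toy input.

```python
import math
import secrets

BIP39_WORDS = 2048
ENGLISH_WORDS = 171_476           # dictionary size assumed in the first answer
MINER_GUESSES_PER_YEAR = 2 ** 92  # double-SHA256 rate quoted in the first answer


def keyspace(dict_size, words):
    """Exact count of passphrases when words are drawn with repetition (n^r)."""
    return dict_size ** words


def entropy_bits(dict_size, words):
    """Entropy of a uniformly random passphrase: r * log2(n)."""
    return words * math.log2(dict_size)


def words_needed(dict_size, target_bits):
    """Smallest word count whose keyspace is at least 2^target_bits."""
    words = 1
    while keyspace(dict_size, words) < 2 ** target_bits:
        words += 1
    return words


def years_to_exhaust(dict_size, words, guesses_per_year=MINER_GUESSES_PER_YEAR):
    """Whole years to try every passphrase; the average case is half of this."""
    return keyspace(dict_size, words) // guesses_per_year


def pick_passphrase(wordlist, words):
    """Select each word by a uniformly random index from the OS CSPRNG."""
    return [wordlist[secrets.randbelow(len(wordlist))] for _ in range(words)]


if __name__ == "__main__":
    cases = [(BIP39_WORDS, 24), (ENGLISH_WORDS, 7), (ENGLISH_WORDS, 8), (50_000, 8)]
    for n, r in cases:
        years_log2 = years_to_exhaust(n, r).bit_length() - 1
        print(f"{n}^{r}: {entropy_bits(n, r):.1f} bits, "
              f"about 2^{years_log2} years at 2^92 guesses/year")
    print("words needed from 171,476 to reach 264 bits:",
          words_needed(ENGLISH_WORDS, 264))
    toy_list = ["alpha", "bravo", "charlie", "delta"]  # constructed, 2 bits/word
    print(pick_passphrase(toy_list, 4))
```

The entropy figures only hold when every index is drawn uniformly and independently, which is why the selection uses `secrets.randbelow` rather than a human choice or a non-cryptographic generator.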