This is mostly a follow-up to my original post on easily generating passwords from a mnemonic. It was prompted by a comment by Francesco Sullo advocating against the method, saying “If the attacker is a cryptanalyst and he catches two of your generated ‘super secure’ passwords (for example, because you log in to his websites) he can easily discover your method in minutes.”
The premise is false, and here’s why…
For an attacker to decipher the password, I either have to be using commonly known phrases or sentences from well-known books (which I don’t), or the attacker needs to scan every book in print and out of print, which is quite unlikely. Mind you, the text can even be a phrase, as demonstrated in my reply to him, which no attacker would ever hope to guess unless it was made public at some point.
As a side note, I created a quick little utility that does the hard part. There’s ample room for improvement for sure, but it gets the point across that book cipher cryptography is only weak when the source is known.