By contrast if I choose a pass phrase to an online service, then my opponent can test his guesses only by interacting with the service. If I impose a cost of a few pennies on each wrong guess then I can use much shorter pass phrases than would be required to produce the crypto keys above. If I can capture the price of the wrong guesses then I can even make money from an opponent. This is called an ‘online’ attack.
I have sometimes confused the two kinds of unguessable. The crypto keys require perhaps 100 bits of entropy where the pass phrase requires more like 20 to 30 bits, depending on the value that I am protecting.
The Unix style of hashed login passwords is unfavorable because it requires pass phrases with 100 bits of entropy, in order to protect against off-line dictionary attacks. This is due in part to the nature of Unix that requires the hashed pass phrases to be readable by too many programs.
Cookies used to authenticate HTTP requests may require less entropy than the related SSL secret session key.
This distinction also weakens one of my argument against Cookies with SSL.
This importance of this issue became clear to me following comments by Bill Frantz.