Great username btw
If we are using a password manager as we should be, there is no real justification for using memorable passwords for the majority of passwords. Let’s use the example from XKCD:
correct horse battery staple = 2048^4 = 2^44
If instead we use the same length of 28 characters with the full range of characters allowed by most websites:
M4Uk@gQRU!JFgwlI6MV$VV39TEA. = 70^28 = ~2^172
Dunno about you, but I’ll gladly take significantly more entropy with zero extra cost any day.
But if I need to log in on a device where my password manager is not installed, or you can't use a password manager (e.g. Windows UAC prompt, Linux tty), it will be way easier to open my password manager on my phone and type a password rather than a long random string.
I don't use a passphrase for every login, but for some logins where I think it could be beneficial to easily type it without using autofill I use them.
See my reply to sibling commenter, I had already covered this case in my original post.
>I don't always drink beer, but when I do...
>> using a password manager for
>> the /vast majority/ of passwords
Added emphasis to what I said previously to show I had answered that already.
IMO, passphrases only seem useful if you have a quite insecure password. It is ideal to aim for 115-128 bits of entropy, which is not that bad with just random lowercase letters and numbers (24 characters is good) but turns into a long and complex passphrase. To learn a random password, write it down (split into groups of 6ish characters) and copy it from the paper for 2-4 weeks (do not try to guess until you are almost certain your guess is correct).
Secondly, jsjohnst was not supporting silly password rules, merely pointing out that a password manager can make the password rules less of a hassle to comply with [https://news.ycombinator.com/item?id=39690528]:
> Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length)
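The entropy figures quoted in this thread can be reproduced, and passwords of a chosen strength generated, with the short Python script below. It is an added example, not part of any comment above; the 2048-entry word list is a constructed stand-in for a real list, the function names are hypothetical, and the bit counts hold only when every symbol is drawn uniformly at random.

```python
import math
import secrets
import string

# Pools discussed in the thread. WORDS is a constructed placeholder list,
# standing in for a real 2048-word list such as the one XKCD assumes.
WORDS = [f"word{i:04d}" for i in range(2048)]
LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(pool_size)


def min_length(pool_size: int, target_bits: float) -> int:
    """Smallest number of symbols whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate(pool, length: int, sep: str = "") -> str:
    """Draw `length` symbols from `pool` using the OS CSPRNG."""
    return sep.join(secrets.choice(pool) for _ in range(length))


def comparison():
    """(label, pool size, length, bits) for the schemes named in the thread."""
    schemes = [
        ("4 words from 2048", 2048, 4),
        ("28 chars from 70", 70, 28),
        ("24 chars from a-z0-9", len(LOWER_DIGITS), 24),
    ]
    return [(name, n, k, entropy_bits(n, k)) for name, n, k in schemes]


if __name__ == "__main__":
    for name, n, k, bits in comparison():
        print(f"{name:22} {bits:6.1f} bits")
    for target in (115, 128):
        print(f"{target} bits needs {min_length(2048, target)} words "
              f"or {min_length(len(LOWER_DIGITS), target)} a-z0-9 chars")
    print("passphrase:", generate(WORDS, 4, sep=" "))
    print("random    :", generate(LOWER_DIGITS, 24))
```
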