It bothers me how much folks parrot this XKCD, especially using it to imply passphrases are superior. They are in fact not! Four common words are definitely easier to remember, but is it really feasible to remember hundreds (thousands?) of truly unique four word combinations easily? I would argue strongly it’s not for most people, so then you’re still using a password manager for the vast majority of passwords. Yes, you still need to remember a few, where then passcodes are ok. Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length) which may not allow for your passphrase as suggestingly formatted by XKCD, thus needing a password manager more.
If we are using a password manager as we should be, there is no real justification for using memorable passwords for the majority of passwords. Let’s use the example from XKCD:
correct horse battery staple = 2048^4 = 2^44
If instead we use the same length of 28 characters with the full range of characters allowed by most websites:
M4Uk@gQRU!JFgwlI6MV$VV39TEA. = 70^28 = ~2^172
Dunno about you, but I’ll gladly take significantly more entropy with zero extra cost any day.
