• NuXCOM_90Percent@lemmy.zip · 6 upvotes · 20 hours ago (edited)

    Pass phrases for things that need to be human readable/rememberable.

    Generated strings for everything else.

    Because a pass phrase is inherently vulnerable to a dictionary attack because… it is words. You can obfuscate that, but all the ways that would actually not compromise the readability are also pretty well known (whether that is “a=@” or “every ‘e’ is a ‘b’” and so forth).

    Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and “one day we’ll have quantum computers” but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you… at which point “hmm. 96 characters? Must be a pass phrase”. So… not the venue to discuss.

    But, at that point… if you are using a password manager/vault anyway…


    Also the reality is that anyone who has ever dealt with a bank or some other “legacy” website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to “p@$$w0rd” level bullshit (or, better yet, you have a mental model/style of password).
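    To put the entropy comparison in the post above into numbers, here is an added Python example (not from the thread): it computes the bits of a diceware-style passphrase versus a uniformly random printable string, shows how many words it takes to match a 16-character generated string, and bounds what well-known substitution rules can add. The word list is a constructed stand-in; the 7776-word dictionary size and 94-symbol alphabet are assumptions.

```python
import math
import secrets

# Constructed mini word list standing in for a real diceware list (7776 words).
# The entropy math takes the list size as a parameter, so this demo list's
# size does not affect the calculations below.
DEMO_WORDS = ["acorn", "bridge", "candle", "dune", "ember", "fjord", "glacier", "harbor"]

DICEWARE_SIZE = 7776   # 6^5 words, the classic diceware list (assumption)
PRINTABLE_ASCII = 94   # symbols available to a random generated string (assumption)


def passphrase_entropy_bits(n_words: int, dict_size: int = DICEWARE_SIZE) -> float:
    """Entropy of n words chosen uniformly at random (with replacement) from dict_size words."""
    return n_words * math.log2(dict_size)


def random_string_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


def words_to_match(target_bits: float, dict_size: int = DICEWARE_SIZE) -> int:
    """Smallest word count whose passphrase entropy is at least target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def substitution_bonus_bits(n_known_rules: int) -> float:
    """Upper bound on entropy gained by optionally applying n well-known, all-or-nothing
    substitution rules (a=@, e=3, ...). Enumerating each rule on/off costs an attacker at
    most one extra bit per rule, which is why such obfuscation barely moves the needle."""
    return float(n_known_rules)


def generate_passphrase(n_words: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """Uniform random passphrase via the CSPRNG; entropy is n_words * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(passphrase_words: int, generated_len: int) -> dict:
    """Side-by-side entropy (in bits) of a passphrase and a generated string."""
    pp = passphrase_entropy_bits(passphrase_words)
    gen = random_string_entropy_bits(generated_len)
    return {
        "passphrase_bits": round(pp, 1),
        "generated_bits": round(gen, 1),
        "words_to_match_generated": words_to_match(gen),
    }


if __name__ == "__main__":
    print(compare(passphrase_words=6, generated_len=16))
    print(generate_passphrase(6))
```

    A six-word diceware passphrase lands near 77.5 bits, a 16-character printable string near 104.9 bits, and nine words are needed to match the latter.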

    • boredsquirrel@slrpnk.net · 1 upvote · 4 hours ago

      Passphrases everywhere, add dialect to make it harder, symbols if you like. Crazy but short passwords for limitations.