It bothers me how much folks parrot this XKCD, especially using it to imply passphrases are superior. They are in fact not! Four common words are definitely easier to remember, but is it really feasible to remember hundreds (thousands?) of truly unique four-word combinations easily? I would argue strongly it’s not for most people, so then you’re still using a password manager for the vast majority of passwords. Yes, you still need to remember a few, where then passcodes are ok. Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length) which may not allow for your passphrase in the format suggested by XKCD, thus needing a password manager more.
If we are using a password manager as we should be, there is no real justification for using memorable passwords for the majority of passwords. Let’s use the example from XKCD:
correct horse battery staple = 2048^4 = 2^44
If instead we use the same length of 28 characters with the full range of characters allowed by most websites:
M4Uk@gQRU!JFgwlI6MV$VV39TEA. = 70^28 = ~2^172
Dunno about you, but I’ll gladly take significantly more entropy with zero extra cost any day.
I don't remember all of them and I use a password manager, that's true.
But if I need to log in on a device where my password manager is not installed, or you can't use a password manager (e.g. Windows UAC prompt, Linux tty), it will be way easier to open my password manager on my phone and type a password rather than a long random string.
I don't use a passphrase for every login, but for some logins where I think it could be beneficial to easily type it without using autofill I use them.
Yep. For most logins, a password manager is the way. But there are some you are simply going to have to or want to remember (password manager key, workstation login), and for those, passphrases are better.
What about your login password though? Or an email password which you occasionally need to access on a machine you don't control? Those are the passwords where I use a passphrase.
It might make a slight difference or it might not, but you can't know that it will so best to assume that it doesn't. In practice the amount of computing power actually available is going to make much more difference than the method used.
IMO, pass phrases only seem useful if you have a quite insecure password. It is ideal to aim for 115-128 bits of entropy, which is not that bad with just random lower case letters and numbers (24 characters is good) but turns into a long and complex passphrase. To learn a random password write it down (split into groups of 6ish characters) and copy it from the paper for 2-4 weeks (do not try to guess until you are almost certain your guess is correct).
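As an added illustration of the arithmetic in this comment and in jsjohnst's earlier comparison (this is example code, not anything posted in the thread), the following computes the entropy of each scheme and how long each needs to be to hit a target. The 70-symbol site alphabet and the 2048-entry word list are constructed here as assumptions; only the sizes matter for the entropy figures.

```python
import math
import secrets
import string

# Constructed assumptions matching the thread's numbers: a 2048-word list
# (XKCD's 2^11), a 70-symbol alphabet most sites accept, and lowercase+digits.
WORDLIST = [f"word{i:04d}" for i in range(2048)]        # placeholder words
SITE_ALPHABET = string.ascii_letters + string.digits + "!@#$%&*."  # 70 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits              # 36 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly and independently
    from `alphabet_size` options: length * log2(alphabet_size). This only
    holds for secrets generated by a CSPRNG, not for human-chosen phrases."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_string(alphabet: str, length: int) -> str:
    """Uniform random password; `secrets` draws from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist: list, words: int) -> str:
    """Diceware-style passphrase: each word picked uniformly from the list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes() -> dict:
    """The thread's cases side by side, plus lengths for a 128-bit target."""
    return {
        "xkcd_4_words": entropy_bits(len(WORDLIST), 4),          # 44.0
        "random_28_of_70": entropy_bits(len(SITE_ALPHABET), 28),  # ~171.6
        "lower_digits_24": entropy_bits(len(LOWER_DIGITS), 24),   # ~124.1
        "words_for_128_bits": length_for_bits(len(WORDLIST), 128),       # 12
        "lower_digit_chars_for_128": length_for_bits(len(LOWER_DIGITS), 128),  # 25
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:28s} {value}")
    print(random_passphrase(WORDLIST, 4))
    print(random_string(SITE_ALPHABET, 28))
```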
Indeed, the XKCD comic "Password Strength" does not argue against password managers, but sometimes when someone posts that comic I wonder why they need to come up with a memorable password given that password managers exist.
Secondly, jsjohnst was not supporting silly password rules, merely pointing out that a password manager can make the password rules less of a hassle to comply with [https://news.ycombinator.com/item?id=39690528]:
> Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length)
Great username btw