> Why do we keep enforcing non-memorable passwords, instead of complex but memorable words?
Because most users' idea of "complex but memorable" is their mother's maiden name or their favorite album or the city they were born in, maybe with some of the letters replaced with numbers or "123" at the end. Most of us have seen the "correct horse battery staple" XKCD[0] which suggests that a simple passphrase is stronger than a complex password. But how well do you trust yourself to remember a hundred different passphrases as opposed to a hundred different passwords? You won't... you'll probably just end up using something short and easy to remember and sharing the same few key phrases among multiple accounts, and then you're basically where you started.
> I also wonder if brute force attacks can’t be effectively limited by imposing a rate limit on login attempts or requiring an email verification every once in a while
Which is fine, unless the password reset questions are guessable, or your email is vulnerable, or thanks to a SQL injection issue the site's entire database has been dumped onto Pastebin. Bruteforcing the site and bruteforcing the hashes are two different issues. That said, I don't know the math well enough to know for certain which solution (password vs passphrase) is really the better one.