Misinformation like, "Always use a reputable cloud password manager, like LastPass?" Along with a trusty antivirus, am I right?
To be further contrarian, if the common man is going to use a password manager, use Chrome's built-in auto-fill, without antivirus or other 3rd-party bolt-ons, be they LastPass, KeePass, 1Password etc. You know who Tavis works for, right? Chrome's application security is best of breed, and its password manager does what it's designed for, at least.
I was responding to your nonsense advice that 12+ character random ASCII is somehow better or more secure than a "correct horse battery staple" or diceware-style password. They have identical security properties, given appropriate choice of N.
If you are going to memorize passwords, feel free to memorize ASCII gibberish if that's what you are into. Or memorize random phrases, since many (most?) humans find those easier to remember.
You're right, I misremembered the number of rolls for diceware. I guess your passwords have an extra bit over mine. How many 12+ character passwords are you able to memorize? How long does it take you to learn a new/changed one?
> How many 12+ character passwords are you able to memorize?
As I need to enter on a regular basis. In practice, no more than half a dozen. Usually I have 3 or 4 in use. Might be work, personal, and a couple for crypto.
> How long does it take you to learn a new/changed one?
Depending on the length, 5-10 minutes of continuous training to be confident if it's one I'm going to put into immediate use.
The point is to go straight to pure muscle memory without using a mnemonic crutch. Ultimately for a password that you're typing on a multiple-times daily basis, you're going to be relying on muscle memory anyway. If you're trying to remember what came after the correct horse battery, or if the correct came first or last, you've already lost. "limbdumaslaterjuramondo" gets me no closer to login if my password is "limbdumaslaterjuramondohalf" if I've forgotten nonsensical "half" than "+D%W}B_]7|~y" gets me to login if my password is "+D%W}B_]7|~yd" and I've forgotten "d".
You're going to be typing the password with your fingers, so learn the password by typing it with your fingers until it's automatic, not by conjuring a sequence of unconnected mental images. It actually saves time.
I doubt most people type their passwords multiple times on a daily basis, so dismissing mnemonics with "just use muscle memory" doesn't look practical to me. And they're not incompatible, actually: you can eventually commit to muscle memory a diceware-like password, but in the meantime (or if it slips out of muscle memory) you've got mnemonics, i.e. clues.
As far as I'm concerned, I've tested some diceware passwords for some months, and I would say they served me all right. I "name" my passwords by their initials (first letter of each word), so there's no risk of missing a word or swapping some.
If it works for you, great. Maybe I was being deliberately controversial calling xkcd/diceware bullshit. Kudos for raising bad password awareness and improving practices, I suppose.
But, I still contend it basically knocks down a straw man with bullshit. Yes, they correctly point out that if you're using a mnemonic method, a long passphrase is better than a short password. I'm pretty sure the PGP folks pointed that out at least a decade or two ago.
At the end of the day, if you're not using, recalling, and exercising a strong secret, you will forget it. That's how memory works. With Diceware you have three things to learn; your silly mnemonic, what it translates to, and how to type it quickly. True, you might (just might) forget the muscle memory of exactly how to type it before you forget the entire mnemonic, and then be able to recover the password from your memory of the mnemonic cues. That seems intuitive, at least, but misleadingly so.
But my years of experience have taught me that muscle memory is the most durable memory. There's nothing inherent in "correct horse battery" that's going to give you "staple" once you've forgotten it; it's gone. It was random, after all. If you're not exercising and remembering your secret, then you have to have a backup to fall upon--written down or stored somewhere? If your goal is muscle memory with minimum pain, fewer, maximally-random higher-entropy keystrokes are better.
I don't think most people sit down at their desk all day uninterrupted without leaving. I lock my terminal when I leave my keyboard and type a password to unlock when I return. I enter a password whenever I unlock an encrypted volume (e.g., to get other passwords).
You can use biometrics or tokens, but purely memorized passwords can have unique utility. In America, for instance, you generally can't be rubber-hosed to give up a memorized passphrase, and it's not generally a crime to do so. You can be compelled in a variety of settings to provide a physical token, including biometrics, or disclose their existence. There can be civil coercive techniques to persuade you to give up a password, but at a bare minimum, in a criminal situation or where the 5th Amendment applies, under my current understanding you cannot be forced to give a password from memory.
Of course if you're the surveillance target of a nation-state then potentially they can do what they need to do to covertly intercept your passphrase through physical access, evil maid etc., but that's a different ballgame.
A "better" password that you share between accounts is far worse than less strong passwords that are unique to each account. "+D%W}B_]7|~y" might be unfeasible to brute force, but that doesn't do much good if it turns up as plaintext in a dump and you've used it for all of your work or personal sites.
What? Where did I say I share these passwords? I don't. Go up to my top post. Passwords of any importance are unique, also random, and stored in a text file in an encrypted volume (with a unique, strong, memorized key).
The only non-unique keys I use are also nonrandom, and used for accounts with no security consequences. Like this one.