by throw0101a 1460 days ago
> […] having a 40 character password would quickly become a PITA.

Do you have a favourite song/poem/nursery rhyme?

"Hey diddle diddle, the cat and the fiddle,"

* https://en.wikipedia.org/wiki/Hey_Diddle_Diddle

And you only have to unlock it perhaps once at the beginning of the work day (set auto-lock/forget to 8 hours), or twice a day (morning, after lunch; auto-lock to 4 hours). Once unlocked maybe only ask for confirmation for use.


Using a phrase in a book or a poem is not much stronger than using a single word as a passphrase. Attackers include such phrases in their cracking dictionaries, including variations on spelling and punctuation. After the initial hashing of the candidate passphrase, a five-letter word takes exactly as long as a 100-character lyric from a song.

There are lots of sad stories of people losing funds in the early days of Bitcoin when "brain wallets" were briefly popular. Victims used quote-based passphrases that seemed unguessable.

The threat model is a little different when it includes getting access to your encrypted password-manager database or OpenPGP smart card. But the point stands that a well-known phrase might as well be a dictionary word.
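As an added example, not written by anyone in this thread, of why the reply above treats a well-known phrase as a single dictionary entry: a Python checker that folds the spelling and punctuation variants attackers enumerate anyway before looking a candidate up, plus a timing comparison showing that the per-guess cost of a slow hash does not depend on the length of the guess. The phrase list, the salt and the substitution table are constructed sample data.

```python
import hashlib
import re
import time
import unicodedata

# Constructed stand-in for the lyric/poem/quotation lists that real cracking
# dictionaries carry; hypothetical sample data, not taken from any wordlist.
KNOWN_PHRASES = [
    "Hey diddle diddle, the cat and the fiddle",
    "To be, or not to be, that is the question",
    "Twinkle, twinkle, little star",
]

# Leetspeak-style substitutions that a mangling rule undoes in one step.
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})

def normalize(phrase: str) -> str:
    """Fold case, accents, substitutions, punctuation and spacing so that the
    spelling/punctuation variants of one phrase all map to one dictionary key."""
    s = unicodedata.normalize("NFKD", phrase)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.lower().replace("&", " and ").translate(_SUBS)
    s = re.sub(r"[^a-z0-9]+", " ", s)
    return " ".join(s.split())

_KNOWN = {normalize(p) for p in KNOWN_PHRASES}

def is_known_phrase(candidate: str, min_words: int = 3) -> bool:
    """True if the candidate is a known phrase, contains one, or is a fragment
    of one at least `min_words` long: each is one dictionary entry to an attacker."""
    n = normalize(candidate)
    for known in _KNOWN:
        if known in n or (n in known and len(n.split()) >= min_words):
            return True
    return False

def hash_cost_ratio(iterations: int = 100_000) -> float:
    """Wall-clock ratio of PBKDF2 over a 100-char lyric vs. a 5-letter word.
    Close to 1.0: the work is per guess, not per character of the guess."""
    salt = b"constructed-salt"  # constructed; a real system uses a random salt
    def cost(pw: bytes) -> float:
        runs = []
        for _ in range(3):  # best of three to damp scheduler noise
            t0 = time.perf_counter()
            hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
            runs.append(time.perf_counter() - t0)
        return min(runs)
    lyric = ("hey diddle diddle the cat and the fiddle " * 3)[:100].encode()
    return cost(lyric) / cost(b"hello")
```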

To me it makes more sense to use a longer password for FDE, and maybe have it cached into the TPM but with a shorter unlock code for resuming, locking, etc. It might make sense to have a two tier password for password managers though. Like a hot/cold.