> I pushed Lastpass to my company in 2017, made everyone use 24 char.
Do people actually memorize that?! If so, I strongly suspect that these pass phrases have much less entropy than 24 truly random characters would allow.
Five English words have an entropy of about 55 bits [1]. "Spicing them up" probably adds a handful more, but not much.
That's about as much as a 12-character truly random case-insensitive alphanumeric password without special characters (log2(36^12) = 62).
> In 6 years I have had zero password reset requests.
What do you mean by that? This can mean that either your scheme is secure, or that nobody has ever attacked it (or you haven't found out that it did happen).
Depends if you are counting correct and common English words. But yeah, it's close to about 12 chars of anything you can hit on a keyboard, entirely random. I figured 3e23 vs 4e23, you know, "close" ;)
Now… get 80 people to remember 12 random chars.
No resets means no one has forgotten their passphrase. I cannot be just explaining passphrases to you now.
But also, spicing a passphrase up is huge and not just a few bits more entropy. You go from 24 chars that are 5 word options to 24 chars that are almost completely random again.
I trained people for 5-word passphrases with no BS.
They were free to spice them up if they like. In 6 years I have had zero password reset requests.
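The entropy figures argued over above, worked through as an added example (not from either commenter). It assumes a 2048-word list, which is what makes five words come out at the 55 bits quoted, and models "spicing up" as rules an attacker is assumed to know (capitalisation choice, separator choice, appended digits); those rule parameters are assumptions, not the thread's.

```python
import math

# Assumed list size: 2048 words gives exactly 11 bits per word (the 55-bit figure).
WORDLIST_SIZE = 2048


def passphrase_bits(words, wordlist_size=WORDLIST_SIZE,
                    capitalize_choice=False, separators=1, digits_appended=0):
    """Entropy of a passphrase when the attacker knows the generation scheme.

    Entropy comes from choices the generator actually made, not from how
    long the result looks. Each 'spice' rule contributes only the bits of
    its own choice: capitalise-or-not is 1 bit per word, a separator drawn
    from `separators` options adds log2(separators) per gap, each random
    trailing digit adds log2(10).
    """
    bits = words * math.log2(wordlist_size)
    if capitalize_choice:
        bits += words
    if separators > 1:
        bits += (words - 1) * math.log2(separators)
    bits += digits_appended * math.log2(10)
    return bits


def random_password_bits(alphabet_size, length):
    """Entropy of a uniformly random string over an alphabet of a given size."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits, alphabet_size):
    """Shortest uniformly random password over the alphabet with at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    plain = passphrase_bits(5)
    spiced = passphrase_bits(5, capitalize_choice=True, separators=4, digits_appended=2)
    alnum12 = random_password_bits(36, 12)
    print(f"5 words, 2048-word list:            {plain:.1f} bits")
    print(f"same, capitalised/separators/2 digits: {spiced:.1f} bits")
    print(f"12 random case-insensitive alnum:    {alnum12:.1f} bits")
    print(f"random alnum length matching 5 words: {equivalent_random_length(plain, 36)}")
```

The spiced passphrase gains about 20 bits here, which is real but far short of the roughly 124 bits a 24-character string drawn uniformly from a 36-symbol alphabet would have; the gap is the difference between "looks random" and "was chosen randomly".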