Simply use five random dictionary words as a password and you are fine. The browser will store then the password easy login.
Two-facor auth just adds to complexity, and that is a bad thing when it comes to secutiry. You want to be able to easily understand that a system is secure. The more complex a system is, the larger the likelyhood of a surprise "whoops, I overlooked that" somewhere down the road.
A great password won't protect you or your clients from keyloggers, writing the password on a post-it to stick to a monitor, shouting it across an office, emailing it to a friend's 'web genius' kid so he can fix that thing that's broken, and a dozen other password misadventures.
Two-factor auth is not just about rendering dictionary attacks ineffective.
How so? Assuming about 100,000 common words in the English language, with a five word phrase aren't you talking about 10000000000000000000000000 combinations for a dictionary attack to churn through? Even if you narrow it down to phrases that make grammatical sense (which certainly isn't a trivial thing to do algorithmically), you're still talking pretty astronomical numbers, and that doesn't account for the large increase in the corpus that would be needed for an attack that could include a name like "miffy" in its attempts.
But if the attacker knew with good probability that your passphrase is a valid sentence, they'd have ways to eliminate incorrect sentences, and so reduce the search space a bit (or a bit more, depending on how clever they are).
Have you ever used SwiftKey or Swype on Android? Vaguely the same principles apply here. It actually wouldn't be hard to generate passphrases where you try the most "predictable" phrases first. E.g. if you start your brute-forcing at "my cat" you would try "my cat likes" a long time before you tried "my cat algorithmically".
Also, 100,000 common words is a bit more than you would need. If people are plucking words from their heads, rather than rolling dice and picking from a list, you can assume a more limited corpus and still crack a lot of passwords.
Nobody starts brute forcing at "mycat." Even if they somehow knew that's how it started, that barely helps them. They don't know how many other words there are, or what the next one is. Simply because it is more likely to be "my cat likes" does not mean it is now feasible to crack. Without social engineering, that password is not crackable for all practical purposes and is far from a terrible password.
One problem is that WordPrss sites are often built by small web designers for clients with limited computer skills and very little patience for complex passwords, much less two-factor authentication.
For 2/3 of the WordPress sites I administer, I use a very long, complex admin password. The other site is for a group that wanted multiple admin accounts, but the people who use these accounts have a lot of trouble with complex passwords. After several emails telling me that "the website doesn't work" because the user had trouble with a long password with special characters, I gave up and switched it to an easy-to-remember password with just uppercase and lowercase letters.
Or just generate random 15+ character passwords for admin accounts. From the article it appears the concern is from brute forcing "admin" account passwords. Good luck bruting MT#r!}A1(hIQ4^pC*7`K.KGiL\&[A\k#TUC4R<R?
I dont think it's practical to rely on memory for passwords anymore. If it's a site you really couldnt give a damn about, then sure, as long as you're okay with whatever information you submit being potentially linked to that password and to any other information.
I just use a text file on my computers desktop and a usb thumb drive. I don't note what the password is for. So my Amazon password is something like dkwjRw#4camzR4%7hjfgdelsdshWE
Two-facor auth just adds to complexity, and that is a bad thing when it comes to secutiry. You want to be able to easily understand that a system is secure. The more complex a system is, the larger the likelyhood of a surprise "whoops, I overlooked that" somewhere down the road.