DEV Community

Discussion on: Why your password is weak

webbureaucrat

Unique randomly generated keys of the same length are a lot more secure, but the argument for diceware-style word generators is that they are more memorable.

The problem that I have with this argument is that the claim just doesn't pass the smell test. Proponents of this method really memorize all their more-memorable passwords without reuse? That's just not credible for the average Internet user. My own password manager has hundreds of accounts.

Some people try to split the difference and reuse a password for "unimportant" accounts while creating unique memorable passwords for important accounts, but I still find this pretty questionable. I still have probably a hundred user accounts that have access to my credit card information, for example, and for the ones that don't, I may decide to enter that information later. And even if some users have a lot fewer "important" accounts than me and can memorize their important passwords, they're still making a big security compromise with accounts that probably have more social engineering value than the users realize.

So you have to either use a password manager or do a lot of password reuse, and one of those options is VERY insecure. So you use a password manager to collect all your correct horse battery staples. But at that point... just use long randomly generated keys for everything.

There are a very few narrow use cases where I think the diceware approach makes sense. He gives the example of smart TVs with clunky screen keyboards and no password manager integration. (Personally I suck it up and spend 5 minutes entering my passwords before I can start using the service. It's a pain point but a rare one, but I'd understand someone avoiding it.) And of course your password manager itself will need a memorable password.

But saying this is the "Best possible way to come up with a password" just doesn't hold any water.
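The entropy arithmetic behind the comment's first sentence (a random key of the same character length beats a diceware passphrase), as an added Python example that is not part of the original comment or thread. The 7776-word list size, the 94-symbol key alphabet, the tiny sample word list and the 29-character passphrase length are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed example values (not from the original comment): the standard
# diceware list has 6**5 = 7776 words; a random "key" here draws from the 94
# printable ASCII characters excluding space.
DICEWARE_LIST_SIZE = 6 ** 5
KEY_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny constructed word list so the passphrase generator runs offline;
# entropy is computed from DICEWARE_LIST_SIZE, not from this list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "bulb", "cloud", "sand", "river"]


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def diceware_passphrase(num_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words uniformly with a CSPRNG and join them with spaces."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def random_key(length: int, alphabet: str = KEY_ALPHABET) -> str:
    """Uniform random string of `length` characters drawn from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def key_length_for_bits(bits: float, alphabet_size: int = len(KEY_ALPHABET)) -> int:
    """Shortest random key over `alphabet_size` symbols with at least `bits` entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def compare(num_words: int, passphrase_len: int) -> dict:
    """Diceware passphrase entropy vs a random key of the same character length."""
    phrase_bits = entropy_bits(DICEWARE_LIST_SIZE, num_words)
    key_bits = entropy_bits(len(KEY_ALPHABET), passphrase_len)
    return {
        "passphrase_bits": round(phrase_bits, 2),
        "passphrase_bits_per_char": round(phrase_bits / passphrase_len, 2),
        "same_length_key_bits": round(key_bits, 2),
        "key_length_matching_passphrase": key_length_for_bits(phrase_bits),
    }


if __name__ == "__main__":
    phrase = diceware_passphrase(6)
    # A six-word passphrase averages about 29 characters including separators.
    print(phrase, compare(6, 29))
    print(random_key(12))
```

For six words the passphrase carries about 77.5 bits while a 29-character random key carries about 190 bits, and a 12-character random key already matches the passphrase.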