Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.
Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?
Define ‘strength’… against a dictionary attack? Brute force? Social engineering? ‘forgotten password/recovery questions’ hack? Stolen session cookie? Keyloggers?
If you’re not aware of the above, take some time to learn about each of those things and how good security practices counter each one.
The question is kind of like, ‘can you bake a cake?’ … probably yes, but it’s really missing a lot of essential information, like what kind of oven, what ingredients do you have, what’s your skill level, do you have arms, etc.
Any ‘passphrase’ can be secure or insecure, depending on the other surrounding factors. 2FA solves many security weaknesses.
This is the security industry’s dirty little secret that doesn’t get talked about in public enough.
All the excellent security on a site, including complex passwords, perfectly secure storage of a salted hash of that password, multifactor authentication using TOTP, etc., is completely moot if someone can just hit “I forgot my password” (or “I don’t have my second factor”) and bypass it by doing an email loop. You instead rely on the security of the user’s email account.
for email there is an easy solution. create a shared alias on addy, confirm it as your recovery email, forget the alias 👌