Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.
Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?
This is the security industry’s dirty little secret that doesn’t get talked about in public enough.
All the excellent security on a site, including complex passwords, perfectly secure storage of a salted hash of that password, multifactor authentication using TOTP, etc., is completely moot if someone can just hit “I forgot my password” (or “I don’t have my second factor”) and bypass it by doing an email loop. You instead rely on the security of the user’s email account.
for email there is an easy solution. create a shared alias on addy, confirm it as your recovery email, forget the alias 👌