I’d counter that you can in fact memorize ~arbitrarily many good passwords if you:
Use a procedure that generates passwords that are high-entropy but memorable.
A memorability-enhancing improvement on the common “generate N random words” is “generate N random words, then add more words until the passphrase is grammatically correct”. (Important: don’t rearrange or change the initial random words in any way!)
E. g., “lamp naval sunset TV” → “the lamp allows the naval sunset to watch TV”.
This doesn’t reduce entropy, since this is at worst an injective approximately deterministic function of the initial string.[1] But, for me at least, it makes it significantly easier to recall the password (since that makes it “roll off the tongue”).
Use spaced repetition on them. Like, literally put “recall the password for %website%” in an Anki deck. (Obviously don’t put the actual password there! Just create a prompt to periodically remind yourself of it.)
I’m not actually doing that for all my passwords, only for a dozen to the more important stuff.[2] But I expect this scales pretty well.
Well, technically, this is only approximately injective: the worst case is that adding words to two random sequences would map them to the same phrase. E. g.:
“lamp naval sunset TV” → “the lamp allows the naval sunset to watch TV”
“lamp naval watch TV” → “the lamp allows the naval sunset to watch TV”
But I posit that this would never happen in practice.
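As an added illustration of the point above (this is example code, not the commenter's own tooling): the claim "this doesn't reduce entropy" holds exactly when the seed-words-to-phrase map is injective, and the footnote's collision is the case where it is not. The script below draws the N seed words with a CSPRNG, computes their entropy, and then checks a candidate phrase for the footnote's failure mode: it enumerates every in-order N-word subsequence of the phrase made only of wordlist words, and flags the phrase as ambiguous if more than one seed could have produced it. It also computes the Shannon entropy of a seed→phrase map to show how much a collision costs. The wordlist and the function names are constructed for the demo; a real list such as EFF's 7776-word list gives about 12.9 bits per word.

```python
import math
import secrets
from collections import Counter
from itertools import combinations

# Constructed toy wordlist for the demo (a real passphrase list is far larger).
WORDLIST = ["lamp", "naval", "sunset", "tv", "watch", "river", "copper", "quiet"]


def seed_entropy_bits(n_words, wordlist_size=len(WORDLIST)):
    """Entropy of N words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def generate_seed(n_words, wordlist=WORDLIST):
    """Step 1 of the procedure: N uniformly random words, drawn with a CSPRNG."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def seeds_recoverable_from(phrase, n_words, wordlist=WORDLIST):
    """All in-order N-word subsequences of the phrase consisting only of
    wordlist words. More than one result means two different seeds could
    have produced this phrase: the footnote's collision."""
    words = set(wordlist)
    tokens = phrase.lower().split()
    hits = set()
    for idx in combinations(range(len(tokens)), n_words):
        cand = tuple(tokens[i] for i in idx)
        if all(w in words for w in cand):
            hits.add(cand)
    return sorted(hits)


def is_unambiguous(seed, phrase, wordlist=WORDLIST):
    """True iff the phrase keeps the seed in order AND no other seed of the
    same length can be read out of it. Use this as the acceptance check
    after extending the seed into a sentence."""
    cands = seeds_recoverable_from(phrase, len(seed), wordlist)
    return cands == [tuple(w.lower() for w in seed)]


def phrase_entropy_bits(seed_to_phrase):
    """Shannon entropy (bits) of the phrase distribution when every seed is
    equiprobable. Equals log2(#seeds) exactly when the map is injective;
    every collision lowers it."""
    total = len(seed_to_phrase)
    counts = Counter(seed_to_phrase.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    seed = ["lamp", "naval", "sunset", "TV"]
    collided = "the lamp allows the naval sunset to watch TV"   # filler "watch" is a list word
    clean = "the lamp allows the naval sunset to observe TV"    # filler words not on the list
    print("seed entropy (toy list):", seed_entropy_bits(len(seed)), "bits")
    print("candidate seeds, collided phrase:", seeds_recoverable_from(collided, 4))
    print("unambiguous?", is_unambiguous(seed, collided), is_unambiguous(seed, clean))
    print("fresh seed:", generate_seed(4))
```

The practical rule this encodes: the filler words you add must not themselves be wordlist words, otherwise the phrase can be read as more than one seed. The recoverability check is a defender-side check you run on your own phrase before adopting it, not something that needs the wordlist to be secret.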
I also use KeePass for the rest, sync’d through ProtonDrive. The fewer cloud services you have to trust, the better.