It is not very difficult to memorize random strings of arbitrary characters. I use a password manager to manage most of my accounts, but the important ones, like banks and email, I keep in my head. I use my password manager to generate a 15 character string of alpha+numeric+symbols. The symbols would kind of make it hard, except that in my head they are just upper-case numbers, mostly (shift-7, not ampersand). And in any case they are just positions on a keyboard (God help me if I need to enter one from my cell phone).

To memorize, just copy it into your favorite text editor, then type it 25 times in a row and delete. If you are paranoid, make sure you use a text editor that does not store temp files. Do not save this password anywhere. Set a timer and do it again an hour later, then again the next day. 10 minutes of your time and you have a password in your head. I can keep 10-20 of these at a time, maybe more since I seem to be able to type older ones from years ago.

I don't consider myself to have a great memory. I can barely remember lyrics to songs I've listened to dozens of times and it takes me hours and hours to memorize lines for plays. But I started doing this for passwords ten years ago and it is very reliable.

The thing is for your personal bank account a 15 character password is acceptable.

But for x many customer credit card details you're really looking for a much longer password that that. I'm talking 64 characters or more of pure random data.

You shouldn't be compromising for the convenience of being able to remember a password when it secures such critical data in my opinion.

Edit: I do agree though that your method is a very good way of remembering password.

At 15 characters and my character set ( [a-zA-Z0-9] and about 30 symbols) I have about 92 bits of entropy. Mean time to find a collision hash of my password is more than several years using 100% of computing power on the planet, much less do AES brute force. If memory is no issue - 256 bit passwords (usually displayed as 64 hex digits) are wonderful and there is no reason to stop short of that for pass keys that are stored electronically.

If I was responsible for this key I might increase from my normal 15 to 20 characters, giving me more than 120 bits of entropy, and I would expect to be safe from offline brute force for decades, and I could remember it.

It's trivial to memorize an entire sonnet. Actors and actresses memorize many times that amount. It's also trivial to write a sonnet. How many bits of entropy do you think a sonnet has?

Are you saying that you are happy to type in an entire sonnet when prompted for a password?

Being realistic, to expect someone to type in such a long password regardless of if they can remember it or not is clearly unreasonable.

For a consumer, perhaps, but for protecting thousands of individuals...

You can't assume this. It could be ridiculously strong, and, with a lot of use, has become remembered.

I'd argue that actually it's better to assume the worst case here, not what it potentially could be.

That and the fact that an offline attack can be run on this key is not promising.

You've assumed that everyone involved has the entire passphrase.

They were storing LISH passwords in the clear... Does it really sounds like they care enough to use some sort of multi-party brokered passphrase accountability system?

Not really, just more than one person as is implied in the grammar.

Edit: Theses "making an assumption" arguments are silly. It is good practice to assume the worst case, to assume the best in this situation is bad.

I'm impressed by your ability to extrapolate "in our heads" to mean whatever you wanted it to mean.