While the password recommendation stuff is changing (the US government updating it guidelines last year), it’s generally best practice to not share passwords which itself implies using a password manager anyway which makes the whole “long passphrase” vs “complex” password moot - just generate 32 lowercase random characters to make it easier to type or use the autogenerated password your password manager recommends.
replyThe long passphrase is more for the key that unlocks your password manager rather than the random passwords you use day to day.
There's also login passwords, and depending on how many systems you have to log into, these can be quite numerous. There are some attempts to address this with smartcards and FIDO tokens and so on, but it's not nearly universal yet. At least SSH keys are common for remote login nowadays, but you still need to log into some computer directly first.
replyI find it rare to have a huge number of machines to log into that aren't hooked up to a centralized login server. Still, nothing prevents you from having passwords for each individual machine that needs it. It's cumbersome to type it in but it works, which is why I recommended all lowercase (faster to type on a mobile device).
replyentropy is stronger than complexity. https://xkcd.com/936/
replyI wonder how many people have used Correct Horse Battery Staple as a password thanks to this comic
replyAh, just mix them up randomly: Staple Battery Correct Horse!
reply> Makes password "xkcd.com/936"
reply