Humans have flaws in their thinking which decreases randomness and make passwords more quessable, so purely on that I’d say generated are better. But, in both instances, length matters - is it within cracking range or in the range of not-likely-in-any-reasonable-timeframe. But there is also the problem of human limits of how long pws we are able to remember, and how many (it’s a human flaw and using same in many systems is bad practice). Luckily we have some tools, like password managers that both generate and remember for us, which help but in turn also create a bit of work and (if done badly) transfer risk (having all the keys to all your valuables in one place). The question, I think, is a bit theoretical as there are all this kind of other things to consider. In addition to: “maybe using just passwords isn’t the best method - at least in all cases”.
2 Likes