
Passphrases are lame.

You use the "passphrase" thing in a system that silently ignores the extra characters (see below for "brokerage and banking company Charles Schwab" which does just that), and "wonderful undefeated password ftw" becomes "wonderful" (trivially cracked with a dictionary attack). Pwned.

Or you get your way, and, as a naive user, use a common passphrase, included in more involved attacks. Like "rage against the machine", "let me in", "my secret password", "empire strikes back", etc. Pwned.

Or you end up with 30 passphrases in 30 different systems. Or, since a lot of them don't allow long passwords, you end up with a mix of passphrases and short passwords.

Might as well have used a password management app with cryptic generated passwords all along.
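The silent-truncation failure the comment describes is something you can test for in your own login stack. The following is an added example, not code from the commenter or from any product named above: a toy password store whose `limit` (an assumption) mimics a backend that keeps only the first few characters, a probe that registers a random passphrase and reports the shortest prefix that still authenticates, and a registration-time check that rejects the common phrases listed in the comment or anything that collapses to a single short word after truncation (the thresholds are assumptions).

```python
import hashlib
import hmac
import os
import secrets
import string


class PasswordStore:
    """Constructed demo backend. limit=None keeps the whole passphrase;
    an integer limit silently discards everything past that position."""

    def __init__(self, limit=None):
        self.limit = limit
        self.db = {}

    def _digest(self, salt, pw):
        kept = pw if self.limit is None else pw[: self.limit]
        return hashlib.pbkdf2_hmac("sha256", kept.encode(), salt, 100_000)

    def register(self, user, pw):
        salt = os.urandom(16)
        self.db[user] = (salt, self._digest(salt, pw))

    def verify(self, user, pw):
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, self._digest(salt, pw))


def probe_truncation(store, user="probe-user", length=64):
    """Register a random passphrase, then try each shorter prefix.
    Returns the shortest prefix length that still logs in (the backend's
    real limit), or None when only the full passphrase is accepted."""
    alphabet = string.ascii_letters + string.digits
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    store.register(user, pw)
    for n in range(1, length):
        if store.verify(user, pw[:n]):
            return n
    return None


# Constructed list taken from the phrases quoted in the comment above.
COMMON_PHRASES = {"rage against the machine", "let me in",
                  "my secret password", "empire strikes back"}


def passphrase_ok(pw, limit=None, common=COMMON_PHRASES, min_chars=12):
    """Reject a known common phrase, and reject a phrase that a backend
    with `limit` would reduce to one word shorter than min_chars."""
    if " ".join(pw.lower().split()) in common:
        return False
    kept = pw if limit is None else pw[:limit]
    return not (len(kept.split()) == 1 and len(kept) < min_chars)
```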


