Authentication: Something One Knows

A possible solution to the above tradeoff is to use passphrases: a sequence of usually 3 or more English words used in place of a password. For instance: "unelected-obvious-elbow-disaster-vegan".

A passphrase is at least as strong as a password only when the words that make up the passphrase are chosen randomly and independently of one another. [That means that "red-hot-chili-peppers" or "i-love-new-york" aren't strong enough.]

When a passphrase's words are random enough, the passphrase is considered strong enough, AND the user only needs to remember a few words (3 to 5 on average) instead of more than 10 random characters of a traditional password, which eliminates the tradeoff.
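The comparison above can be made concrete by counting bits of entropy. The following is an added example, not part of the original text: it assumes a wordlist of 7776 entries (the size of a standard Diceware-style list) and a 95-character printable ASCII alphabet for the password, and it generates the words with a CSPRNG so that each choice is uniform and independent of the others. The sample wordlist is constructed for illustration only.

```python
"""Passphrase strength as a function of wordlist size and word count."""
import math
import secrets

# Constructed sample wordlist for demonstration only. A real Diceware-style
# list has 7776 entries; that figure is what the entropy comparison assumes.
SAMPLE_WORDLIST = [
    "unelected", "obvious", "elbow", "disaster", "vegan",
    "harbor", "granite", "tulip", "ledger", "meadow",
]


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from list_size words.

    Each independent draw adds log2(list_size) bits. Words that depend on one
    another (a song title, a slogan) come from a far smaller space and
    contribute much less than this formula credits them with.
    """
    return n_words * math.log2(list_size)


def password_entropy_bits(alphabet_size: int, n_chars: int) -> float:
    """Entropy of n_chars drawn uniformly from an alphabet (95 printable ASCII)."""
    return n_chars * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of independent words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Build a passphrase from independent, uniformly random word choices.

    secrets.choice uses the OS CSPRNG; random.choice is not suitable here.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("5 words from 7776:  %.1f bits" % passphrase_entropy_bits(7776, 5))
    print("10 random chars:    %.1f bits" % password_entropy_bits(95, 10))
    print("words for 60 bits:  %d" % words_needed(7776, 60))
    print("sample passphrase:  %s" % generate_passphrase(SAMPLE_WORDLIST, 5))
```

Five independent words from a 7776-word list give roughly the same entropy as ten random printable characters, which is the tradeoff the passphrase removes.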

The US National Institute of Standards and Technology (NIST), in its publication on Digital Identity Guidelines, encourages the use of strong and sufficiently long passphrases as a substitute for passwords. A summary of this publication can be found here.