> 1) Aren't there people using generators like Diceware that don't do the password management part?
I'm not sure they're actually that common. Moreover, if someone is sophisticated enough to use a password generator I assume they have some sort of system for ensuring integrity.
Also, if you're worried about someone changing their password to something they don't know, simply force a relogin and have effective password reset mechanisms.
> 2) The industry's definition of "high security" is constantly changing.
Industry might be getting more serious about encouraging higher security passwords, but standards for high security passwords haven't really changed much. People are just becoming less tolerant of low-security ones.
In terms of estimating security, you can use something like https://github.com/dropbox/zxcvbn which does a pretty good job of evaluating entropy and resistance to brute force attacks. Ultimately, a password with sufficient entropy will be resistant to any brute force cracker.
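As an added illustration of the entropy point above (this is example code, not part of the comment and not zxcvbn itself): a Diceware-style passphrase drawn with a CSPRNG from a list of 7776 words, its entropy, and the expected time for an exhaustive attacker at an assumed guess rate. The wordlist here is a constructed toy list and the guess rate is an assumption; the entropy formulas hold only for uniformly random selection, which is exactly why zxcvbn has to do pattern matching for human-chosen passwords.

```python
import math
import secrets

# Real Diceware lists hold 6**5 = 7776 words (five dice rolls pick one word).
DICEWARE_LIST_SIZE = 7776

# Constructed toy wordlist so the generator runs offline; not a real Diceware list.
TOY_WORDS = ["apple", "river", "cobalt", "lantern", "mosaic", "tundra",
             "velvet", "quartz", "harbor", "nimbus", "saddle", "orbit"]


def passphrase_entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase whose words are drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length, charset_size):
    """Entropy of a uniformly random password of `length` symbols from a charset."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def generate_passphrase(words, count):
    """Pick `count` words with the OS CSPRNG (secrets), as physical dice would."""
    return " ".join(secrets.choice(words) for _ in range(count))


def rating(entropy_bits):
    """Coarse bucket; thresholds are an assumption for illustration only."""
    if entropy_bits < 40:
        return "weak"
    if entropy_bits < 80:
        return "moderate"
    return "strong"


if __name__ == "__main__":
    # Assumed offline attacker rate against a fast hash (not a measured figure).
    rate = 1e10
    for words in (4, 6, 8):
        bits = passphrase_entropy_bits(words)
        years = expected_crack_seconds(bits, rate) / (365.25 * 24 * 3600)
        print(f"{words} words: {bits:.1f} bits, {rating(bits)}, ~{years:.3g} years")
    print("sample (toy list):", generate_passphrase(TOY_WORDS, 6))
```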