I am evaluating the security benefits of requiring employees (in an enterprise context) to use multiple passwords (or passphrases) vs a single strong, randomly generated passphrase (minimum of 8 words) when paired with FIDO U2F (using a YubiKey).
My gut feeling is that the more passwords we ask employees to create (and memorize), the weaker they tend to be, especially when enforcing regular password rotations.
I would assume many will likely write them on a piece of paper, resulting in an increased opsec attack surface.
Are there significant security benefits to using different passwords (or passphrases) to unlock the computer vs unlock the password manager, for example?
My understanding is that both are subject to the same keylogger exploits.
Would love to hear from you guys on this!