> you have to fight your own KDF to discover that last word. You don't want that barrier.
You pretty much want it. Why would you make your password easy to brute force so that you can recover it in case you forget it? This makes no sense.
A 6 word phrase reaches your 64 bits target (on the GP's 2-48 word dictionary). It is still easier to remember than a base64 dump of a 64 bits random number. I still fail to see anything wrong with passphrases.
8 words is enough without a KDF. If you know 7 of the 8 words and there is a KDF, you might not be able to figure out which word is wrong or missing. But if there is no KDF you may be able to forget up to even 3 words.
Being able to brute Force your own password is a good thing if you can at least depend on knowing most of it.
You pretty much want it. Why would you make your password easy to brute force so that you can recover it in case you forget it? This makes no sense.
A 6 word phrase reaches your 64 bits target (on the GP's 2-48 word dictionary). It is still easier to remember than a base64 dump of a 64 bits random number. I still fail to see anything wrong with passphrases.