
20 characters where the user attempts to be random is going to be much better than any common sentence.

Even 10 characters of attempted random is going to be better.

Maybe even 5, if they were going to use a song everyone knows.

Increasing the minimum size past a point doesn't help security, it just leads to people using low-entropy padding methods.

Whether a sentence is better than "no restriction", I'm not sure, but that's not a very fair comparison because you can't force them to use a sentence either.

I'd say what you should recommend is a series of words that don't make a sentence, but where they can remember a scenario.

Or you could have the computer generate random words and let them make a sentence out of them.

But don't use a preexisting sentence, or a tiny modification to one. It will be far weaker than it should be.
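The machine-generated random words idea from the comment above, as an added example that is not part of the original comment: it draws words uniformly with a CSPRNG and works out how many are needed to match a given number of truly random characters. The word list, function names and the 94-symbol printable-ASCII alphabet are assumptions made for illustration.

```python
import math
import secrets

# Constructed 32-word sample list (exactly 5 bits per word). A real deployment
# would load a much larger list, e.g. 7776 words for about 12.9 bits per word.
SAMPLE_WORDS = (
    "anchor barrel candle dragon ember falcon garden harbor "
    "island jacket kettle ladder magnet napkin orchid pepper "
    "quartz ribbon saddle tunnel urchin velvet walnut yonder "
    "zipper bucket cactus donkey engine fabric goblet hammer"
).split()

def random_chars_bits(length, alphabet_size=94):
    """Entropy of `length` uniformly random characters. This is an upper
    bound for a human who only attempts to be random."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits, wordlist_size):
    """Smallest number of uniformly drawn words reaching target_bits."""
    if wordlist_size < 2:
        raise ValueError("word list must contain at least two words")
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, target_bits):
    """Return (words, entropy_bits). The entropy figure holds only because
    every word is picked by the machine, independently and uniformly."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would lower the real entropy")
    count = words_needed(target_bits, len(wordlist))
    words = [secrets.choice(wordlist) for _ in range(count)]
    return words, count * math.log2(len(wordlist))

if __name__ == "__main__":
    target = random_chars_bits(10)  # strength of 10 truly random characters
    print(f"10 random printable characters: {target:.1f} bits")
    print(f"words needed from a 7776-word list: {words_needed(target, 7776)}")
    words, bits = generate_passphrase(SAMPLE_WORDS, 60)
    print(f"{len(words)} sample words, {bits:.0f} bits: {' '.join(words)}")
```

The user can then build a sentence or scenario around the generated words to remember them, as long as the words themselves and their order stay as generated.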


