Definitely one of the first obvious seeming flaws with the idea (part of why I dropped it, it seems to inherently wrong to most) -- but a sufficiently long password (essentially, a "passphrase") with some randomness thrown in is enough (to at least force a brute-forcer to try the whole space, obviously not just dictionary words), when it comes to password strength.

Assuming that's true, the big problem with this approach is how to make sure people use long-enough and sufficiently random passphrases, and I think encouraging hints helps that. If I have a hint like "elementary school cheer w1th 0nes and second crush's name with how you feel" -- I think that's very hard for someone to either brute force, and hard for them to figure out without access to that information (and my own personal inner thoughts), and should be pretty long.

I still think that the safest place for passwords is inside your head (and a close second is a sufficiently physically secure sticky note). If you think I'm wrong please tell me, I'd love to hear why I'm wrong, I'm not a newcomer to the security space but am by no means an expert. Lastpass and Onepass have never been "breached" per say but a pessimistic view would suggest that it's only a matter of time.