"That's another reason to use an internal DNS server which queries an upstream DOH server."
Even better, spin up a little VM or VPS somewhere in the cloud, install 'unbound' as a recursive resolver and point it to your nextdns.io account/address.
Let's unpack this ... backwards ...
DNS servers out on the Internet are queried by nextdns, which presumably has no PII from you other than your CC number[1] and zip code.
Nextdns receives nothing but queries from some random VPS/EC2/VM IP. Again, presumably a provider that knows (almost) nothing about you.
Your ISP sees nothing ... just encrypted DNS traffic.
It's win, win, win.
You see no ads, since nextcloud.io acts like a pihole and strips/blocks all of the malicious hostname lookups.
[1] Remember, only AMEX verifies cardholder FIRST LAST. Use your VISA/MC. I think my first/last is Nextdns User or whatever ... YMMV if a merchant is enrolled in that weird "verified by visa" service ...
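
A sketch of the VPS resolver suggested in the comment above, as an added example that is not part of the original thread: unbound forwards upstream over DNS-over-TLS (it does not act as a DoH client), and with a `forward-zone` for `.` it works as a caching forwarder rather than a full recursive resolver. The listener is also served over TLS and restricted to one client, because the "ISP sees only encrypted DNS" claim holds only if the home-to-VPS leg is encrypted too. Assumptions: `CONFIG_ID` is a placeholder for your NextDNS configuration ID, the certificate paths and the client address `203.0.113.10` are constructed, and the NextDNS anycast addresses should be checked against your account's setup page.

```conf
# /etc/unbound/unbound.conf.d/nextdns.conf  (example path, adjust per distro)
server:
    # Accept queries only over DNS-over-TLS so the home -> VPS leg
    # is not readable by the ISP.
    interface: 0.0.0.0@853
    tls-port: 853
    tls-service-key: "/etc/unbound/tls/privkey.pem"    # constructed path
    tls-service-pem: "/etc/unbound/tls/fullchain.pem"  # constructed path

    # Do not run an open resolver: refuse everyone, then allow only
    # the home connection (constructed documentation address).
    # unbound applies the most specific matching netblock.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 203.0.113.10/32 allow

    # CA bundle used to validate the upstream certificate. Without it,
    # the name after '#' in forward-addr is not verified.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Do not answer id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    # Send every upstream query over TLS (port 853 by default).
    forward-tls-upstream: yes
    # address#tls-auth-name: the part after '#' must match the
    # upstream certificate. CONFIG_ID is a placeholder.
    forward-addr: 45.90.28.0#CONFIG_ID.dns.nextdns.io
    forward-addr: 45.90.30.0#CONFIG_ID.dns.nextdns.io
```

Run `unbound-checkconf` before restarting the service, and confirm from the NextDNS query log that lookups arrive from the VPS address rather than the home address.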
It makes entropy requirements explicit, and you can even roll your own dice to supply the required entropy to generate your passphrase.
Try it, it's fun!