
What's the alternative?

1. Have people manage their own secrets storage? Most people don't have the time or ability to do this securely either. I'd rather pay someone else to secure infra, code, distribution, encryption, backups, etc. for me.

2. Reuse the same password on every site? One site gets hacked and now you're screwed.

3. Memorize a unique, long password for every site? Not feasible.

Third-party/commercial password managers are the best solution for most people, practically speaking.




I've never used password managers, partly because I don't trust them and partly because I've found an alternative that I feel is secure enough and more convenient. I split my passwords into two parts, one secure part that is memorized but reused and one weak part that is written down but not reused.

The main ways people are hacked are reuse of passwords and writing passwords down. If someone gets access to one of my passwords, trying it on other sites won't work. If someone finds the written parts of my passwords, that won't work either, as they would need to know the secure part of the password that I memorize. I can even easily take the written part of my password with me if I want to use a password on a different computer.

The only issue with this technique would be if someone finds multiple passwords of mine, they might be able to figure out the scheme and brute force other passwords, but if someone already has multiple passwords of mine and is taking the time and effort to go after me individually then I figure I am probably screwed any which way.
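
The caveat in the comment above (several leaked passwords reveal the scheme) can be shown concretely. The block below is an added example, not the commenter's code: `concat_scheme` models the split described above (memorized part + written part), and `derive_password` is a different, stronger variant in which the written per-site part is run through HMAC-SHA256 keyed by the memorized part, so leaked site passwords no longer share a visible common prefix. All sample secrets and site tags are constructed for illustration. Note the remaining weakness of the HMAC variant: if the written part is assumed known, one leaked output allows an offline guess-and-check on the memorized part, so that part still needs real entropy.

```python
import base64
import hashlib
import hmac


def concat_scheme(memorized: str, written: str) -> str:
    """The split scheme from the comment: a reused memorized part
    followed by a per-site written part. Two leaked passwords expose
    the shared memorized part as a common prefix."""
    return memorized + written


def derive_password(memorized: str, written: str, length: int = 20) -> str:
    """Variant (not the commenter's scheme): derive the site password as
    HMAC-SHA256(key=memorized part, msg=written per-site part), encoded
    as URL-safe base64 and truncated. Outputs for different sites are
    unrelated, so the memorized part is not visible in any of them."""
    mac = hmac.new(memorized.encode("utf-8"), written.encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


def shared_prefix(a: str, b: str) -> str:
    """Longest common prefix of two strings; used to show what an
    attacker holding two leaked passwords learns about the scheme."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


if __name__ == "__main__":
    # Constructed, hypothetical values for illustration only.
    memorized = "correct-horse-battery"   # never written down
    site_parts = {"news.example": "hn-7k", "git.example": "gh-2p"}

    concat = {s: concat_scheme(memorized, w) for s, w in site_parts.items()}
    hashed = {s: derive_password(memorized, w) for s, w in site_parts.items()}

    print("concat scheme, common prefix of two leaks:",
          repr(shared_prefix(*concat.values())))
    print("HMAC variant, common prefix of two leaks:",
          repr(shared_prefix(*hashed.values())))
```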


The alternative to fully cloud-based solutions would be a local, open source kdbx client (KeePass, KeePassXC, etc.) with the password database stored in cloud storage (Dropbox/Google Drive/etc.). This way, one gets the best of both worlds.


This can be a nice compromise, but it's not without downsides. Personally, 99% of the authenticated software I use is in my browser, and the usability of an extension that has a little badge to tell me I have an account on this site and autofill capabilities is really tough to pass up. Further, because it's an extension, it can know what site I'm on, which all but eliminates my risk of falling prey to phishing attempts.
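
The phishing point above (the extension knows which site it is on) rests on how the saved entry is matched against the current page. The block below is an added example, not code from any extension mentioned here: `strict_match` only offers an entry when the page's origin (scheme, host and port) equals the origin saved with the entry, while `naive_match` shows the substring check that a lookalike host like `accounts.example.com.evil.test` defeats. The vault contents and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: saved origin -> username. Hypothetical data.
VAULT = {
    "https://accounts.example.com": "alice@example.com",
    "https://git.example.org": "alice",
}


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL, which is what an extension
    should compare; path and query are attacker-controlled noise."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    origin = f"{parts.scheme.lower()}://{parts.hostname.lower()}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


def strict_match(vault: dict, page_url: str):
    """Offer a credential only when the page origin exactly equals the
    saved origin. A lookalike host or an http:// downgrade gets nothing."""
    return vault.get(origin_of(page_url))


def naive_match(vault: dict, page_url: str):
    """The weak check to avoid: 'does the saved host appear somewhere in
    the page host?'. It happily fills on accounts.example.com.evil.test."""
    page_host = urlsplit(page_url).hostname or ""
    for saved_origin, username in vault.items():
        saved_host = urlsplit(saved_origin).hostname or ""
        if saved_host in page_host:
            return username
    return None


if __name__ == "__main__":
    for url in ("https://accounts.example.com/login",
                "https://accounts.example.com.evil.test/login",
                "http://accounts.example.com/login"):
        print(f"{url}\n  strict: {strict_match(VAULT, url)}"
              f"\n  naive:  {naive_match(VAULT, url)}")
```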


KeePassXC does have a browser extension.


Why go through all that trouble? The password database (storage) in 1Password is encrypted. It is only ever decrypted on a local device.


How is cloud storage more secure than a password manager's web interface?


Passwords suck. Move on to something better.


I'll be sure to tell the 100+ sites I have saved logins for to move on to something better.


Like what?


It is a hard one, because the only computing/memory device you have with you at all times that requires no batteries, is not connected to any networks (yet), and is not vulnerable to probing/observation (yet) is your brain! But memory is too unreliable unless everyone trains for it.

Crypto keys are great, but you can lose them, and once shared they are the keys to your kingdom.

Specific security devices are great, but you need to remember to have them with you. They can get lost or broken, so you need backups.

Google authentication is convenient, but they can ban you. It is also a third party to trust.

Passwords suck but might be the best of the worst. Advantages: password managers can be used to make a password useless for other sites, and people conceptually understand it.

It is quite a hard problem!


Webauthn passwordless is the answer right now.

Obviously doesn't work for many sites because people are still convinced passwords are good.


what?



