This assumes that services are handling your password responsibly and not e.g. storing it in clear text in a public S3 bucket, which in practice happens all the time.
Actually, the author is assuming that you will generate a password like `Password123!` for an obviously fly-by-night company and use a password manager for other websites of medium trust; the author states as much. My reading of his suggestion is that the memorized passwords are used for things like ssh or possibly logins on laptops/PCs. Some people have a good instinct for such things.
This is quite reasonable.
- Useless passwords for useless websites that needlessly require accounts.
- Autogenerated passwords for websites of infrequent use that you don't need to trust much.
- Memorized passwords for logins of high importance that you need to trust.
Since we only have so much capacity to memorize a password, the idea of reusing a password for the few high importance logins you have can be quite reasonable.
I'm just asking myself, why not use the Password generator + manager always if you have it installed either way.
I've also used some of my digit-only 8-char passwords for some websites where I'm just indifferent about people logging into my account, but usually I just use the PW manager. It takes maybe 1-2 more clicks, but more importantly, it saves me from the website saying "ohhh noooo please add a special character", and then "ohhhh sorry but there's no upper case character", blah blah.
By always using the PW manager I have a clear and standard route of registering accounts that is not a lot more work, is way more safe by default, and also can save time if at some point in 2 years you want to log in again, because of some random event. Sure, email reset would be possible, but that takes time again.
Another counter-argument against the article in general, at least in my opinion: while 2FA adds a time consuming step to the login, it happens rarely. I use a lot of services and usually always enable 2FA if it has even a single bit of personal or critical data. But as soon as I'm logged in, the access tokens or refresh tokens are valid for such a long time that I rarely have to do the 2FA challenge again.
I use a laptop, desktop PC, phone, and 2 tablets at home. Another PC and laptop and tablet when I visit my parents.
Not all of them are mine, and it is _very_ annoying to have to log in to a website on them. You have to go through the unlock flow on your own device (long and complicated password) to access the password, and then copy the site-specific password (usually long and complicated) to the new device.
It is a giant pain. I can understand why people wouldn't want to go through it.
As far as I can tell, there are SaaS ones, broken ones, no longer maintained ones, and the ones that don't work on multiple platforms. There's not one password manager I've heard of that didn't exhibit one or more of the above "features".
"Perfect is the enemy of good", but the effort around making informed choice makes not using password managers seem better.
I use Proton Pass (SaaS). I just figure I should be paying for core internet services like email, storage, passwords, calendars, etc. so that ideally my interests are aligned with my provider. I use the services on Windows, Android and Linux regularly. So I can confirm that Proton Pass, email and VPN all work on those three operating systems. I cannot imagine they wouldn't work on macOS.
Yes, you pay, but I see that as acceptable and expected for the service offered.
That makes the questionable assumption you’ll always be accounting for all attack vectors someone might come up with on services that you don’t think of as dangerous. It only takes a single, contrived way to daisy-chain a way into another system using that innocuous messaging platform you signed up for eight years ago that can now be coerced to send spoofed emails in your name.
A password manager with randomly generated passwords and 2FA is the only sane response to millions of automated attacks.
You aren't going to use a password manager to access your password manager is basically the point I was getting at. So you are always going to have some access managed via passwords or biometrics if that is available to you (fingerprint readers are instead unreliable for me). The fundamental access to password management isn't going to be managed by a password manager.