Why are password managers considered good security practice when they provide a single entry for an attacker to get all of your credentials?


38 Answers

Anonymous

# Password reuse and phishing.

Password reuse: If people are actually supposed to remember their password, they will reuse the same password across multiple sites. One of them gets hacked, and then the passwords get used to break into other sites.

Phishing: People make mistakes. If you’re used to constantly entering your password manually, you will, sooner or later, enter it on a fake page. Most people will not fall for it most of the time, but all it takes is one person falling for it one time. With a password manager, the password only gets autofilled on the real page, because computers are better than humans at *always* making sure the domain is *exactly* the same.

Also, if the attacker is in a position to copy the password manager off your computer, you’ve already lost. They have complete control over your computer, can steal your passwords as you type them, and even better, they can (and will!) just steal your login cookies after you logged in to bypass any fancy 2FA and most risk detection algorithms.

(On password reuse: Yes, sites are supposed to store passwords hashed, but just like the site can check if your password is correct when you visit the site, the attacker can try passwords against the stolen data until they find yours. This doesn’t work on strong passwords but few people use passwords strong enough to withstand such an offline brute-force attack.)
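
Added example, not part of the answer above and not any real password manager's code: a simplified sketch of the exact-domain check the answer describes, where a credential is offered only if the page's origin equals the saved one. The vault entry, function names and sample URLs are constructed for illustration, and real products use their own matching rules.

```javascript
// Constructed vault entry; example.com and *.test hosts are reserved sample names.
const vault = [
  { origin: "https://accounts.example.com", username: "alice", password: "<stored-secret>" },
];

// Return the origin (scheme + host + port) of a page URL, or null if it must not be filled.
function pageOrigin(pageUrl) {
  try {
    const u = new URL(pageUrl);
    // Only offer credentials on https pages; plain http can be altered in transit.
    if (u.protocol !== "https:") return null;
    return u.origin; // parsing lowercases the host and ignores userinfo, path and query
  } catch {
    return null; // unparsable URL: never fill
  }
}

// Offer a credential only when the page origin equals the saved origin exactly.
function credentialFor(pageUrl) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) || null;
}

// Constructed page URLs: the real site plus look-alikes a hurried reader may accept.
const samples = [
  "https://accounts.example.com/login",
  "https://ACCOUNTS.EXAMPLE.COM/login?next=/inbox",
  "http://accounts.example.com/login",          // scheme downgrade
  "https://accounts.example.com.login.test/",   // real name used as a subdomain label
  "https://accounts.example.com@login.test/",   // real name placed in the userinfo part
  "https://accounts.examp1e.com/login",         // one character swapped
  "https://accounts.example.com:8443/login",    // same host, different port
];

// Decide fill / refuse for every sample URL.
function report() {
  return samples.map((url) => ({ url, filled: credentialFor(url) !== null }));
}

for (const row of report()) {
  console.log(row.filled ? "FILL  " : "REFUSE", row.url);
}
```

Only the first two URLs are filled; every look-alike is refused because the comparison is made on the parsed origin rather than on how the address looks.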
