Generally, because the idea of following good security practices on all of your passwords is pretty unrealistic. It would work if you randomized your passwords, they were unrelated to each other, followed rules about using strong passwords, and enabled 2FA on every single site.
The thing is, no one is going to go through all that. So the thinking is that one extremely safe password with all the best practices is better than having many poor passwords with any of them possibly being a point of failure if you duplicate login credentials.
But to your point, the downside is a single point of failure. You risk literally everything and if that ever gets breached, you’re entirely screwed. The bet is that that’s less likely to happen than for your assortment of weak passwords to cause a house of cards.
IMO, password managers are over-pushed as a magic bullet for all password problems, when, realistically, it’s not really that simple. You’re just trading lots of small risks on lots of things for going all in on one thing.
But it’s a lot easier to say “use a password manager” than something like “use unique passwords, and come up with a system to remember them that wouldn’t make sense to anyone else” or “share a common password across sites you don’t care about, but use a unique password for each account of value (email, banks, etc.)”.