Because in reality most people are just making a notepad file with all their passwords in clear text. The company’s red team finds those all the time.
A password manager is miles better than the current practice. You can’t micro-manage people and every single file they have on their computer, so you propose to them a simple solution where they only need to remember one strong password for a program you can actually manage and implement security measures upon (encryption, 2FA, etc…)
A single point of failure that is very well guarded, encrypted/not stored unsafely on a 3rd party site, and maintained properly *can* be better than multiple easier points of failure that fail independently, partially because that last part isn’t always very true.
People often reuse passwords, use patterns in their passwords that are identifiable and exploitable when they *do* vary their passwords, and have emails and accounts that are the point of failure for many other passwords (get access to this specific one, and you can gain access to a number of others, kind of thing). What’s more, if you are not using a password manager, other less trusted sites can allow people to gain access to these email/higher-tier accounts when you reuse passwords or password patterns between the two. If you use the same password between sites, no matter how strong or hard to brute force it is, you just need it to be leaked or mishandled *once* to be an open door.
On the flipside, a bunch of unique and strong passwords are cumbersome, and practically speaking, people resort to creating predictable patterns in their passwords to offload this burden somewhat, or literally writing them down somewhere, which is arguably much less safe than just using a single password to encrypt your other passwords, such as through a password manager.
Two-factor authentication is still huge in terms of safety, though.
Generally, because the idea of following good security practices on all of your passwords is pretty unrealistic. It would work if you randomized your passwords, they were unrelated to each other, followed rules about using strong passwords, and enabled 2FA on every single site.
The thing is, no one is going to go through all that. So the thinking is that one extremely safe password with all the best practices is better than having many poor passwords with any of them possibly being a point of failure if you duplicate login credentials.
But to your point, the downside is a single point of failure. You risk literally everything and if that ever gets breached, you’re entirely screwed. The bet is that that’s less likely to happen than for your assortment of weak passwords to cause a house of cards.
IMO, password managers are over-pushed as a magic bullet to all password problems, when, realistically, it’s not really that simple. You’re just changing from lots of small risks on lots of things vs going all in on one thing.
But it’s a lot easier to say “use a password manager” than something like “use unique passwords, come up with a system to remember them that wouldn’t make sense to anyone else” or “share a common password about sites you don’t care about, but use unique passwords to each account of value (email, banks, etc)”.
Because they provide a way to have hundreds of unique secure passwords. There is no way you can remember all of them in your head. And the way the vast majority of hacks work is not that a hacker takes over your local PC and waits for you to put in your password into your password manager. It’s either that they hack a company and try the password/email combination from that side on other websites (this is prevented by a password manager by having unique passwords), or that hackers get you to put in your password on a scam site and then use that password again on other websites.
People without a password manager either A: reuse passwords or B: write them down somewhere.
A is worse than a password manager because if a hacker breaks into any one of those websites they now have your password for every other website. Instead of a single entry to get all of your credentials, they have multiple entries to get all of your credentials (well ok not all of them, but all of them which share that particular password).
B is worse than a password manager because it’s just an unencrypted password manager.
Because most people (read: all) have a finite amount of memory for passwords, so they end up having the same username (email)/password for everything, and most people’s passwords are very easy to crack via brute force. For example, the password “HelloThere123!” would take a modern computer 16.07 seconds to crack by brute force.
So in the event of a data breach, all of their accounts are now out there.
A password manager, however, lets you remember one very strong password, and then the manager can remember the rest. E.g. “I Come From A Land Down Under” would take a modern computer 60 trillion years to crack by brute force. So as long as you don’t give it out and the password manager service you use doesn’t get breached, you are safe.
There are also password manager services that literally don’t store your password, so the risk of them being breached doesn’t exist.
I hope this helps.
A benefit that hasn’t been mentioned – it’s difficult to be phished with a password manager.
Let’s say I receive an email that directs me to paypa1.com, with a convincing replica of PayPal’s interface that prompts for credentials.
Without a password manager I would go ahead and type my username+password into the dodgy site without a second thought.
A password manager will prompt to fill credentials based on the domain being visited. It won’t recognise paypa1.com as matching any of the passwords in its database, so it won’t prompt to fill them in. Working around this requires me to manually find the site in my password manager (a red flag) and copy-paste the password in manually.
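The domain matching that answer describes, as an added example that is not code from the original thread or from any particular password manager: a small, constructed public-suffix set stands in for the real Public Suffix List, and the vault entries are made up.

```javascript
// Added example: how a password manager's browser extension decides whether a
// saved login belongs to the page being visited. Real extensions consult the
// full Public Suffix List; this constructed subset is an assumption for the demo.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "com.au"]);

// Constructed vault entries: hypothetical accounts, not real credentials.
const VAULT = [
  { site: "https://www.paypal.com/signin", username: "alice@example.com", password: "Zp7!vQ#mW4tRx9Lc" },
  { site: "https://accounts.example.co.uk/login", username: "alice", password: "N3k$yH8@bF2sDq6P" },
];

// Registrable domain (eTLD+1) of a hostname: "www.paypal.com" -> "paypal.com",
// "accounts.example.co.uk" -> "example.co.uk". Comparing this, rather than the
// raw string, is what makes "paypa1.com" a non-match for "paypal.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Test the longest candidate suffix first so "co.uk" wins over the bare last label.
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Logins the manager would offer to fill on this page. An empty result is the
// "no prompt" behaviour the answer above describes.
function candidateLogins(pageUrl, vault = VAULT) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return []; // unparseable URL: offer nothing
  }
  // Only fill over HTTPS: on a plain-http page the credential is exposed to
  // anyone on the network path even when the domain is right.
  if (page.protocol !== "https:") return [];
  // The platform's URL parser does the hard work: "https://www.paypal.com@evil.com/"
  // has hostname "evil.com", and a Cyrillic lookalike of "paypal.com" arrives in
  // its punycode (xn--) form, so neither equals the stored domain.
  const pageDomain = registrableDomain(page.hostname);
  return vault.filter(
    (entry) => registrableDomain(new URL(entry.site).hostname) === pageDomain
  );
}

function shouldOfferToFill(pageUrl, vault = VAULT) {
  return candidateLogins(pageUrl, vault).length > 0;
}
```

Two caveats a practitioner would want. The eTLD+1 rule offers the login on any subdomain of the registrable domain, and on any site under a shared host that is missing from the suffix set, which is why production managers ship the full Public Suffix List and some match on the exact host instead. And the check defends only against lookalike domains: a page that really is on the right domain but has been compromised will still be filled.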