Password managers (whether it's Lastpass or your browser's built-in password store) also protect against phishing since they tie passwords to domain names.

I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.

"Password manager" used to mean a program that runs locally on your computer. At some point people started making it into a SaaS, because that's more profitable.

I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.

The article is about a marketing data breach, not passwords.

> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

It's not just about long vs. short passwords. IMO the greatest benefit of having a password manager -- whether it's a bloated Electron app or just a text file on your computer -- is that it enables you to juggle hundreds of different passwords, randomly generated for each site. It's the best way we know of to limit the blast radius when (not if!) some of those sites inevitably get hacked.

We need a bitcoin hardware wallet kind of password manager, where the actual passwords are stored on a hardware security key. When you click on the computer on the password you want to use, the hardware security key shows it's name on it's screen, and asks you to press a button on it to confirm that you want to use it.

For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)