(comments)

Original link: https://news.ycombinator.com/item?id=43398692

The Hacker News discussion revolves around online account security and the effectiveness of different authentication methods. The opening comment argues that password reuse is the main vulnerability, stressing that even a strong password becomes worthless once it leaks from another service; it recommends unique passwords, a password manager, or two-factor authentication (2FA) as the fix. A later comment criticizes 2FA schemes that depend on a phone number or a vendor's proprietary app, preferring TOTP for greater user control and privacy. The discussion then turns to passkeys, acknowledging that they could eliminate the problems tied to passwords while raising concerns about single points of failure, vendor lock-in, and accessibility for less technical users. Finally, one user notes that even a complex memorized password remains vulnerable to a keylogger if 2FA is not enabled.

Related articles
  • (comments) 2025-03-18
  • (comments) 2024-06-10
  • (comments) 2024-04-27
  • (comments) 2025-03-09
  • 2FA or Not 2FA 2025-03-20

  • Original text
    2FA or Not 2FA (mova.org)
    3 points by sam_lowry_ 1 hour ago | hide | past | favorite | 4 comments










    Password re-use is the bigger issue.

    No one can crack your super-strong multilingual password. But if a service accidentally leaks it, then it doesn't matter.

    Credential stuffing is how 23andMe were hacked. People reused passwords; they were leaked from another service, and attackers tried them on a variety of sites until they hit the jackpot.

    Unique passwords prevent that attack. Can't remember a thousand different passwords? Use a manager.

    Don't want to use a manager? Switch on 2FA. Weak passwords and password reuse cease to be a problem.

    Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.

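The credential-stuffing pattern the comment above describes (one source trying a leaked username/password list against many accounts, succeeding only where the password was reused) has a recognizable shape in authentication logs: many distinct usernames from one source with a very low success rate. The following is an added example, not code from the thread or any commenter, that scores a constructed sample log by source address, flags sources that fit that shape, and lists the accounts they did get into (the ones to reset and put behind 2FA). The log format, the IP addresses, the usernames and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real data). One event per line:
#   "<timestamp> <source-ip> <username> <OK|FAIL>"
# 203.0.113.7 walks a list of accounts and gets in once (a reused password);
# 198.51.100.2 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2025-03-20T10:00:01Z 203.0.113.7 alice FAIL
2025-03-20T10:00:02Z 203.0.113.7 bob FAIL
2025-03-20T10:00:03Z 203.0.113.7 carol FAIL
2025-03-20T10:00:04Z 203.0.113.7 dave FAIL
2025-03-20T10:00:05Z 203.0.113.7 erin OK
2025-03-20T10:00:06Z 203.0.113.7 frank FAIL
2025-03-20T10:00:07Z 203.0.113.7 grace FAIL
2025-03-20T10:00:08Z 203.0.113.7 heidi FAIL
2025-03-20T10:01:10Z 198.51.100.2 alice FAIL
2025-03-20T10:01:15Z 198.51.100.2 alice FAIL
2025-03-20T10:01:20Z 198.51.100.2 alice OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def source_stats(events):
    """Aggregate attempts, successes and the set of distinct usernames per source IP."""
    by_ip = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for _, ip, user, ok in events:
        stats = by_ip[ip]
        stats["attempts"] += 1
        stats["successes"] += int(ok)
        stats["users"].add(user)
    return by_ip


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.25):
    """Flag sources that tried many different accounts and mostly failed.

    A legitimate user who forgets a password retries one or two accounts;
    a stuffing run fans out across many accounts and only succeeds where
    the leaked password was reused. Thresholds are illustrative assumptions.
    """
    flagged = {}
    for ip, stats in source_stats(events).items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return flagged


def compromised_accounts(events, flagged):
    """Accounts a flagged source logged into: reset them and require 2FA."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evts, hits))
```

In a real deployment the per-source counters would be kept in a sliding window rather than over the whole log, and the distinct-user signal matters more than the raw attempt count: a stuffing run that spreads its attempts over many source addresses still shows up as one account receiving one attempt from many addresses, which is the same aggregation keyed by username instead of by IP.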


    Plus many want your phone number or some random app of theirs on your phone for their 2FA (instead of e.g. TOTP that you control), which is less secure because they can now leak your phone number or do something with an update to the app.

    BTW what's the sentiment on passkeys?



    In my opinion passkeys, whilst solving the password related issues, introduce their own. The risk of losing access to your accounts is greater if you tie everything to one device and that's lost or stolen, and the "solution" to use more than one device is not a solution, or feasible for everyone. There's also the risk of vendor lock-in, which is definitely an aim of the big providers like Apple, Google and Microsoft; which is a bigger risk to those less tech savvy.


    lol

    >One of the passwords that I know by heart is a famous classic quote clumsily translated in a mix of French and Dutch. It is long, it can not be brute-forced because of its length and I am pretty sure it is not present in any of the rainbow tables. I never spell it out, let alone write it down, but it is in my muscle memory as I haven't changed it for years.

    One keylogger and his super complex and secure password is ruined, with no 2FA to protect him.






