by lilei 3324 days ago
You are largely correct.

Passwords operate under the principle "something you know". (Unfortunately operating under this principle on the Internet is quite hard, but that's a different story). When you save passwords somewhere it's no longer with the assumption of being just "something you know", but more "something you have". Of course passwords are even less apt as "something you have", because they are hard to secure, both in storage and in use.

Nothing has fundamentally changed. That people can't imagine why someone would want to keep passwords "something you know" is because they don't understand the theory behind passwords. A password manager might seem like a solution, but in reality what you're getting is the worst of both worlds. You don't get the security of "something you have", like a key that can be stored in hardware and verified without disclosing it to the host. Nor do you get the flexibility, at least not as a user, of "something you know".

I actually think it would be a great idea to block password managers and offer an alternative protocol for authentication. That way if they want to keep their users they would have to implement that protocol. Suddenly you would have quite a lot of users using something more secure.

(just a random text on the subject: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeopl...)
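As an added illustration of the distinction the comment draws between a stored password and a hardware-held "something you have" (this is example code written for this page, not from the comment author or the linked paper), here is a minimal challenge-response login in which the secret lives only inside a token object, the host only relays a challenge and a response, and the server rejects replays and responses bound to the wrong origin. The HMAC-over-(origin, nonce) construction, the class names and the origins are assumptions for the demo; a real token would use an asymmetric key so the verifier holds no secret at all.

```python
"""Challenge-response with a 'something you have' secret the host never sees.

Example written for this page (not the original comment's code). The
HMAC-over-(origin || nonce) construction, the HardwareToken/Server names and
the origins below are assumptions made for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class HardwareToken:
    """Models a token whose secret is set at enrollment and never exported.
    The only operation the host can invoke is 'answer this challenge'."""

    def __init__(self, secret: bytes):
        self._secret = secret  # held by the token object only

    def respond(self, origin: str, nonce: bytes) -> bytes:
        # Bind the answer to the origin the host says it is talking to, so a
        # response produced for a look-alike site is useless at the real one.
        msg = origin.encode() + b"\x00" + nonce
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


@dataclass
class Server:
    origin: str
    secrets: dict = field(default_factory=dict)      # user -> enrolled secret
    outstanding: dict = field(default_factory=dict)  # user -> nonce awaiting reply

    def enroll(self, user: str, token_secret: bytes) -> None:
        self.secrets[user] = token_secret

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(user, None)  # one-shot: consumed on use
        if nonce is None or user not in self.secrets:
            return False  # no live challenge: replay or unsolicited reply
        msg = self.origin.encode() + b"\x00" + nonce
        expected = hmac.new(self.secrets[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, token: HardwareToken, user: str, origin_seen_by_host: str) -> bool:
    """The host's role: relay a challenge to the token and the answer back.
    Note that the host handles only `nonce` and `resp`, never the secret."""
    nonce = server.challenge(user)
    resp = token.respond(origin_seen_by_host, nonce)
    return server.verify(user, resp)


def demo() -> dict:
    """Constructed scenario: genuine login, replay attempt, phished relay."""
    secret = os.urandom(32)
    token = HardwareToken(secret)
    server = Server(origin="https://bank.example")
    server.enroll("alice", secret)

    results = {}
    # 1. Genuine login through an honest host.
    results["genuine"] = login(server, token, "alice", "https://bank.example")

    # 2. Replay: a captured response is worthless once its nonce is consumed.
    nonce = server.challenge("alice")
    resp = token.respond("https://bank.example", nonce)
    results["fresh"] = server.verify("alice", resp)
    results["replay"] = server.verify("alice", resp)

    # 3. Phishing: a look-alike site relays the real server's challenge, but
    #    the token binds its answer to the origin the host is actually on.
    results["phished"] = login(server, token, "alice", "https://bank-example.evil")
    return results


if __name__ == "__main__":
    print(demo())
```

Contrast this with a password: the host (browser, OS, password manager) necessarily holds the secret in the clear at the moment of use and sends it to whatever origin it is talking to, which is exactly the property that makes a stored password a weak "something you have".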