by Fnoord 3193 days ago
> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

With a password manager such as LastPass or 1Password you only need one very strong password that you as a human can remember. The passwords it manages don't need to be human-rememberable. They can have as high an entropy as allowed.

> Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

2FA of the strong password plus a physical OTP (like a YubiKey) with one backup key is more than sufficient. Sure, it's not 3-letter-agency proof. They can easily break into your house and steal your backup key temporarily, whilst recording you typing in your password, or catching you on the go. But against most criminals (a much more common vector for the general public) this is going to work just fine.
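The split the comment describes, one memorable master password stretched into a vault key and everything else generated at full entropy by the manager, can be shown in a few lines. The following is an added illustration, not code from Hacker News or from LastPass or 1Password; the 94-character alphabet, the scrypt parameters and the HMAC-based verifier are assumptions chosen for the example, not any product's actual design.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet a manager draws from: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG; nobody has to remember it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the single human-remembered master password with scrypt.

    The cost parameters are illustrative (16 MiB, fits the default maxmem);
    a real manager tunes them to the hardware it runs on.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def make_verifier(vault_key: bytes) -> bytes:
    """Persist only an HMAC of the derived key, never the key or the password."""
    return hmac.new(vault_key, b"vault-verifier", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, verifier: bytes) -> bool:
    """True only when the master password re-derives the stored verifier."""
    candidate = make_verifier(derive_vault_key(master_password, salt))
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    # Constructed sample: a passphrase-style master password and a fresh salt.
    master = "correct horse battery staple"
    salt = secrets.token_bytes(16)
    verifier = make_verifier(derive_vault_key(master, salt))

    site_password = generate_password(32)
    print("managed password:", site_password)
    print("entropy of a 32-char managed password: %.1f bits"
          % entropy_bits(32, len(ALPHABET)))
    print("entropy of an 8-char lowercase human password: %.1f bits"
          % entropy_bits(8, 26))
    print("unlock with right master:", unlock(master, salt, verifier))
    print("unlock with wrong master:", unlock("wrong", salt, verifier))
```

The point the numbers make: a 32-character manager-generated password carries around 210 bits of entropy, far beyond anything a person would memorise, while the only secret the user must hold is the master passphrase, whose stretched derivative is what actually guards the vault.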