Secret security isn't a common use case, as it has an uncommon but critical property - it's binary - either the credential is leaked / stolen or it isn't.
If "convenient + good" isn't good enough and your credential is compromised, your solution fails completely, 0% score.
If "inconvenient + better" does prevent the compromise of your credential, then it is an absolute success, 100% score.
Prioritizing convenience over security while selecting your password manager is like prioritizing keyless entry over functioning brakes while shopping for a used car - it's clearly a stupid decision even from the perspective of a layperson.
I'll shed zero tears as I play the world's smallest violin when people who've made such decisions have their identity stolen, home foreclosed, and savings drained because "muh convenience!"
People who study this for a living say that you're wrong on balance. For example, it would be great if everyone changed their password every time they logged into every service they used. Forget TOTP for 2FA, let's make one-time passwords for everything!
But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month.
In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn't critically important. In the one we actually live in, it is. And it's not just me saying this.
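The "Passw0rd!23 this month, Passw0rd!24 next month" pattern above is exactly what a password-change policy check can catch. The following is an added example, not code posted by either commenter: it generates the successor guesses an attacker would try from a breached password, and rejects a proposed new password that is one of those guesses or is within a small edit distance of the old one. The sample password, the guess window of 3, and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re

# Constructed sample values for the demonstration (not from any real breach).
OLD_PASSWORD = "Passw0rd!23"


def predicted_successors(old: str, window: int = 3) -> list[str]:
    """Guesses an attacker would try next, given a breached password that ends in digits.

    'Passw0rd!23' -> ['Passw0rd!24', 'Passw0rd!25', 'Passw0rd!26'].
    Passwords without a trailing number produce no increment-based guesses.
    """
    match = re.search(r"(\d+)$", old)
    if not match:
        return []
    stem, digits = old[: match.start()], match.group(1)
    width = len(digits)  # keep zero padding, e.g. '09' -> '10', '001' -> '002'
    return [f"{stem}{int(digits) + k:0{width}d}" for k in range(1, window + 1)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True if `new` is a predictable variant of `old` and should be rejected.

    Comparison is case-insensitive so 'passw0rd!24' is caught as well.
    """
    old_l, new_l = old.lower(), new.lower()
    if new_l in (guess.lower() for guess in predicted_successors(old)):
        return True
    return edit_distance(old_l, new_l) <= max_distance


if __name__ == "__main__":
    for candidate in ("Passw0rd!24", "passw0rd!25", "Passw0rd!23!", "correct horse battery staple"):
        verdict = "REJECT" if is_trivial_rotation(OLD_PASSWORD, candidate) else "accept"
        print(f"{candidate!r}: {verdict}")
```

In a real change-password flow the old password is available to compare against only at the moment the user proves it, so this check runs inside that request; storing old passwords to compare later would defeat the purpose.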
"In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn't critically important. In the one we actually live in, it is. And it's not just me saying this."
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibly, when they want to. We really shouldn't be letting the general public drive 3-ton SUVs capable of rapidly accelerating to 120+ mph (200+ km/h) if that weren't true, right?