by yoble 532 days ago
In my previous company we hired a startup that did security training, that recommended everyone use a password manager. And one of their tests was that they sent a fake phishing email to people (randomized over a couple of months so not everyone would get it the same day).

I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.

Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.

1 comments
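The mechanism behind "if it doesn't autofill, something's amiss" is that a password manager keys each saved credential on the origin it was saved for and only offers it when the page being filled has a matching origin, so a lookalike host gets nothing. The following is an added example, not code from the thread or from any particular password manager: a minimal origin-matching autofill check with a constructed vault and constructed phishing hostnames. It assumes the registrable domain is the last two labels (a real manager consults the public-suffix list) and that a credential saved on https is never offered on plain http.

```python
"""Added example: origin-matched autofill as a phishing check.

Assumptions (not from the thread): the vault below is constructed, the
registrable domain is approximated as the last two host labels instead of
using the public-suffix list, and credentials saved over https are never
offered to an http page.
"""
from urllib.parse import urlsplit

# Constructed vault: URL the credential was saved on -> (username, password)
VAULT = {
    "https://login.example.com/": ("alice", "correct-horse-battery-staple"),
    "https://mail.example.org/": ("alice@example.org", "a-different-secret"),
}


def registrable_domain(host: str) -> str:
    # Assumption: last two labels. Real managers use the public-suffix list so
    # that e.g. "foo.co.uk" is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def origin_key(url: str):
    """Normalize a URL to (scheme, registrable domain, port) for matching.

    Returns None for anything that should never be autofilled.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        # IDNA-encode so a Cyrillic "а" in "exаmple.com" becomes an xn-- label
        # and cannot collide with the ASCII domain in the vault.
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port or (443 if scheme == "https" else 80)
    except (UnicodeError, ValueError):
        return None
    return (scheme, registrable_domain(host), port)


# Index the vault once by normalized origin.
VAULT_INDEX = {origin_key(url): creds for url, creds in VAULT.items()}


def autofill(page_url: str):
    """Return the credential to fill for page_url, or None if no origin matches.

    A None here is exactly the "it didn't autofill" signal the post describes.
    """
    key = origin_key(page_url)
    if key is None:
        return None
    return VAULT_INDEX.get(key)


if __name__ == "__main__":
    # Constructed sample pages: one legitimate login, several lookalikes.
    for page in [
        "https://login.example.com/session",
        "https://accounts.example.com/",              # same registrable domain
        "https://login.example.com.evil-phish.net/",  # subdomain trick
        "https://examp1e.com/login",                  # digit-for-letter
        "https://exаmple.com/login",                  # Cyrillic homoglyph
        "http://login.example.com/",                  # https saved, http asked
    ]:
        print(f"{page:48} -> {autofill(page)}")
```

The registrable-domain match means `accounts.example.com` is filled from a credential saved on `login.example.com`, which is how most managers behave by default; a stricter exact-host policy is a one-line change in `origin_key`. Every lookalike host normalizes to a different key, so the user sees no autofill and, as the post notes, should treat that as the warning.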

The most important bit of information is missing from your post: was everyone using 2FA? If yes, then you make a relevant point.
Even if no 2FA was involved at all, it's a good answer to the scenario you were posing.

I think plenty of people will have second thoughts when the password doesn't go.

The comparison here is using 2FA with an external device, or putting 2FA codes into a password manager.

Any kind of experiment that doesn't involve 2FA at all is not relevant for this comparison.

The anecdote provides evidence for people that are initially fooled by a phishing attack but aren't fooled enough to manually copy-paste credentials when autofill doesn't work.

Your argument about 2FA depends on how many of those people there are.

Therefore the anecdote is quite relevant, indirectly.