More important than length: you shouldn't reuse that password anywhere else. Breaches happen when attackers compromise a password from one source and try it on a bunch of other systems.
Yes, but if you get keylogged while using a pw manager, you lose everything, as compared to losing one (or a few, depending on how egregious your password reuse is).
This is not true. If malware runs on your machine and there is no password manager storing 1400 passwords, the malware cannot pivot to 1400 destinations. However, if there is a password manager on the device that the malware gains access to and it would indeed store 1400 passwords in one place, then all 1400 assets are compromised at once.
I think that's what the previous commenter wanted to highlight.
In the end it's about managing risks. I would use different locations for storing passwords depending on value. Like really important ones go elsewhere and are not on the device I use every day for browsing the Internet or reading email.
You'll presumably access those services eventually. And for the huge majority of people, memorizing a password for an infrequently used service means using a shitty password.
"Even though the malware has access to my email, which I presumably log in to with frequency, and therefore can perform password resets for many services, I might notice it and reformat my machine before I log in to some other important service" is not exactly a compelling threat model.
I guess the point is that the 1400-strong pw manager is the antithesis of defence in depth. If you get malware'd, better that they nab a few passwords than /all/ of the passwords.
Having unique passwords for every service, all of which are stored entirely in your brain, is almost certainly more secure than a password manager.
However, I'm inclined to believe this is virtually impossible, for all but a handful of exceptionally talented individuals.
So if realistic options are (A) access all services via one password which is only stored in your password manager, or (B) access all services via one password, which is also given out to every single service, I think it's clear which is safer.
Pen and paper works well for the more important stuff, while you can come up with passwords that are easier to remember for all the silly online services that demand a login but don't really matter if they get compromised.