You could just tell users to write down their unique passwords physically and store them somewhere safe instead of reusing the same password, but that wouldn't fit the narrative of being able to sell services for password management and no doubt another thing the "security" community seems to be highly against.
I agree it's 100% stupid --- "all your eggs in one basket" is exactly the phrase that comes to mind for me too. Centralisation makes for one massive point of failure. If everyone stored passwords in their head or offline, it'd already make it much harder for attackers but there's no recurring $$$ for services in helping people do that. If people can be convinced to believe fake news, what other irrationalities can they be persuaded to believe? It's all just the power of marketing.
At the scale of present-day secured-systems use, this becomes fairly cumbersome quickly.
The typical person, as long ago as 2015, had around (and possibly over) 100 accounts. I'm seeing people referring to many hundreds managed by LastPass or other password-management systems.
Using, say, a paper-based system whether in a bound journal or a set of index or Rolodex cards, a 500-account archive would take up most of a journal, or a pretty hefty chunk of cards, and that archive itself would require physical security (though at least data exfiltration would be slower than from a digital archive). It's not the sort of thing you could easily carry around with you, or access from multiple locations, should you need to do so.
In corporate use, the problem is compounded by:
- Multiple people requiring access to systems.
- Both shared-account and multi-account systems (e.g., a shared root to servers, master DBA account, or embedded / appliance devices with a single account).
- Multi-office (or remote / home office) access.
- Multi-device access (as in people are accessing systems from multiple devices).
This doesn't necessarily mean that a third-party service is your best or only option, but it strongly tends toward a managed third-party system being convenient where "convenient" means "our business which lacks a true CISO role would be dead in the water without it".
Mind: I'm not defending LastPass here, and I don't use it. The solutions I've seen in the past which have impressed me most were based on managed SSH keys with SSH access to critical systems, and the bare minimum of shared accounts.
I'd also like to see:
1) Far fewer authenticated services where that authentication is not necessary. For the most part, if I can avoid creating a new account, I do. (My circumstances leave me considerable latitude that many people wouldn't have, in this regard.) Systems based on asserted identity through PGP seem to me one option (e.g., rather than logging in and posting content, you'd post PGP-signed content, which the remote system would vet. Similarly, reading private content would be encrypted against your keys.) This doesn't address all account-based interactions, but it does cover a large bit of landscape.
2) Physical-token-based security, particularly based on NFC or Yubikey-type devices. Keep in mind that an earlier widely-used technology, RSA keyfobs which would generate one-time PINs as a 2FA, turned out to have a nasty vuln some years back.
But fewer accounts, PKI-based auth, and physical 2FA ... seem increasingly necessary changes.
As numerous others apparently do: I use a local, encrypted, password keystore that is not managed by a third-party service.
(And don't even get me started on third-party data privacy doctrines.)
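The "post signed content, which the remote system would vet" idea from point 1 above, as an added example (not the commenter's code): the server side keeps a table of already-vetted public keys and accepts a post only if its signature checks out under the claimed author's key. It uses Ed25519 from Go's standard library as a stand-in for PGP, and the `Post`, `Registry`, 5-minute acceptance window and nonce replay check are assumptions added here rather than anything the comment specifies.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Post is what the client submits instead of logging in: the content plus the fields the server needs to tie it to a known key and to reject replays.
type Post struct {
	Author   string `json:"author"`    // key ID the server already knows
	Body     string `json:"body"`
	IssuedAt int64  `json:"issued_at"` // unix seconds; bounds the replay window
	Nonce    string `json:"nonce"`     // unique per post; the server remembers it
}

// Registry is the server's table of vetted public keys plus nonces already accepted.
type Registry struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewRegistry() *Registry { return &Registry{map[string]ed25519.PublicKey{}, map[string]bool{}} }
func (r *Registry) Register(id string, pub ed25519.PublicKey) { r.keys[id] = pub }
// signingBytes is the canonical encoding both sides sign and verify (Go's JSON encoding of a struct is deterministic).
func signingBytes(p Post) []byte { b, _ := json.Marshal(p); return b }
// Sign is the client side: the signature covers every field of the post.
func Sign(priv ed25519.PrivateKey, p Post) []byte { return ed25519.Sign(priv, signingBytes(p)) }
// Verify is the server side: unknown author, bad signature, timestamp outside the window, or a reused nonce each rejects the post.
func (r *Registry) Verify(p Post, sig []byte, now time.Time) error {
	pub, ok := r.keys[p.Author]
	if !ok { return errors.New("unknown author") }
	if !ed25519.Verify(pub, signingBytes(p), sig) { return errors.New("bad signature") }
	if age := now.Unix() - p.IssuedAt; age < -60 || age > 300 { return errors.New("outside acceptance window") }
	if r.seen[p.Nonce] { return errors.New("replayed nonce") }
	r.seen[p.Nonce] = true
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: demo key only
	r := NewRegistry()
	r.Register("alice", priv.Public().(ed25519.PublicKey))
	p := Post{Author: "alice", Body: "hello", IssuedAt: time.Now().Unix(), Nonce: "n1"}
	sig := Sign(priv, p)
	fmt.Println(r.Verify(p, sig, time.Now()), r.Verify(p, sig, time.Now())) // <nil> replayed nonce
}
```

The nonce set is what stops a captured signed post from being resubmitted; the time window keeps that set from growing without bound.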