No one who uses unique passwords can remember them forever. It's a compromise of post-it notes vs managers. Either that or do account recovery every time you need to do your taxes (SOL for encrypted files though).
I sadly write passwords down, but dream of a better option.
Post-It notes are a safer option than password managers. And it's absolutely outrageous to say this: But not every single account you have needs a unique password. Just ones which can actually allow someone to impersonate you meaningfully, cost you money, or gather sensitive data about you.
Response to @palata because of rate-limiting: The problem is people tend not to only put unimportant accounts in their password managers. They also put their bank and email passwords in there, and to my true horror: People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
> People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
The thing is that many services are now requiring TOTP in places where I don't want it, since I was already using a strong/unique password, and the TOTP requirement is effectively just to protect the service from having to deal with users who get their passwords stolen. If you're going to make me use TOTP where I don't want it, I'm going to automate its input.
I think you'd be drastically better off not wasting effort with a strong/unique password on places you "don't want" MFA, in favor of using MFA, which is always better at defeating an attacker than any password.
I do post-it notes and a couple of master passwords for things I don't care about, so I don't disagree. I need to make 2 points though: 1) enough 'non-sensitive' data can eventually become sensitive when taken as a whole, and 2) post-it notes are less secure if they are at a place of employment, think teachers.
Maybe the best option is one of those physical access password managers like KeePass.
KeePass on something normally-offline like a thumb drive is probably a decent compromise where needed, but I'd still encourage people to keep their most sensitive passwords either undocumented or partially/incorrectly documented.
Definitely not where you store your passwords! In my case, since I don't store my passwords on my phone, I have my TOTP app there, and then for backup, I print the QR codes when I set up TOTP and secure them in the physical world. Restoring my 2FA setup to a new phone is easy: I just scan through the stack of paper!