That is a very good point! You'd have to be careful to craft the messaging so that it doesn't imply you can help troubleshoot the password manager.

But something simple could work. Already you usually have a note under a password field, "Must contain at least 8 characters and at least one special character" or something to that effect. It could also have some note about "We suggest a randomly generated password from your password manager."

I'm not building this out so I don't need every hole poked in the idea, just seems like it could work.

If someone is going to do this, 'At least one special character' etc. is not the way to do it. According to OWASP guidelines, a secure password must enforce a minimum length but not any other specific criteria, because they actually end up reducing password strength. Instead, the best option is to add a password strength indicator below the password entry field, to encourage the user to create a strong password. The help text can also mention using a password manager but it's difficult to do in a good way.

One of my pet peeves is when rules counteract the purpose they are supposed to serve, usually because of incompetence. Two years ago, I worked for a few months for a company where time reporting was accessed through a specific web page.

They required the password to be changed monthly, have at least 10 characters, at least one number and at least one special character. On top of that – they locked out password managers and pasting. "We need to make sure you are the one logging in and not a hacker that hacked your password manager" they explained when I asked.

Out of spite I went for "Password12!" the first month and "Password123!" the month after, at which point I received an email from the IT department explaining to me that my choice of password was endangering the corporations security.

> I received an email from the IT department explaining to me that my choice of password was endangering the corporations security.

Sounds like they were logging/storing passwords in plaintext.

Or offline cracking passwords using a wordlist.

Isn't it nice that hackers give up as soon as they realize they can't paste the password in?

And password managers (keepassxc anyways) have a pretty nifty auto-type feature that gets around that anyways.

Have you heard of the Cobra Effect?

You can tell them to write their password on a piece of paper in their drawer. Seriously.

Many home users are pretty good about protecting important scraps of paper. The government gives us plenty to hold onto. Even if they’re a grandma that doesn’t understand all this password manager mumbo jumbo, they can deal with a notebook and be better off than using the same password on every site.