04-19-2024, 10:05 AM
benb
There's generally a reset procedure on most things you would log into.

Let's put it this way: the chances of your self-generated password that you probably share on multiple sites getting hacked are way higher than the frequency things like the Apple iCloud passwords or Google password manager have been hacked; those two have never failed IIRC.

I use both of those two, so they'd both have to fail. The weakness there is there are two password managers that could be hacked and expose your passwords. The other weakness is I have to keep the two managers synced.

But again, the frequency of "Site X" turning out to not encrypt your password properly in its DB and then Site X gets hacked is WAY higher than the frequency of the password managers being hacked. Nobody hires a bunch of security neophytes to build security systems, but many "Site X" places have zero security experts on staff. "Site X got hacked and didn't secure their passwords properly" is almost a daily thing.

Also, passwords are going extinct anyway. I work in computer security. All of our important stuff is triple-factor security. You need your RSA key, a password, AND a time-based code from a security system. Of those 3, the password is the least useful; there is a lot of work going towards getting rid of passwords.

The thing with using the encryption keys instead of passwords is the private parts of encryption keys are never transmitted over the network. The site you are logging into only gets the public part of the key. Someone stealing the public key does not gain the ability to impersonate you.

Last edited by benb; 04-19-2024 at 10:13 AM.