RE: A response to "Steemit to Update Password Policy"

in #steemit, 8 years ago

Another great write-up @arhag! Thank you for raising awareness about these issues. I just published an article about the need for a password manager and linked back to this post in a comment.

I agree with much of what you said here, but I also look at it in terms of risk analysis and difficulty for the hacker. Example:

A determined thief is walking through a parking lot and sees a Lamborghini and a Ferrari in a dark, abandoned corner with no cameras around. The Lamborghini has The Club installed, clearly visible, and attached to the steering wheel. There's also a LoJack sticker on the window. In that situation, the Ferrari is getting jacked.

Raising the bar, even with just a generated password via a password manager, is a great step forward. When it comes to targeted attacks, few individuals are ever truly safe. When it comes to general security, the lowest hanging, profitable fruit will be exploited first. I'm a big fan of 2FA and use it for anything and everything for my business that supports it (it's actually part of our policies as a PCI-compliant service). That said, everyday users may see it as too much just to upvote or comment. For transferring funds? Yes, I think it should be there. For everything else, well, it comes back to risk, reward, and difficulty.

Thanks again for thinking through important improvements to protect us all.