Ask HN: What password manager do you use?
1 point by heckubadu on April 24, 2015 | hide | past | favorite | 11 comments


Password managers are flawed by design. A master password grants access to all other passwords and creates a single point of failure. I also advise using separate email addresses to avoid having an additional single point of failure.

Have one email primarily for social interaction and create new emails when creating new accounts on new websites with new passwords.

I'll stick with using my own head. Even if that means I'm sending a password recovery request at least once a month from forgetting my passwords and then playing "Guess the Email that was just sent to" for the next 15 minutes.

Chances are if I forget my login, the site wasn't very important to me anyway and it's one less place I'll visit.


You're worried about the password for a website, so you create a new email account to handle its password recoveries. Now you have 2 passwords to worry about.

In cryptography, a single point of failure is what you want, because you can concentrate entropy at that point. Take 5 of the best passwords you can remember; concatenate them and use that as your master password. A 40+ character password from the full set of symbols will not be guessed anytime soon, even for astronomical values of "soon."

This is a net win because with a password manager, ALL your passwords can be 40+ characters if you want; you only have to remember one of those. Plus you can reduce the chance of needing to use email reset (which is itself incredibly insecure) to near zero.


A single point of failure means if they gain access to one account they have access to ALL of your accounts. For example, if someone breaks into your email and you use that email for all of your accounts (banking, amazon, facebook, etc.) they can use email recovery to gain access to ALL of your accounts.

If someone gains access to one of my accounts, every single other account is still secure because it uses an entirely different email & password that has no relation to any other email or password.


> If someone gains access to one of my accounts, every single other account is still secure

All of your accounts are insecure from the start because a) you use passwords easy enough for you to remember, and b) you rely on email reset, which travels the public Internet in plain text.


Try checking your RCPT header next time. Create a throwaway Yahoo account and change the password. You'll find it's sent with 128 bit encryption over TLS. If using a Gmail account to recover, Gmail defaults to HTTPS. You'll find you're secure every step of the way. To call email insecure is to be rather outdated with advances in the past 4-5 years.

Furthermore, nice assumption under 'a'. Mnemonics are a powerful learning device for memorization, I advise you look into them. The human memory is a powerful thing and committing several randomly generated passwords consisting of 20-50 characters is not "impossible".

https://en.wikipedia.org/wiki/Grand_Master_of_Memory

I do not remember my passwords. I remember mnemonics which help me remember my passwords. It's not entirely foolproof but it is far more secure than a single-failure-point system.


Your password reset email might or might not travel over SMTPS. As an end user you have no way of knowing in advance or forcing its use, so it's not very trustworthy.

I have no doubt you can memorize several very strong passwords, but there is a limit to how much randomness anyone can memorize. I've got over 100 passwords in my manager, counting both personal and professional accounts I need to keep track of.
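As an added example (not code from any commenter), here is how a recipient can check after the fact whether each relay hop of a reset email was made over TLS, by reading the `Received:` headers that the relaying mail servers prepend. It assumes a constructed two-hop message; the `with ESMTPS` / `version=TLS` markers are the conventions most MTAs use, and a hop without such a marker is treated as plaintext, which is all an end user can do since, as noted above, TLS cannot be forced in advance from the receiving side.

```python
import re
from email import message_from_string

# Constructed sample message (not a real reset email): the hop into the recipient's
# server used TLS, but the hop from the web application to its outbound MX did not.
SAMPLE_EMAIL = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tFri, 24 Apr 2015 10:00:00 +0000
Received: from app.example.net (app.example.net [192.0.2.20])
\tby mx.example.net with ESMTP id def456;
\tFri, 24 Apr 2015 09:59:58 +0000
From: noreply@example.net
To: user@example.org
Subject: Password reset

Click the link to reset your password.
"""

# Markers MTAs commonly write when a hop was received over TLS: the ESMTPS/ESMTPSA
# transport keyword, or an explicit "version=TLS..." / "TLSv1.2" clause.
TLS_MARKERS = re.compile(r"\bwith\s+(?:e?smtpsa?|utf8smtpsa?)\b|\bversion=TLS|\bTLSv?\d", re.I)


def parse_hops(raw_message):
    """Return one dict per relay hop (oldest hop first) with from/by hosts and a TLS flag."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold the header onto one line
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "tls": bool(TLS_MARKERS.search(text)),
        })
    hops.reverse()  # headers are prepended, so the last Received: line is the first hop
    return hops


def all_hops_tls(hops):
    """True only if every hop carried a TLS marker; any plaintext hop exposes the reset link."""
    return all(h["tls"] for h in hops)


if __name__ == "__main__":
    for h in parse_hops(SAMPLE_EMAIL):
        print(f"{h['from']:>18} -> {h['by']:<20} {'TLS' if h['tls'] else 'PLAINTEXT'}")
```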


Pass — the standard unix password manager: http://www.passwordstore.org/


I use a plaintext file on a LUKS partition.


1password


1Password


I hate the fact that it pollutes my Dropbox history though.



