Good info. Threat modeling on these things is so complicated for normal people, esp in an era where people reuse passwords and most of those who don't use a centralized password manager to manage the passwords, or else write them down in a little paper book.