> For the average person password managers aren't an option
Why not?
Every major browser in its default configuration offers to remember your passwords, and some will even offer to sync them across all your devices.
The only thing that's missing is an offer to generate random passwords automatically, for which you currently need an add-on/extension. But even without that ability, the browser is already a pretty decent password manager.
On plenty of sites, Chrome/FF/IE/etc. will fail to recognize a user or password field. They'll often fail to recognize them at account creation. Sometimes you'll need multiple accounts on a single domain, which Chrome can't handle (for example). I could go on and on...
Browsers remember passwords as a mere convenience, when it happens to work. They are in no way "proper" password managers, which are encrypted with a master password, can be exported and backed up, handle multiple accounts, etc...
But since some of the best password managers are already open source, I wonder what's preventing browser vendors from integrating at least some of the functionality. A good password manager not only helps contain the damage of leaked passwords, but also does a very good job at protecting users from phishing attacks at similar-looking domains.
All the browsers have been pretty stagnant on this front for the last few years. I suspect they've been hoping that everyone will move to an SSO platform in which the browser vendors themselves have a vested interest (Mozilla Persona, Google account, Microsoft account).
Why not?
Every major browser in its default configuration offers to remember your passwords, and some will even offer to sync them across all your devices.
The only thing that's missing is an offer to generate random passwords automatically, for which you currently need an add-on/extension. But even without that ability, the browser is already a pretty decent password manager.