
This is what bothers me about stupid password requirements that create massive user friction because we'll never remember the password. Passwords aren't guessed or brute forced 99% of the time. They are stolen or phished or access is gained in another manner.


You’re right that passwords aren’t BFd often and that phishing is by far the easiest way.

Regarding other methods: passwords are, however, guessed or stolen. If a hacker can grab the app database's store of passwords, they can perform offline cracking and quickly start getting into accounts that have matching hashes to commonly used passwords. All it takes is a few accounts and you can usually pivot around from there to get some more privileged access.
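Added example (not from the thread) of the point above: with a fast unsalted hash, one lookup table built from a common-password list matches every account that used those passwords, and two accounts with the same password share a stored hash; a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here) removes both shortcuts, so each guess must be recomputed per account. The user table and password list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny common-password list and a small "leaked" user table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
USERS = {"alice": "password", "bob": "Tr0ub4dor&3!x", "carol": "password", "dave": "qwerty"}


def fast_unsalted(password: str) -> str:
    """Weak scheme: a single unsalted SHA-256, the kind offline cracking feeds on."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stronger scheme: per-user random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def match_unsalted_table(table: dict, wordlist: list) -> dict:
    """Defender's view of the weak scheme: hashing each wordlist entry once yields a
    table that is reused across every account, because equal passwords give equal hashes."""
    lookup = {fast_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def verify_salted(stored: tuple, candidate: str) -> bool:
    """Login-time check for the salted scheme; constant-time compare of the digests."""
    salt, digest = stored
    return hmac.compare_digest(slow_salted(candidate, salt), digest)


def build_tables(users: dict):
    """Store the same users under both schemes so the difference can be compared."""
    unsalted = {u: fast_unsalted(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)                 # fresh salt per user
        salted[u] = (salt, slow_salted(p, salt))
    return unsalted, salted


def demo():
    unsalted, salted = build_tables(USERS)
    hits = match_unsalted_table(unsalted, COMMON_PASSWORDS)
    # With salts, alice and carol no longer share a stored value, so there is no
    # shared-hash shortcut and no precomputed table applies to more than one user.
    distinct_salted = len({digest for _, digest in salted.values()})
    return hits, distinct_salted
```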


Wonder if you could download a 'hash' or encrypted version of your password and then websites ask for that file instead? Then you can just direct it to it. I have no clue how this would work, just brainstorming.



