2024-03-18

How I do passwords

(tldr: use BitWarden and OnlyKey)

"If you can memorize and type your clever password, it's already broken".

People often don't hear me when I give them that warning, because it confuses and frightens them. Too many people think passwords like "secret42!EyeLoveMyWif3" are clever and secure. Such passwords very much are not. It might as well be "password", "secret", or no password at all.

On the other side, the approaches used by super-smart, infosec-aware programmers are not useful for normal people. Normal people cannot memorize 63 random strings on demand, they cannot run one-way hash functions in their heads, they will not use something like Diceware, they will not run Python scripts on personal trusted Linux laptops, they will not keep a GPG-encrypted text file of passwords in their Desktop folder, and they will not run a Tails instance on a live USB drive. If you are the kind of person who can do that, good for you, you are very smart, you win. Now try to teach a normie friend to use your system.

Something is needed that will work for ordinary people who just want to get work done. It has to be something that will work for small business owners, project managers, academics, professionals, nurses, doctors, corporate executives, lawyers, authors, activists, and even will work for journalists and politicians. And will work on public terminals in libraries and schools. And will work on employer-issued locked down laptops. And will work on school-issued edu ChromeBooks. And it needs to be something that can be taught to and used by kids about the time they turn 13. IMO, this should be in the public school curriculum.

Here is that "something", here is how I log in: I use the BitWarden password vault, and I have an OnlyKey device.

I log in to a desktop like this: I plug in and unlock the OnlyKey using its PIN, which I have memorized, then I type a short password prefix on the keyboard, and then I play the rest of the password out of the OnlyKey macro storage. That logs me into that desktop. Then I unlock the BitWarden browser plugin the same way.

If you search my physical desks, or my everyday carry, you will find what looks like the unlock PIN for the OnlyKey. If you grab it from me and try to use it, you will be sad. Bwa ha ha.

The passwords stored on the OnlyKey are the logins for my personal Linux boxes, plus my iCloud, Microsoft, BitWarden, and employer LDAP/AD passwords. They are 30+ truly random characters.

I use offsets into irrational numbers for the prefixes, but they could just as well be randomly generated with some dice. They are 4 to 6 digits in length. For example (I don't use this anymore), the prefixes were 100, 200, and 300 digits into the decimal expansion of Pi. This could be done without the prefix trick; I don't include that part when teaching this to most people, and then the only thing they have to memorize is the PIN to their OnlyKey.
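The two halves of a desktop login described above, as an added example that is not the author's code: the memorized prefix is read out of Pi's decimal expansion at an offset, and the device-stored remainder is drawn from the OS CSPRNG. The 0-indexed offset, the 94-symbol alphabet, and the 32-character default are my assumptions; nothing here talks to an OnlyKey, it only shows how the credential is composed.

```python
# Added example (not from the post). Derives a Pi-offset prefix and a
# random macro-slot suffix, then composes them as the post describes.
import math
import secrets
import string


def pi_decimals(n):
    """First n decimal digits of Pi after the '3.' as a string.
    Machin's formula in integer arithmetic with 10 guard digits."""
    guard = 10
    scale = 10 ** (n + guard)

    def arctan_inv(x):
        # arctan(1/x) * scale via the alternating series; terms are floored
        total, power, k, x2 = 0, scale // x, 0, x * x
        while power:
            term = power // (2 * k + 1)
            total += -term if k % 2 else term
            power //= x2
            k += 1
        return total

    pi_scaled = 16 * arctan_inv(5) - 4 * arctan_inv(239)
    return str(pi_scaled // 10 ** guard)[1:]  # drop the leading '3'


def prefix_from_pi(offset, length):
    """Memorized prefix: `length` digits starting `offset` digits
    (0-indexed, an assumption) into Pi's decimals."""
    if not 4 <= length <= 6:
        raise ValueError("the post uses prefixes of 4 to 6 digits")
    return pi_decimals(offset + length)[offset:offset + length]


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_suffix(length=32):
    """Device-stored half: truly random characters from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def suffix_entropy_bits(suffix):
    """Entropy of a uniformly random suffix over ALPHABET, in bits."""
    return len(suffix) * math.log2(len(ALPHABET))


def compose_login(prefix, suffix):
    """Typed prefix + macro-played suffix; enforces the post's 30+ char rule."""
    if len(suffix) < 30:
        raise ValueError("the macro half must be 30+ random characters")
    return {"typed": prefix, "macro": suffix, "password": prefix + suffix}
```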

The OnlyKey device is also a U2F token, and BitWarden is a passkey provider and a TOTP code generator. I have passkeys turned on everywhere I can (so far Google, GitHub, GitLab, and Amazon Retail). I have U2F enabled everywhere I can. I have OATH TOTP enabled everywhere I can. Every place I have U2F or TOTP enabled, I also generated the "get me back in" lockout codes, and have those stored in the notes field of the BitWarden entry for that account.

If I lose my OnlyKey and I lose my phone, I do have other, slower, more annoying ways back into everything. The final fallback is that I keep several copies of the BitWarden password in unmarked sealed envelopes hidden in my bookshelves and also in at least two other trusted locations not at my house. My user story was "I lost my OnlyKey, and I lost my phone, and my house burned down. How do I get back in?".

Before any of my coworkers get all excited, there is some added complexity in how I log in to my work laptops and intranet resources that I will not explain more deeply here, because my employer provides their own custom FIDO2 tokens, which have their own unlock PINs and interface to a bespoke zero-trust (ZT) system. I've memorized those work-related PINs.

If you are a hardware pentest infosec person, yes, you have ways to break this system. Good for you, you win. It is not a class break.


In summary, and my immediate recommendation: your clever password is not good. Go buy an OnlyKey and use a good password vault such as BitWarden. Ordinary people who just want to get work done can be taught how to use them, and they will have a workable theory of operation for it, instead of just "trust me, it's magic".


Also, I am not getting any kickbacks from the OnlyKey company or from the BitWarden company for this advice. If anyone from OnlyKey or BitWarden wants to contact me, please do. I love your device and your service. You two should co-market each other.