MS Research: heretical views on re-using passwords & password managers

Stephen_C
Community Member

This is a link to a "Guardian" article in the UK which reveals what some might consider heretical advice about password use and password managers coming from researchers at Microsoft & Carleton University in Canada. (You might imagine that, as an OS X and 1Password user, I'm not particularly impressed by the advice ;) but you might find it interesting.)

theguardian.com/technology/2014/jul/16/microsoft-stop-using-strong-passwords-everywhere

Stephen

Comments

  • Hero Jig
    Community Member

    I too read this today in the Guardian, and would like to know AgileBits' public response to the suggestions there...

  • MrC
    Volunteer Moderator
    edited July 2014

    That research is full of invalid assumptions.

    It assumes, for example, that users can differentiate between high-risk and low-risk sites. As sites often ask for additional information over time, users must then re-evaluate a site's level of risk. And given the permanent nature of collected data, and difficulty finding the total corpora of data a site has collected, this is no easy task. They make clear: "Far from optimal outcomes will result if accounts are grouped arbitrarily." Can anyone imagine users looking at their, say, 100 login records, for example, and assigning them to high or low risk groups, at all, or ever reliably and effectively?

    It also assumes users have a built-in understanding of how collected data can be maliciously used.

    In the second sentence of the abstract, it incorrectly posits the biased position that "passwords with no re-use gives users an impossible task as portfolio size grows."

    They use some broken or flawed password management implementations and strategies as the basis for throwing the baby out with the bathwater, and build their thesis from that (invalid) position (users probably should not or will not use password management software).

    They use unmeasured risk threats and promote them into measured, known risk values that should be avoided at all costs. It's almost like saying "a fire burned down my neighbor's house (because he left his lit candle next to the Christmas tree), so we should not build any wood houses."

    Their concluding remarks show how simple their suggested strategy is:

    This suggests simple guidelines, such as: if Pi is similar across accounts, then optimal grouping will put high-value accounts in smaller (or singleton) groups, and low-value accounts in larger groups.
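The grouping guideline quoted above can be made concrete with a small model. What follows is an added editorial example; it is not code from the paper, from AgileBits, or from any poster in this thread. It assumes one specific loss model (my reading of the guideline, not necessarily the paper's exact formulation): each account i has a value V_i and a probability P_i that the password used there leaks; leaks are independent; and when any account in a group that shares one password leaks, every account in that group is lost. The portfolio, the values and the probabilities are constructed for illustration. Under those assumptions the example brute-forces every way of covering six accounts with at most three passwords and shows that with equal P_i the optimum is exactly what the guideline says (high-value accounts in singleton groups, low-value accounts lumped together), and that the picture changes once one site's P_i is much higher, which is why the guideline is conditioned on P_i being similar.

```python
from itertools import product
from math import prod

# Constructed sample portfolio (an assumption for this example, not data from the
# paper or the thread): account -> (value lost if compromised, probability that the
# password used at that site leaks, e.g. through a breach of the site itself).
PORTFOLIO = {
    "bank":  (100, 0.05),
    "email": (80, 0.05),
    "shop":  (10, 0.05),
    "forum": (5, 0.05),
    "news":  (2, 0.05),
    "game":  (1, 0.05),
}

# Same portfolio, but the forum is assumed to be a badly run site with a much
# higher leak probability (assumption): the "P_i similar" condition no longer holds.
RISKY_FORUM = dict(PORTFOLIO, forum=(5, 0.60))


def group_loss(group):
    """Expected loss for a set of (value, p_leak) accounts sharing one password.

    Assumed model: leaks are independent, and a leak at any member exposes the
    shared password, so every account in the group is lost together."""
    p_any_leak = 1.0 - prod(1.0 - p for _, p in group)
    return p_any_leak * sum(value for value, _ in group)


def expected_loss(groups, portfolio):
    """Total expected loss of a grouping (iterable of sets of account names)."""
    return sum(group_loss([portfolio[name] for name in g]) for g in groups)


def best_grouping(portfolio, k):
    """Brute-force every way of covering the portfolio with at most k passwords.

    Returns (loss, groups), where groups is a frozenset of frozensets of names,
    so label permutations of the same partition compare equal."""
    names = list(portfolio)
    best_loss, best_groups = float("inf"), None
    for labels in product(range(k), repeat=len(names)):
        groups = {}
        for name, label in zip(names, labels):
            groups.setdefault(label, set()).add(name)
        candidate = frozenset(frozenset(g) for g in groups.values())
        loss = expected_loss(candidate, portfolio)
        if loss < best_loss:
            best_loss, best_groups = loss, candidate
    return best_loss, best_groups


def round_robin(portfolio, k):
    """An 'arbitrary' grouping: deal the accounts out to k passwords in listing order."""
    names = list(portfolio)
    return frozenset(frozenset(names[i::k]) for i in range(k))


def describe(groups):
    return ", ".join("{" + ", ".join(sorted(g)) + "}" for g in sorted(groups, key=len))


if __name__ == "__main__":
    for label, portfolio in (("equal P_i", PORTFOLIO), ("risky forum", RISKY_FORUM)):
        loss, groups = best_grouping(portfolio, k=3)
        print(f"{label}: optimal expected loss {loss:.3f} with {describe(groups)}")
        arbitrary = round_robin(portfolio, 3)
        print(f"  round-robin grouping {describe(arbitrary)}: "
              f"expected loss {expected_loss(arbitrary, portfolio):.3f}")
```

With equal P_i the optimum keeps bank and email as singletons and shares one password across the four low-value accounts; the arbitrary round-robin grouping costs noticeably more, which is the "far from optimal outcomes" case quoted above. With the forum's leak probability raised, the optimum instead pairs the shop account with email and isolates the risky forum with the cheapest accounts, so the simple high/low split is no longer the right answer. Doing this evaluation at all requires the per-site values and leak probabilities as inputs, which is precisely the information the post above argues users do not reliably have.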

  • khad
    1Password Alumni

    I think our most recent blog post has a pretty good explanation of our perspective on this topic, but I'd love to know if there are specific questions you folks still think are unanswered after reading it:

    1Password is a very safe basket

This discussion has been closed.