What websites should be doing is vigorously adopting good two-factor authentication. By which I do not mean rubbish SMS, smartphone or biometric nonsense. Something like a U2F dongle or NFC reader would do the trick. Password managers are making the best of a bad job in the meantime.