The greatest problem with passwords is the security of the system where they are used. Either figure out how to stop the theft of password hashes or make the hashes so secure that they can't be cracked when stolen. Unfortunately, the users don't want to be bothered with these details. As long as users want quick and easy access to online services, there will be a steady stream of articles like "Russian mafia steals billions of passwords". Again, the problem is that the users want online services for free or nearly free and easy. They fight password complexity requirements and end up finding passwords that pass the test but are still easy to guess. Super slow hashes would help but users would complain if it took 10 seconds to confirm passwords.
From "The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes" (2012):
Thanks, I recommend Table one from the PDF. I think my personal conclusions have matched the notion of having moats, walls and archers. Ultimately, I think you do need a limited number of strong passwords which you remember - I use Diceware and do not find this too onerous. Then a number of weaker schemes underneath this to do practical jobs (e.g. website access with LastPass with 2FA). I reckon the security questions for recovery on many sites are some of the biggest self-inflicted disasters in this space.