To clarify on this: even the people who use gibberish as their password and don’t store it and rely on password resets via email are actually somewhat safe if their email is also highly safe. Maybe their password strategy for CRA implies they don’t take their email password security seriously either… but still, my point is just that “at least as secure as your email” can be an incredibly high bar if you do it right