The headache is that we have too many people demanding passwords, and some fools requiring them are careless with them - I think I may have over a thousand, certainly several hundred sites who have a password, far too many to be able to keep updated at frequent intervals as some security busybodies with their heads in the clouds and no sense of practicality require - I'd spend my life doing nothing else. For example, we've just seen Uber have to admit it's compromised data from hundreds of thousands of its drivers: sometimes I need to know that the site I'm working with has me securely identified, sometimes my need is less, yet they have a reasonable need, mostly it's simple BS. The identification protocol has two halves, the avatar and the password, and so we have two elements we can work with to constrain these sites.
I therefore have three different passwords on this first plane, correspondingly, not one: if, for example, someone with less than honest morals were to obtain a single password, he'd find it easy to hack my bank, however he won't because that's a different security need and therefore level. There is actually a fourth level, although it's less likely you'll need it, one where employers/the State have their specific needs - they tend towards the following, however, where you are identified by a Social Security number, for instance.
However, there is also a separate parameter to the paradigm, that of the avatar. I use a different one for my vanilla life than I use here. Not that I'm ashamed of either, however there are risks in areas of greater licentiousness, or more precisely licence, permissiveness, and I generally prefer to know that anyone who knows me as Tom in this context might not know my vanilla avatar. There may also be other domains where such pseudonym aliases are legal and/or justified.
One headache of using technical support for a plethora of passwords is what happens when the technology fails, as it eventually will, from simple wear and tear/entropy. A second one is where the security techno-geeks require disproportionate password patterns - no, I'm not going to allow you to impose a password of mixed Sanskrit and Akkadian characters on me just because you think you can, I'll walk away instead, depriving you of one user tick-up. If you're such a nerd as to think otherwise, enjoy your life. Thankfully people here aren't that anally-retentive.
A further headache is that as data collection agencies become ever more intrusive into our lives, without the least authority other than the last vestiges of 1950s paternalistic authoritarianism, the risk of these passwords becoming compromised increases. They have their peers on the Dark Side, too, criminal intelligencers who, having noticed that an (entirely fictitious!) Henry Potter of Little Snoring uses the same avatars and passwords on several compromised sites, then go on to try that whenever anything else of the said Henry Potter's comes up, for example trawled out of the sea of email data which is mostly utterly insecure. I wonder whether JK Rowling got her idea for the Boy Wizard from MASH's Surgical Wizard?
That then heads towards a scenario where simple imaginative passwords fail, and we have to revert to more fundamental data of who we are - fingerprints and retinal scans at a slightly deeper level. We don't want to have to go there, though, it's far preferable not to compromise that too.