I forgot my bitcoin password just last week. All I had to do was click on the "forgot password" link, answer the security questions, and set a new password. Like any other online account. So I guess I don't understand what all the fuss is about. Did he forget the answers to the security questions, too? He should be able to call customer service. They'll have him scan and e-mail a copy of his driver's license or something. There's always a way to recover your password.
On a website that has been coded for this function, yes. For a USB drive, I'm not so sure. Maybe that is a selling point for IronKey. Very difficult to recover a password.
Personally, I have more than 50 IDs, more than 50 passwords. And the passwords come in various forms, sizes, patterns: some 6 characters, some only numbers, some must have numbers & letters, some must have min 1 upper case and 1 non-number/letter. WORST, passwords have to be changed and changed every few months and cannot be recycled. I don't know how many security questions I had set. I don't know what security questions I had set. I don't think I know the answer to the security questions, as the questions were mostly not set by me. Damn scary. I'd better clean up my mess. Also, I'd better not open a digital bank account.
I have several hundred accounts in various places, and what I do to manage them is:

In a strongly-encrypted file, backed up in multiple places, I store individual web sites and their security questions with strings of random characters to represent the user ids (or the actual user ids when appropriate), passwords and answers to security questions.

For the actual user ids, passwords, and security question answers, I use a unique hash function roughly similar to the one in https://www.elitetrader.com/et/threads/malware-warning.349544/page-5#post-5193269 on the corresponding representations. Since the hash function has a unique, secret key, it also needs to be backed up to multiple places as a strongly-encrypted file.

When the hashed data isn't quite good enough for the account (e.g., website requires a special character my hash function doesn't output), the strongly-encrypted file also stores the extra characters needed. When the hashed data is too complex for the website (e.g., required to be all numbers), the strongly-encrypted file has small scripts to simplify the data (e.g., tr '[A-Za-z]' '[0-90-90-90-90-90-9]').

This reduces the number of passwords I have to actually remember to a small number and lets me have unique, strong passwords for every website I have an account with. To solve the issue of passwords required by my employer to be changed every 90 days or so, I retired.

Before doing all this, my password management was more like:
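
The keyed-hash scheme described in the post above, sketched as an added example that is not part of the original post and is not the poster's own code. HMAC-SHA256 stands in for the poster's undisclosed hash function; the key, the label and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import string

# Same letter-to-digit mapping as the post's tr '[A-Za-z]' '[0-90-90-90-90-90-9]':
# the i-th letter of A..Za..z becomes digit i % 10.
_LETTERS = string.ascii_uppercase + string.ascii_lowercase
_TO_DIGITS = str.maketrans(_LETTERS, ("0123456789" * 6)[:len(_LETTERS)])

def to_digits(text: str) -> str:
    """Simplify a derived value for sites that accept numbers only."""
    # Caveat: 52 letters over 10 digits is uneven (0 and 1 each get 6
    # letters, the rest 5), so the digits are slightly non-uniform.
    return text.translate(_TO_DIGITS)

def derive(secret_key: bytes, label: str, length: int = 20) -> str:
    """Keyed hash of the stored random label, as letters and digits."""
    out, counter = "", 0
    while len(out) < length:
        msg = f"{label}:{counter}".encode()
        block = hmac.new(secret_key, msg, hashlib.sha256).digest()
        # base64 also emits '+', '/' and '='; keep only letters and digits.
        out += "".join(c for c in base64.b64encode(block).decode() if c.isalnum())
        counter += 1
    return out[:length]

def site_password(secret_key: bytes, label: str, length: int = 20,
                  suffix: str = "", digits_only: bool = False) -> str:
    """Apply the per-site adjustments the encrypted file records."""
    value = derive(secret_key, label, length)
    if digits_only:
        value = to_digits(value)
    return value + suffix  # suffix: extra characters a site insists on

# Constructed sample values. In the post's scheme the key lives in its own
# strongly-encrypted backup and the label is the random string stored per site.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_LABEL = "k3Qz9vLm"

if __name__ == "__main__":
    print(site_password(DEMO_KEY, DEMO_LABEL, 16, suffix="!#"))
    print(site_password(DEMO_KEY, DEMO_LABEL, 8, digits_only=True))
```

The encrypted file holds only labels, suffixes and the simplification rule, so reading it without the separately stored key reveals no passwords; losing the key loses every derived value, which is why the post backs the key up in multiple places.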