That's why keepass is really useful since you aren't ever typing in the password.. its generated and then copied to the clipboard.. That clipboard is then wiped after X seconds.

So then you know that you have been rooted => If that fails to resolve it.

Reduce the number of vectors to know what you have to change asap. in this scenario you don't want to be guessing about how they did it.

The randomised gibberish just means you can rule out certain things. I can agree on part of what your saying but a string high entropy password, makes it harder to brute..

Many services don't really do that whole retries thing properly. So make it take as long as possible.

If you don't use a random gibberish your password can be cracked on any consumer device in a surprisingly short amount of time...

This way you can then focus on that a session token is probably how they got in.. It's the most common vector these days...