I keep track of my passwords with a simple text file on my HDDs (which I occasionally copy to a flash drive). I also use browser's saved passwords/logins feature. I use a random generated password with a program I wrote that generates it randomly. Of course over time, I end up memorizing passwords. I have a few rather long completely random ones memorized, simply through repetition.
having it stored locally- and in plain-text files- seems risky but my logic is that unauthorized account access is usually a result of having a password and E-mail address compromised by one login or web page. For example, if say the CH password database was compromised it would be possible for whomever gets it to over time to "hack" the passwords and figure out what they are. At that point, they might simply try that same password on any accounts that are connected to CH; if you use the same password there, they get access to that as well, and maybe THAT links up to some other accounts and stuff. Having different passwords everywhere or at least as many different passwords as possible prevents that "chain" from progressing very far.
Compared to that I consider the risks of local compromise to be far less substantial (I don't recall dealing with any infections on my own computers in the past 10 years or so- I have seen weird executables running and freaked out only to find out it's a part of Intel's drivers or part of Windows (and is digitally signed and in the correct place). It would also require my system to not only be infected, but infected in such a way that it allows an actual person to go through my stuff, as the sort of malware in question typically just grabs data from well-known locations- like say browsers, or stuff like those bitcoin miner programs which save wallets or whatever that is all about, and fire it off to the malware author.
So far this approach I feel has been sort of "reinforced" in that I have had the first happen with about a half-dozen of my accounts across the web over the last decade or so, and was easily mitigated because the password that the "hackers" would have was used nowhere else.- I've even seen in the logs for my website that some of those compromised passwords were used to try to login to the root login, possibly by doing a big of research and discovering it linked with my E-mail address... so if I had used the same password there, I would have had a massive problem on my hands (Though I even have mitigations for that so I can fix it ASAP- I am sent an E-mail if an IP not on a specific list of IP addresses logs in to the root account. Other than one that I had sent to me during my own test, I've not had another yet!)
I've considered storing the "plain-text" information on, say, a Veracrypt volume, but the way I see it, the more layers I add, the more complicated the solution becomes and the more problematic it becomes in general- more stuff can corrupt, be lost, I can forget a password that I didn't write down or record for "security reasons" and lose all the others, etc.