
I've always considered password vaults as a single point of failure that will compromise all of your passwords. I've had lots of intelligent, well-informed programmers argue that my concern is groundless.


Everything is a tradeoff - but the basic balance is very strongly in favor of password managers:

1. Without a password manager that is shared on all your devices, you WILL re-use passwords out of frustration.
2. Without a password manager, if you do any sort of regular sharing of passwords with an engineering team, friends & family, you'll resort to pretty insecure channels.
3. True E2E encryption, while still providing some surface area, has proven in the field through multiple pretty bad breaches[1] that it's a security model that holds up under real-world circumstances.

On the flip side, you are right: you are one compromised browser extension / binary away from having your local vault decrypted, and ALL your passwords compromised. But think about this: if someone has this much local access, chances are they can install a keylogger anyway, or read your clipboard, so the real difference is you've conveniently pre-loaded all your sensitive information in one go for the bad actor.

[1] For example: https://blog.lastpass.com/2022/12/notice-of-recent-security-...


With a keylogger, you lose passwords you typed in since the keylogger was installed, but that is rarely all of your passwords.


Most of these managers support some form of 2fa. I use a yubikey with mine such that if my master password is compromised someone would still need to obtain my security key. You can enroll multiple and keep one in a safe and one or more on your person. It's not perfect, but it prevents the vast majority of huge dragnet style malware attacks and a lot of the targeted ones until you get to the point where someone is trying to hunt you down on the street.

This still leaves a case where someone manages to get the final key out of memory, but you're pretty hosed at that point anyway. I'd prefer a system where the yubikey itself is doing the final credential decryption instead of the CPU; unfortunately most people aren't that paranoid though.
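An added illustration of the two-factor vault unlock the comment above describes (example code written for this page, not taken from the thread or from any password manager): the vault key is derived from both the master password and a challenge-response from a simulated hardware key, so a leaked master password alone cannot open the vault, while a second enrolled key programmed with the same secret can. `SimulatedHardwareKey`, `derive_vault_key`, `seal`, `open_vault`, the toy cipher and all parameters are constructed here and are not any real vault format.

```python
import hashlib
import hmac
from typing import Optional

# Constructed parameters; not any real vault's file format or KDF settings.
ITERATIONS = 100_000
TAG_LEN = 32


class SimulatedHardwareKey:
    """Stand-in for a security-key slot programmed with an HMAC-SHA1 secret.
    The secret never leaves the token; the host only ever sees the response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_vault_key(password: str, salt: bytes, challenge: bytes,
                     token: Optional[SimulatedHardwareKey]) -> bytes:
    """The vault key depends on BOTH the password-derived key and the token
    response, so a leaked master password alone cannot open the vault."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    token_part = token.respond(challenge) if token else b""
    return hashlib.sha256(pw_key + token_part).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: XOR with a hash keystream, then an HMAC tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, len(plaintext))))
    return ct + hmac.new(vault_key, ct, hashlib.sha256).digest()


def open_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key (password and/or token) is wrong."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, len(ct))))
```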


Absolutely agree - that's why I said "so the real difference is you've conveniently pre-loaded all your sensitive information in one go for the bad actor."


The average person usually does the same but without encryption or strong passwords.

I’ll stick to passwords that are impossible to guess and an encrypted vault with multifactor authentication.


They make it easy to have strong passwords and sync across devices.

You could use a local vault and sync yourself, use a piece of paper in a safe, or use your brain to store them.

All of these come with tradeoffs and their own risks. Pick your poison.


You can use password vaults without creating a single point of failure by enabling 2FA for the accounts in the vault, without storing the keys there. Of course, it would still be bad if the vault was compromised, but it would be unlikely that anyone could access those accounts without accessing your 2FA.


Is there a good solution/mitigation for sharing passwords with 2FAs in the vault?


That's because it is a SPOF. However, a password manager seems to me the best compromise along the security / convenience axes.

I memorise good passwords for a handful of my most critical stuff (and have MFA). They don't go in my password manager.

If my password manager gets compromised then I probably could lose some cash, maybe get embarrassed by being impersonated on social media - it could get very inconvenient but not catastrophic.


PW managers are SPOF that typically replace a different, worse SPOF: humans trying to remember all of the passwords.


The way I look at it is, a password vault is a single point of failure with a very VERY tiny attack surface, such that an attacker will need to directly target you with a sniper rifle to actually hit you (assuming you are not using things like Lastpass. I personally use Keepass and synchronize the local vault across devices using Syncthing). Suffice to say, unless your last name is Snowden, it should not be a concern to you.

Compared to the common way of "managing" passwords (i.e. reusing one password everywhere), it is still a single point of failure. The difference is the attack surface balloons up in proportion to the number of websites you sign up to. And just like a balloon, all it needs is one poke, one website storing your password in plaintext, to blow it all up.


> Suffice to say, unless your last name is Snowden, it should not be a concern to you.

I wouldn't be so sure about that. People store banking/payment credentials in them, so there is a large incentive to mount a scalable attack against an even moderately popular password manager. Crypto wallets are a popular target too for the same reason (although the risk is even more immediate there).


How are you going to "mount a scalable attack" against a local-only password manager?


Malware targeting unlocked local password managers would be one option.


In that case aren't you already hosed because the same malware can steal all your login sessions?


No, because I'm not logged into all of my accounts at once, but if they can open the PW database they can.


Without using a vault, people end up re-using passwords or using weak passwords, which is IMO worse.


Before password managers people used the same password on every site. Vaults being a SPOF is true but not really relevant. They're still an improvement over what people did before.


I don't think anybody is arguing that password managers are the be-all and end-all of secure user authentication.

But what would you use instead for services that support only password authentication? And even for services with 2FA: If one of the factors is a password, where do you store it?


If done correctly it works. "Correctly" being the operative word.



