> For any locked door, you need more than one key and they should be independent. If you have independence, they serve as backups for each other.
For any locked door, you need a key for day-to-day use; beyond that, you need to know a way to contact a locksmith or how to use a crowbar yourself, and have a way to eventually prove you're authorized to access what's behind those doors.
All those real-world analogies in crypto tend to miss one critical thing: in the real world, things break and people make mistakes, so for any security system there exist ways to recover from failures or mistakes, ways to recover from failures to recover, and so on.
Yes, this means you may spend a couple hours talking to the police afterwards, but you won't be forced to camp outside of your apartment on a cold winter night, because you've left your keys at work.
There are real-world situations, particularly in remote areas, where you can't rely on someone else to bail you out if you screw up. But they're not typical, and yeah, the analogy breaks down if you push it too far.
I think the advice of having multiple independent ways to log into an account is still good. Unfortunately, Google doesn't provide backups for the threat model of "Google locks you out due to an automatic policy decision" so you have to figure it out on your own. Similarly for other services.
How is a password manager a single point of failure? Mine syncs between multiple devices. I've had the same primary password for a decade now, and I've already forgotten it... I can't reproduce it without putting fingers to keyboard. It's the one human-chosen password that I ever made strong... 30-some characters, pretty fucking random. My wife knows it too.
But now you'll tell me that Google is more trustworthy than her.
It depends on the password manager you use. If you’re using Google or Apple’s password manager, you’re probably okay if you lose a device, but the one risk you can’t fix without having another password manager is if they cancel your account.
If you use both of them, though, that covers it.
Passkey syncing across password managers isn’t implemented yet, so it means manually adding an account in both places if you go that route. Hopefully that will be fixed by a new standard.
> It depends on the password manager you use. If you’re using Google or Apple’s password manager,
Are those even really password managers? I used to use 1Password, but got tired of only being able to sync through iCloud. About a year in, I switched to Enpass since it did WebDAV. Biggest gripe is that there is no native Xbox app for it, making it a pain to track some of the kids' game passwords.
They store passwords, and now also passkeys. How are they not password managers?
They’re probably the most-used password managers, since people use them without necessarily realizing that they’re using a password manager.
The thing about passkeys is that they make everyone use a password manager whether they want to or not. It’s a protocol that requires a password manager - there is no manual way to do it.