Interesting, but can someone tell us what this implies w.r.t. authorities? If someone gets your iPhone and forces you to press your finger on the Touch ID sensor, he gets all your passwords, no? While with a general master password you could just pretend to have forgotten it?
In good news, a somewhat recent CBP case ruled in favor of Touch ID coercion needing a warrant and may be the start of a wave of change in court precedents to stop authorities from abusing biometric loopholes. One court win does not set a new precedent, of course, but it is hope that change may come.
Whichever way you look at it, in every sense, password managers are a really bad, bad idea.
Besides that, it is not needed to force you to press your finger; the delinquent only needs access to the device to fool the sensor by brute force: 2 hours in the worst case with the simplest techniques. Although it's easier to take your fingerprints from a glass or something you used, to avoid the wait, or to directly cut off your finger if it's a psychopathic criminal.
And in all cases, once your fingerprint gets public it is compromised until the end of time; of course, you cannot "change the password".
This is without even talking about software infection via a remote attack.
I don't mean this personally, but I find it very, very hard to deal with people like you in professional contexts. You focus on a 0.01% problem and make an absolute statement ("in every sense, password managers are a really bad, bad idea"), while completely ignoring that for everybody else, password managers (and even more so passkeys) will prevent real problems like their bank account being emptied.
At what point did password managers invent the idea of using a different password for each account? That is computing basics from the beginning. They didn't solve a problem, they just increased the lottery prize if the master password gets compromised.
Everybody can continue down-voting, but that fact is not going to change.
> At what point did password managers invent the idea of using a different password for each account?
They didn't invent the idea.
They just made it usable for people who have a lot of different accounts.
I've got nearly 500 accounts, and based on a comment thread a while back where someone asked here how many accounts people have in their password managers I'm on the low side.
No, the lottery prize is exactly the same: Access to every site in the list.
The lottery chances have, however, dramatically changed: you no longer rely on the ongoing security practices of every single website you have ever signed into once, each of which was eternally a risk to breaching every single other website you have ever signed into.
Perhaps you alone can remember a cryptographically secure password for every website. But I’d more suspect your downvotes come from the impression you give of apparent inexperience combined with what looks like a child-like propensity to bluster.
Password managers did not invent this idea, but we can observe people consistently reusing passwords when they don't have a password manager. It is just undeniable at this point that users cannot be expected to consistently create strong and unique passwords for each service.
I would argue that password managers are not an "in every sense a really bad, bad idea" for a lot of reasons.
Let's look at password reuse for example. As soon as you have more than a few dozen logins, the possibilities are mostly either reusing one or few passwords, or writing them down.
Reusing is objectively bad, and for writing them down, the password manager makes it easy to use a really long and random password, which would make it tedious to write down.
Password managers make the user's life easier, at a big price if the master password gets compromised, as all the passwords get compromised at the same time, in a unified way that would otherwise require much more specialization and effort to gather together.
If those passwords are stored on the internet it's even worse; one can take it for sure that those password-managing servers are juicy targets, and it is a countdown until the server gets compromised.
If the user is only storing the passwords of chat forums, I think that is one thing the attacker will probably ignore, unless reverse engineering one of those sites using the user's name is on the secondary target list.
Anyway, using a unique password for every server, account, etc. has been a must from the beginning of time, even for the temporary forum one had to register for to use for a few minutes. It is the first computing directive. It's just that password managers are not accomplishing the objective of that directive.
Just because something is a "first computing directive", that doesn't mean people do it. If you're capable of remembering hundreds of high-entropy passwords, more power to you, but that approach doesn't work for most people. Password managers are better than reusing passwords between services, which in the real world, is the alternative.
I have hundreds of sites in my password database. Can you remember hundreds of random 32-character strings? I can't, and I think there are very few humans who can.
> once your fingerprint gets public it gets compromised until the end of the times
I'll just respond to this, as the other commenters are doing a fine job of addressing your other claims.
Your passwords aren't encrypted with biometric data of any kind on Apple devices (and I suspect that's true of Android as well). Simplifying a bit here, but it's broadly accurate: your biometric doesn't unlock your entire password database, it unlocks the stored secrets needed to decrypt your password database. iOS (and, likely, Android) devices have a simple way to force a passcode/password to be entered rather than using biometric data to unlock the device.
On iOS, activating the Emergency SOS feature (without subsequently calling emergency services) and then locking the device as normal (with the power button) will require the first factor (your passcode/password) at the next unlock attempt. No amount of finger-cutting or face-slicing can get past it. It's been that way for six years now, and was famously referred to as "the cop button" when iOS 11 introduced the feature.
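An added illustration, written here and not taken from any commenter nor from Apple's actual implementation, of the key-wrapping pattern the last two comments describe: the biometric never encrypts the vault itself; it only gates the enclave's release of a wrapped copy of the vault key, the passcode path wraps the same key, and an SOS-style lock flips a flag that makes the biometric path refuse until the first factor is entered. The HMAC-counter stream cipher, the PBKDF2 parameters and the `Device` class are assumptions standing in for a real key-wrap primitive and the Secure Enclave.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; an illustrative stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, secret: bytes) -> bytes:
    """Wrap `secret` under `key`: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes):
    """Return the wrapped secret, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Device:
    """Model: one random vault key, wrapped twice (passcode path and biometric path)."""
    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self.enclave_key = os.urandom(32)   # stands in for a key that never leaves the enclave
        vault_key = os.urandom(32)          # the key that actually encrypts the password database
        self.by_passcode = wrap(self._kek(passcode), vault_key)
        self.by_biometric = wrap(self.enclave_key, vault_key)
        self.require_passcode = True        # after boot the first factor is mandatory
    def _kek(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 200_000)
    def unlock_with_passcode(self, passcode: str):
        vault_key = unwrap(self._kek(passcode), self.by_passcode)
        if vault_key is not None:
            self.require_passcode = False   # biometric path re-enabled only after first factor
        return vault_key
    def unlock_with_biometric(self, sensor_match: bool):
        # A matching print is useless while the flag is set: the enclave refuses to unwrap.
        if self.require_passcode or not sensor_match:
            return None
        return unwrap(self.enclave_key, self.by_biometric)
    def emergency_sos_lock(self) -> None:
        """Emergency SOS then lock: demand the first factor at the next unlock."""
        self.require_passcode = True
```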