by mtgx 3360 days ago
> The proposed SQRL scheme derives all application specific keys from a single master key. This essentially provides a single juicy target for attackers to go after.

That sounds like the same problem password managers have. And yet they are still recommended over (re-)using your own passwords for each website.

1 comment

The crucial difference is that with a password manager, passwords are protected by a master key, but not derived from it. So you can rotate passwords whenever you want, either proactively or reactively, mitigating the effects of a password database compromise.
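
An added example, not part of the thread or of the SQRL specification, contrasting the two designs discussed above: per-site keys derived from a master key versus random per-site passwords stored under a master key. The HMAC derivation, the `Vault` class and the XOR wrapping (a stand-in for real authenticated encryption) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_site_key(master: bytes, domain: str) -> bytes:
    """Derived design: the site key is a pure function of (master, domain).

    There is no per-site state, so the only way to change one site's key
    is to change the master key, which changes every site's key.
    """
    return hmac.new(master, domain.encode(), hashlib.sha256).digest()


class Vault:
    """Protected design: each site gets an independent random secret.

    The master key only wraps the stored entries. The XOR pad below is an
    illustrative stand-in for an AEAD cipher; do not use it in production.
    """

    def __init__(self, master: bytes):
        self._master = master
        self._entries = {}  # domain -> (nonce, wrapped_secret)

    def _pad(self, domain: str, nonce: bytes) -> bytes:
        return hmac.new(self._master, nonce + domain.encode(), hashlib.sha256).digest()

    def rotate(self, domain: str) -> bytes:
        """Create or replace one site's secret; the master key is untouched."""
        secret = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wrapped = bytes(a ^ b for a, b in zip(secret, self._pad(domain, nonce)))
        self._entries[domain] = (nonce, wrapped)
        return secret

    def get(self, domain: str) -> bytes:
        nonce, wrapped = self._entries[domain]
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(domain, nonce)))


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed sample key
    # Derived: same inputs always give the same key, so it cannot be rotated alone.
    print(derive_site_key(master, "a.example") == derive_site_key(master, "a.example"))
    # Protected: one site's secret is replaced, the other is unaffected.
    vault = Vault(master)
    old_a, b = vault.rotate("a.example"), vault.rotate("b.example")
    new_a = vault.rotate("a.example")
    print(new_a != old_a, vault.get("b.example") == b)
```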