Hacker News
by geocar 3056 days ago
This isn't unique to Apple: Google has adopted the same policy.

It's not clear what the best solution is here, or if the best way to have the conversation about it follows hyperbole like "the most disturbing thing".

I think password managers are on the whole a good thing because people are using more (stronger) passwords.

I also think the password manager could (at least on trusted hardware like an iPhone) provide some protection from the attacks you're alluding to, such as a tarpit that slows access to the password database, but they certainly won't offer any protection on a desktop machine without specialised hardware and it might be difficult to get right -- difficult enough that new security vulnerabilities are introduced instead.

What exactly do you propose?

1 comments

I think Firefox's solution is a little better. You can set a master password which is used to encrypt the password database. To unlock you have to enter the password. You can browse without unlocking.
Both the iPhone and Google Chrome ask for authentication before showing the passwords.

Firefox works similarly: Once you unlock it, you see all the passwords. On an iPhone or Google Chrome, you have to click each password you want to see.

Fortunately, Chrome for Linux and Chrome OS don't ask. Both OSes trust users to control access at the session level.