[Zinggi]

> Doesn't this increase your attack surface greatly though?

That's true. I suppose it's a trade off between protection against lost vs. smaller attack surface.

> Since there's no master key, one has to only compromise the OS to get at everything

That's wrong, compromising one device doesn't give an attacker anything useful. Only if two or more devices have been compromised can passwords be decrypted. But in any case, I think if your device is compromised you might be in bigger troubles anyway. E.g. if an attacker controls your device, ransomeware might be easier and more lucrative to them than going after more devices to hunt for passwords.

[craftyguy]

> That's wrong, compromising one device doesn't give an attacker anything useful

Yea I understand that, but by having a large number of devices with this on it, you increase the chances that any two of them could be compromised. That was my point, I just didn't articulate it well enough.

[smittywerben]

Does anyone use a password manager for critical accounts?

I use them to generate random passwords for sites like yahoo or neopets (or whatever).

[jsjohnst]

My GitHub.com password is >100 characters long and I deem it a critical account (hence the password length), so yes, I do use a password manager for it.

[Zinggi]

Oh, than I misunderstood, sorry. You're absolutely correct.