by dgrove 2575 days ago
Lots of talk about passwords, but fewer about password managers. The password managers listed in this do not protect against backdoors. LastPass, for example, keeps all your passwords in plain text once you've unlocked it. Passwords stored in Apple's Keychain can be synced across devices, and a remote attacker can do something like a SIM port, gain access to your iCloud account and then sync to their computer, leaving you vulnerable.

Password managers should be bound to hardware tokens, and each password should be individually encrypted, as well as individually decrypted, in a way that also forces a physical tap.

Password Store is a perfect example of this. Physical password managers are also on the rise; see Ledger and Mooltipass.

2 comments

I don't believe it is the case that you can SIM-swap your way to someone's iCloud Keychain. Despite the "iCloud" in the name, it's not simply a file stored on iCloud; it's bound by keypairs to both devices and your iCloud password.
I think you need to provide approval from one of your other devices, or enter your iCloud security code before the sync can occur.
The iCloud security code can come over SMS if your account is configured as such, therefore the above example of a SIM port applies.
No, the iCloud second factor can come over SMS. That's not the same thing as your iCloud password.
I'm not 100% sure about this, since it's been a while since I've added a device to my iCloud account, but IIRC the prompt is not the standard 2FA one: it basically asks you to approve the addition from another device, or forces you to use your security code.