by TwoBit 2008 days ago
> attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site.

I don't think that reusing the same pepper (horcrux string) for all sites would be best practice.

2 comments

If only we had a secure place to store all of the horcrux strings that are unique per-website!

Joking aside, I don't see the point of this. It guards against exactly one attack (your password manager somehow revealing all your passwords), which is unlikely, but not against a whole lot of others (slightly more generic malware, phishing, ...), whilst making logging in harder (there's now a manual process).

If you're willing to go to such lengths, enable 2FA on more accounts (which the article mentions, points for that) or get a physical token for your password manager.

That might be likely if the password manager database is stored in the cloud. iCloud hacks seem to be at least somewhat common, and iOS users often have no other means of syncing their password manager database.
Isn't that a non-issue if the cloud version is encrypted?
That defeats the point of using a password manager, more or less. You're just remembering individual passwords, but it's even more complicated now.
That's ok - just use two different password managers and merge the parts manually on login ;)