by elwell 1992 days ago
What is your argument for that? That people will choose better passwords (unique and long) since they don't need to remember them?

The Achilles' heel of password managers is if someone accesses your computer (physically or remotely) they can probably access all your accounts. <-- and I've seen this happen (not to me)


Yes. The huge huge huge majority of credential attacks are stuffing and phishing. Unique passwords prevent stuffing. We observe that everybody reuses passwords unless they use a password manager. Password managers with auto fill can also provide some defense against phishing since they won’t auto fill.

The Achilles heel you mention matters very little since it is a very rare threat model and it would be unreliable to assume that access ends at some point rather than that the adversary simply installed some persistent malware to read all future passwords.
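The two defences this reply names, unique passwords against credential stuffing and origin-matched autofill against phishing, are easy to show in code. The block below is an added illustration written for this thread, not code from any real password manager; the vault entries, hostnames and passwords in it are constructed for the demo, and the matching rule (same scheme, and the page host equal to or a subdomain of the saved host, after IDNA normalisation) is one reasonable policy, not a description of any particular product.

```python
"""Two defensive checks a password manager makes (constructed example,
not code from any real password manager):

1. A reuse audit over the vault: the same password saved for several sites
   is what turns one leaked credential into a credential-stuffing success.
2. Origin-matched autofill: credentials are offered only when the page's
   origin matches the origin they were saved for, so a look-alike phishing
   domain gets nothing to fill.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample vault. Hostnames and passwords are made up for the demo.
SAMPLE_VAULT = [
    {"site": "https://example.com", "user": "alice", "password": "correct-horse-battery"},
    {"site": "https://mail.example.net", "user": "alice", "password": "Winter2019!"},
    {"site": "https://shop.example.org", "user": "alice", "password": "Winter2019!"},
    {"site": "https://bank.example.co.uk", "user": "alice", "password": "Winter2019!"},
]


def find_reused_passwords(vault):
    """Return {password: [sites...]} for every password saved for more than one site."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def _ascii_host(url):
    """Return (scheme, host) with the host normalised to lower-case ASCII (IDNA/punycode),
    so a Unicode homoglyph host compares as its xn-- form rather than as its glyphs.
    A host that cannot be normalised yields None, which never matches anything."""
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased, port stripped
    if not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return parts.scheme.lower(), host


def origin_matches(saved_site, page_url):
    """True only if the page uses the saved scheme and its host is the saved host
    or a subdomain of it. The suffix check is anchored on a dot, so
    'example.com.evil.test' does not match a credential saved for 'example.com'."""
    saved = _ascii_host(saved_site)
    page = _ascii_host(page_url)
    if saved is None or page is None:
        return False
    saved_scheme, saved_host = saved
    page_scheme, page_host = page
    if page_scheme != saved_scheme:
        return False  # an http:// page never receives an https:// credential
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill_candidates(vault, page_url):
    """Vault entries the manager would offer to fill on page_url."""
    return [e for e in vault if origin_matches(e["site"], page_url)]


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password reused on {len(sites)} sites: {sites}")
    for url in [
        "https://example.com/login",
        "https://accounts.example.com/signin",
        "https://examp1e.com/login",             # digit-one look-alike
        "https://example.com.evil.test/login",   # saved host as a prefix of another domain
        "http://example.com/login",              # scheme downgrade
        "https://ex\u0430mple.com/login",        # Cyrillic 'a' homoglyph
    ]:
        hits = autofill_candidates(SAMPLE_VAULT, url)
        print(f"{url:40} -> {[h['user'] + '@' + h['site'] for h in hits] or 'no autofill'}")
```

Running the module as a script prints the reuse audit (one password shared by three sites) and then, for each sample URL, which credentials would be offered: only the exact saved origin and its subdomain get a fill; the digit-one look-alike, the prefix domain, the plain-http page and the homoglyph host all get nothing, which is exactly the property that makes autofill a phishing defence.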

> it is a very rare threat model

I agree, but perhaps password managers aren't a one-size-fits-all solution. People in high risk situations (e.g., admin @ crypto companies) that are likely to be specifically targeted, might be better served without a password manager. But yes, if RDP, e.g., is left on and open then a keylogger could be installed anyways...

Admins at crypto companies should be getting security advice from their security gurus rather than from the web. It is reasonable to suggest that most people use a password manager. For the few people where this isn't good enough, they likely know who they are.
It's much more difficult to compromise someone's computer than it is to obtain/get one of their passwords through phishing/guessing and then try the combination on a bunch of sites.

It's -vastly- better for casual users to have secure, single-use passwords instead of what most casual people do: have 1-2 insecure passwords with variations, thus allowing any phisher to get access to everything anyways.

Just because something isn't perfect doesn't mean it is not an improvement.

If they can access your computer they can probably also access your email and get the sign-in links.
This is not possible if your password manager itself requires a password. Unless you mean "password managers don't work because someone might know the master password" which is true, but realistically the alternative is just using the same weak password all over the web, which is way worse.