by sebk
1271 days ago
I'm not sure that the crypto used is the weakest link, but even then, I would very much like to see a user-configurable memory-hard KDF, authenticated AES, and FIDO2 hmac-secret support. All of which should be relatively table stakes for a product like this. The option of self-syncing or self-hosting seems important as well, so users can decide to trade off having a team of engineers keeping the server secure and up to date with being a less interesting target to compromise. In terms of client-side compromise, I'm significantly more worried about OS/browser compromises, malicious app updates, or, for those cases where there's no OS-mediated autofill API, clipboard sniffing. In the end, I think password managers will always have issues and will have to settle for "good enough", or better than memorizing passwords. They're too big of a target for attacks, and their surface area is too big, too. Password managers do more than storing login credentials, but for that key use case, adoption of Passwordless WebAuthn can't come soon enough.
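As an added illustration of two of the features the comment asks for (a user-configurable memory-hard KDF and FIDO2 hmac-secret support), and not code from the thread or from any password manager: the block below derives a vault key with scrypt under user-selectable cost parameters, then binds in the output of the hmac-secret extension via HKDF so the vault cannot be unlocked from the password alone. The profile names, salts, `CredRandom` value and the `vault-key-v1` label are all constructed for the example; the authenticator step is simulated in software, since in a real deployment the HMAC is computed inside the security key and `CredRandom` never leaves it. Authenticated encryption of the vault body (AES-GCM) is out of scope here because it is not in the Python standard library.

```python
import hashlib
import hmac

# Constructed KDF profiles (hypothetical names). The client stores the chosen
# parameters in the vault header so the key can be re-derived later.
# scrypt memory cost is roughly 128 * n * r bytes per guess, which is what
# makes GPU/ASIC cracking expensive; "weak" exists only to show the contrast.
KDF_PROFILES = {
    "weak":   {"n": 2**10, "r": 8, "p": 1},  # ~1 MiB per guess
    "strong": {"n": 2**14, "r": 8, "p": 1},  # ~16 MiB per guess
}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def authenticator_hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Simulates the FIDO2 hmac-secret extension: HMAC-SHA256(CredRandom, salt).

    A real authenticator computes this on-device and never exports CredRandom;
    the 32-byte cred_random passed here is a constructed stand-in.
    """
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def derive_vault_key(password: bytes, vault_salt: bytes, profile_name: str,
                     hmac_secret_output: bytes = b"") -> bytes:
    """Password -> scrypt (memory-hard, user-chosen cost) -> HKDF with the
    optional hmac-secret output mixed in. Without the authenticator output the
    derived key is different, so the vault is bound to the security key."""
    p = KDF_PROFILES[profile_name]
    pw_key = hashlib.scrypt(password, salt=vault_salt, n=p["n"], r=p["r"], p=p["p"],
                            dklen=32, maxmem=64 * 1024 * 1024)
    return hkdf_sha256(pw_key + hmac_secret_output, vault_salt, b"vault-key-v1")


def key_check_value(vault_key: bytes) -> bytes:
    """Stored in the vault header so a wrong password or missing authenticator
    is detected before any decryption is attempted."""
    return hmac.new(vault_key, b"key-check", hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed inputs: fixed salt and CredRandom so the run is reproducible.
    salt = b"\x01" * 16
    cred_random = b"\x42" * 32
    hs = authenticator_hmac_secret(cred_random, salt)
    with_key = derive_vault_key(b"correct horse", salt, "strong", hs)
    without_key = derive_vault_key(b"correct horse", salt, "strong")
    print("bound to authenticator:", with_key != without_key)
    print("kcv matches on re-derivation:",
          hmac.compare_digest(key_check_value(with_key),
                              key_check_value(derive_vault_key(b"correct horse", salt, "strong", hs))))
```

The point of the `KDF_PROFILES` table is that the cost is a per-vault header field rather than a constant compiled into the client, which is what "user-configurable" amounts to in practice; the hmac-secret output is mixed in through HKDF rather than XORed so that a weak or absent authenticator value cannot cancel the password contribution.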