by jjav 982 days ago
Password managers completely solve #3 and #4. They also largely solve #1, unless the leak happens from a company that stored them in cleartext or base64. But since the password was unique, it doesn't matter in practice except for that single backwater site so who cares. Not a threat.

Password managers don't solve #4. But you left out the huge one, losing access to the account. Which for most people is a larger risk than all the others put together.

For just about every person and account, the near-zero chance of getting personally spearphished is much less relevant than the risk of complete loss of access.

1 comments

>But you left out the huge one, losing access to the account.

Losing access to your passkey/password manager is a separate concern from the strength of the credential itself. Passkeys and passwords are just credentials. What you use to manage them is a separate concern. The concern about losing access to your passkey manager is super valid, but that same concern applies to all password managers that exist today. It's not a new concern that's specific or unique to passkeys. Yes, if you lose access to your password/passkey manager, then whatever solution you're using better have a great recovery story.

I know that at least both 1Password and iCloud Keychain have pretty great recovery flows. I am not sure about Google or the other password/passkey managers (I haven't looked into it deeply).

>of getting personally spearphished

100% agreed that most people don't need to worry about spear-phishing attacks. But that's (sadly) not super relevant, because many users fall for run-of-the-mill basic phishing attacks that any reader of HN would never fall for in a million years.