Regarding password managers, I feel uncomfortable, especially when it comes to high-value targets like developers of important software.

If you're a potential target for malicious actors, is it a good idea to have a single point of failure for your logins? I certainly see the point about the realities of password reuse, but can we quantify the risks of one approach vs the other somehow?

> is it a good idea to have a single point of failure for your logins?

Just like logging in to 2 SaaSes from the same computer... at which point a keylogger/camera/microphone on/near that computer becomes the single point of failure.

There is a point at which too much paranoia paralyzes a person into inaction. Criticizing people for not defending against nation-state level attacks (e.g. password manager attacks) when we can't even defend ourselves against the neighbor's son (credential stuffing without 2FA) seems like putting the cart before the horse.


While I really like 1Password, I do in my more paranoid moments wonder if it's become so well known and popular that it's probably a worthwhile target for attackers smaller than nation states.

It's pretty obvious some of the cryptocurrency thefts have been for amounts far in excess of what a seriously talented group would need to consider taking on a password manager...


FWIW, a password manager doesn't have to be such a single point of failure.

I use `password-store`, which means to get a password I just need access to my gpg key.

My gpg key lives on 3 YubiKeys and in 1 bank vault as a paper backup.

If my main YubiKey is destroyed or I somehow forget the PIN to it, I just need to go to the bank vault.

If I wanted to err on the side of being more able to access it, I could leave an unencrypted copy of the gpg master key with a trusted friend.

Since there are many password managers with different models, I think it's difficult to quantify exactly the failure mode of each.

However, the reality is almost all security experts recommend password managers, and almost everyone who uses 1Password for a while doesn't want to go back, so clearly there's something to it.

The only people I see doubting are people who have uneasy feelings but haven't really written down their threat model or consulted security professionals.
