How do you manage passwords now?
being managed by the device keystore and never leaving the device (unlike passwords).
Which makes it a nightmare to manage if you want to access the service from multiple devices. Also, I have not seen any of those in practice, so I don't know how "many" there actually are.
Plus now that Apple embraced it, in a typical Apple way, I expect them to screw it up somehow.
One way password managers are better than the native browser store is that the browser will happily export the passwords in the clear, while password managers would ask for the master password.
How so? Which browser store will export (or reveal) passwords without first asking you to enter the master password?
Both Firefox and Chrome will do this.
You may need to be logged in to your account, but do you really log out all the time?
I use Firefox as a secondary browser and I don't have any accounts set up, and it lets you export the passwords; there is not even a master password to enter. I don't want to log out of Chrome to check.
Not Chrome in my experience. Even when logged in there is no way to reveal passwords without secondary verification.
Although this article https://www.alphr.com/view-google-chrome-saved-passwords/ suggests that it should ask for the OS (?) password. I'm using official Chrome on Linux and see nothing like that.
Many websites and applications are moving away from passwords and using FIDO instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).
what do you do if your phone goes belly up?
SMS confirmation
Two factor authentication never ever blocked a hack attempt, in my experience.
About two factor authentication, it's horrible, because it makes you dependent on a second device (what do you do if your phone goes belly up?), and because it automatically discloses your identity (your phone number is also your global UUID).
Is it possible you are using some kind of reduced security settings?
[Citation needed]
Many websites and applications are moving away from passwords and using FIDO instead, which is significantly stronger, using asymmetric keys, the private key for the application being managed by the device keystore and never leaving the device (unlike passwords).
The problem with these mechanisms, stuff like OAuth being the poster child, is that it's almost impossible to use correctly on the server side. It's so bad that the author of the OAuth spec actually resigned from the editor position rather than be further associated with it. So with randomly-chosen per-site passwords, as several people have pointed out, you're about as safe as you can make yourself. With single-point-of-failure systems like OAuth and others you're only as safe as any site you use or your auth provider is. If they get popped it's game over for you and everyone else using them.
In terms of phone-based 2FA, the OP needs to specify which 2FA they're talking about: is it SMS or a 2FA app using (typically) TOTP? Those are pretty good, I'd recommend looking at Authy for that and then use it for any critical account where money can change hands.