Philosophical: Password Management - Manually type sensitive password or use autofiller?

Revisiting and revamping password management. For the sake of this discussion, I'm asking you to accept the premise of not storing/syncing/transmitting passwords through cloud services, even with all the merits of iCloud.

What would be the best mix of solutions to address the following extreme cases?

Someone gains physical access and compromises your device.
Is it safer to manually type sensitive credentials, never storing on a device (albeit pia?)
Is it safer to keep pw in a pw app using autofill, protected by biometrics?

Someone shoulder surfs and uses surveillance to record credentials
Is it safer to manually type sensitive credentials, never storing on a device (presumably not.)
Is it safer to keep pw in a pw app using autofill, protected by biometrics?

Biometrics are not protected as a human right, whereas storing in one's mind remains protected.

Where is the happy medium for strong pw management?

This very much depends on the attack vector.

e.g. for shoulder surfing, biometrics tend to be safer than passwords as they can't be observed being typed in, or guessed.

But if you wish to prevent access to your device and a bad actor (including Law Enforcement) has you and the device, you can be compelled to use those biometrics against your will.

I think you need to do your own assessment of what the likeliest attack vectors are for you. For most people that would be the former example rather than the latter.


I agree with @geoffaire. You need to decide what you will be most comfortable doing.

In my case I use autofill protected by biometrics. I can only remember a few 20+ character random generated passwords, and it frequently takes me more than one try to even type those.

OTOH, I’m most likely, IMO, to have to surrender my phone when I’m traveling out of the country so I use travel mode to only take a minimum number of passwords with me.
