If an attacker has root access to your machine, he can easily:
* Extract passwords and session tokens from your browsers
* Keylog your system and wait for you to type a certain password
* MiTM your TLS connection to grab credentials
>This is not an argument at all. Let's consider the situation when individual service gets compromised. Attacker has thousands of salted hashes
Wait, who said they are hashed? Perhaps an irresponsible webmaster stored them in plaintext. Now, even if that service itself isn't very important, it's likely that certain users re-used the same (or a similar) password in more important services, such as Google.
Now, while you're right that using a single master password does pose a risk, there aren't other viable solutions to secure password authentication, unless you:
* Memorize a strong password for every service that you use
* Never share passwords among the services
* Don't store saved logins in your browser
* Never link your services to your email (because then if your email account is pwned, your accounts in those services would be pwned too, another "all eggs in one basket" issue)
If you can do all of the above, then great, but most people can't.
>Memorize a strong password for every service that you use
I keep hearing this argument and I think people who use it just don't understand why a password has to have high entropy (i.e. be strong). It's not to stop an attacker from brute-forcing the login page (nobody does that nowadays), it's to stop an attacker from cracking the hash if he gets it. If a password is unique, it doesn't have to be strong.
>If you can do all of the above, then great, but most people can't.
And this stuff again... "Security is hard, just use this password manager, dum-dum." All you have to do is divide your accounts into two groups: accounts you care about and accounts you don't. Most people would not have more than 4-5 accounts in the first group. Create and memorize a strong password for each of them. For the second group, you couldn't care less, so use a password manager; that is the only good use case for it anyway.
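The point made above, that entropy matters for offline hash cracking and not for guessing against a live login form, can be made concrete with a back-of-the-envelope calculator. This is an added example, not code posted by anyone in the thread. The three guess rates are constructed assumptions (a rate-limited login form, a fast unsalted hash cracked offline, and a memory-hard KDF cracked offline), not measurements, and the entropy estimate is the usual upper bound that treats every character as uniformly random over the character classes used.

```python
import math
import string

# Constructed guess rates in guesses per second (assumptions for illustration,
# not benchmarks): an online login form behind rate limiting, an offline attack
# on a fast unsalted hash, and an offline attack on a memory-hard KDF.
GUESS_RATES = {
    "online, rate-limited login form": 10.0,
    "offline, fast hash (MD5/SHA-1)": 1e10,
    "offline, slow KDF (scrypt/Argon2)": 1e4,
}

_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def charset_size(password: str) -> int:
    """Size of the smallest alphabet built from standard character classes
    that covers every character in the password."""
    size = 0
    for cls in _CLASSES:
        if any(c in cls for c in password):
            size += len(cls)
    # Anything outside the four ASCII classes (e.g. non-Latin letters):
    # count it as one extra 100-symbol class, a rough but conservative guess.
    if any(all(c not in cls for cls in _CLASSES) for c in password):
        size += 100
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was chosen uniformly
    at random from the detected alphabet. Real human-chosen passwords have
    far less entropy than this, so the result is optimistic for the user."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the keyspace
    (2**bits / 2) must be searched."""
    return (2 ** bits / 2) / guesses_per_second


def crack_times(password: str) -> dict:
    """Expected cracking time of `password` under each scenario in GUESS_RATES."""
    bits = entropy_bits(password)
    return {name: expected_seconds(bits, rate) for name, rate in GUESS_RATES.items()}


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:.3g} years"
    if seconds >= 3600:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Constructed sample passwords: an 8-character lowercase one and a
    # 16-character random one drawn from all four classes.
    for pw in ("password", "kQ7#vB2mX!p9Lz4w"):
        print(f"{pw!r}: ~{entropy_bits(pw):.1f} bits")
        for scenario, secs in crack_times(pw).items():
            print(f"  {scenario:36s} {humanize(secs)}")
```

Running it shows the asymmetry the comment is about: the 8-character lowercase password holds up for centuries against a rate-limited login form, yet falls in seconds once a fast hash of it is in the attacker's hands, while a memory-hard KDF on the server side buys back several orders of magnitude for the same password. The 16-character random password is out of reach in every scenario, which is the case a password manager makes easy to achieve.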