My concern with Nostr, unlike the password manager, is that implementing a master password like Bitwarden's would actually make the master password and the nsec the same thing.
If so, users would have to worry about managing the master password instead of the nsec, which would not be fun.
I have the same concern actually. Here is my line of thinking:

Ultimately, the user has to remember some secret (or have a reliable device storing that secret). A password can at least go through a hard key derivation function and be much shorter than the actual nsec and easier to remember. And w/ WebAuthn as a second factor, a leaked password alone can't be used to recover the key from the cloud and decrypt it - the user could be notified about the failed cloud access and be asked to change the password.

I need to think more on this, I feel like there is still something here in what you're saying.
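A stdlib-only sketch of the design described in the reply above, added here as an example (not code from Oddbean or from either poster): the nsec stays a random 32-byte key, the password only derives a wrapping key through scrypt, and changing the password re-wraps the same nsec, so the two never become "the same thing". Assumptions: a 32-byte nsec, and an HMAC-based PRF keystream plus MAC standing in for a real AEAD (a production client would use something like XChaCha20-Poly1305 instead); the WebAuthn gate in front of the cloud copy is not modelled.

```python
import hashlib
import hmac
import os

# scrypt cost: n=2**14 keeps the demo fast; a real client would tune this higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def derive_wrap_key(password: str, salt: bytes) -> bytes:
    """Hard KDF: a short password becomes 64 bytes of wrapping material (enc key + mac key)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)

def wrap_nsec(nsec: bytes, password: str) -> dict:
    """Encrypt-then-MAC the 32-byte nsec under a password-derived key (stand-in for an AEAD)."""
    if len(nsec) != 32:
        raise ValueError("nsec must be 32 bytes")
    salt, nonce = os.urandom(16), os.urandom(16)
    k = derive_wrap_key(password, salt)
    enc_key, mac_key = k[:32], k[32:]
    keystream = hmac.new(enc_key, nonce, hashlib.sha256).digest()  # one 32-byte PRF block
    ct = bytes(a ^ b for a, b in zip(nsec, keystream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_nsec(blob: dict, password: str):
    """Return the nsec, or None if the password is wrong or the blob was tampered with."""
    k = derive_wrap_key(password, blob["salt"])
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = hmac.new(enc_key, blob["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))

def change_password(blob: dict, old_password: str, new_password: str) -> dict:
    """Rotate the password: the nsec itself is unchanged, only the wrapping is replaced."""
    nsec = unwrap_nsec(blob, old_password)
    if nsec is None:
        raise ValueError("old password does not unwrap this blob")
    return wrap_nsec(nsec, new_password)
```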