
Phishing isn't a competence issue. This is well studied. In practice, even security practitioners trained to be vigilant against phishing attacks fall to targeted ("spear") phishing attacks of suitable sophistication; that's the impetus behind phishing-proof authenticators like U2F and WebAuthn.

Phishing is a technology issue, not a user issue.



I work in the security space and fell victim to an internal campaign, as they sent a very enticing-looking email at a point where I was on leave and my grandfather had just passed.

You simply cannot know what mindset you'll be in when you get phished :)

Edit: To clarify, I was itching to work because it helps distract me from the reality that someone so dear to me was gone forever. I didn't want to cancel leave, though, because my output would have been absolutely turdy.


Problem is that passkeys aren't resilient enough to loss of the authenticator device, which means a fallback flow is always made available, and that flow is vulnerable to phishing/MITM/social engineering.

This is even more pronounced thanks to the efforts to roll out passkeys to the masses. Most of them don't understand what they're getting into and are most likely gonna get themselves locked out quite quickly, which may mean recovery flows need to actually become more relaxed than they currently are.


I'm not interested in litigating the broader question of Passkey-only login setups, only in spelling out why the field cares so much about phishing-resistant authenticators, which password managers and random passwords do not provide.
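As an added illustration of the point above, written for this page rather than taken from any commenter or from a WebAuthn library: the relying-party checks below show why a WebAuthn assertion produced on a look-alike domain is rejected, which a password typed into a convincing form never is. RP_ID, ALLOWED_ORIGINS, the helper names and the sample values are assumptions constructed for the example.

```python
import base64
import hashlib
import json
# Constructed relying-party settings (hypothetical names, not a real site).
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}
FLAG_USER_PRESENT = 0x01

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes):
    """Relying-party checks that bind a WebAuthn assertion to its origin.
    The browser (not the page) writes clientDataJSON and the authenticator
    writes rpIdHash; the signature covers both, so a look-alike domain cannot
    forge the real origin. Signature/counter checks are omitted for focus."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for what the browser would produce."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal,
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Constructed stand-in: rpIdHash || flags || 4-byte signature counter."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT]) + b"\x00\x00\x00\x01")

def demo():
    challenge = b"\x2a" * 32  # constructed; a real RP draws this from os.urandom
    genuine = verify_assertion_binding(
        make_client_data("https://bank.example", challenge),
        make_auth_data("bank.example"), challenge)
    lookalike = verify_assertion_binding(
        make_client_data("https://bank-example.com", challenge),
        make_auth_data("bank-example.com"), challenge)
    return genuine[0], lookalike[0]  # -> (True, False)
```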


Can confirm, I know all about cryptography and security and the things, and I still got phished for a bunch of cryptocurrency. The only thing that saved me is that it was in a hardware wallet, so it was physically impossible to steal. Otherwise I was ready to happily paste my private key into the (official-looking) form and domain.


> Otherwise I was ready to happily paste my private key into the (official-looking) form and domain.

Sorry, why would you ever disclose your private key to some online forum? I can't see a situation where it makes sense.

Clearly there's something I'm not thinking of, so I'm genuinely curious.


I think you misread the word "form" as "forum" there.


Ah you got me, though I don't think it changes that much.

Even with an online 'form' (presumably a phishing page) I don't understand why anyone would ever upload private keys for their wallets.

In the case of exchanges, users typically don't get access to the private key for the wallets anyway, so pretending to be an exchange to phish for something the victim can't even provide wouldn't make sense.

In the case of a local wallet, the whole purpose is personal ownership of the coins—which obviously becomes moot when sending the private key to some random person—so I don't see why a user would upload them in this circumstance either.

Though yes, the situation is certainly more understandable than GP posting private keys to an online 'forum' ;)


> I don't think it changes that much.

There's overwhelming empirical and anecdata evidence people make mistakes and fall for phishing. If that doesn't change your mind that much, it's not obvious what reasonably could.



