Not that I don't trust them but I always recommend using a dedicated PW manager like KeePassXC which is FOSS and has been security audited, plus it gives you full control over where you get to store your PWs and how they're secured and generated.
When I use a password, I look it up and type it in by hand. No autofill is possible, intentionally.
Not to say that KeePassXC isn’t useful if you want even more fine-grained controls, but it seems like in the
> Use password in browser
use case, KeePass would actually weaken the security guarantee by adding a second component you need to trust.
This is what Firefox says when I go to export my logins: "[!] Your passwords will be saved as readable text (e.g., BadP@ssw0rd) so anyone who can open the exported file can view them."
KeePassXC on the other hand gives me a simple encrypted database file that I can copy around to different places for some peace of mind.
We all have to gear our security mechanisms toward our particular threat assessments.
That's effectively what almost all of them say when you export your logins (usually as CSV, JSON, or XML), because they export in plain text, because you don't know what the user needs it for, up to and including manual input (better than expecting a random user to have to learn how to print out a database, or worse, submit that database file to some online service to print it out).
Users aren't necessarily highly computer literate; we don't want to prevent people from having security, but even if they were, they may still have use cases that do not accept such a database (migrating to a password manager that doesn't know your previous one, perhaps), so most of them use (unencrypted) plain text and just accept that they'll have to leave it in the user's hands, and warn them it's exposed.
We'd absolutely love there to be safe, portable ways to move our data around such that it remains encrypted while migrating, yes, but that's just not something our current crop of software really enables fully these days, unfortunately.
Much more convenient and quick and still reasonably secure.
That's certainly possible, but if malware were able to get installed despite my other protections, then I probably have much larger issues. And the keylogger would have to phone home with the data, which is unlikely (but not impossible) to happen without raising some alarms.
So I'm more worried about sharing data with the password management company systems themselves. If there's no real reason to send data over the net, then I don't want to send data over the net. The smaller the attack surface, the better.
It's just my personal policy. In reality, I don't consider either keyloggers or password management company computers to be huge enough risks that I lose sleep over them. Plus, I don't want to become reliant on a particular piece of software to do important things -- typing my password by hand means that I'll have the most common passwords memorized, so if something goes wrong that prevents the use of the password manager, I'm not locked out of anything.
I'd even say "adding a second vendor you need to trust". Yes, these days there seems to be a strong drive to just get a big package out of a single hand. Like having the browser closely tied to the OS. I don't like it. I prefer to choose the individual parts as I see fit. KeePass and some bit of custom sync, in this case. Now, in the same vein as I expect MS & Google to make it easy to support different browsers, I'd want Mozilla to make it easy to integrate other password managers. I'd love to be corrected, but afaik the "password manager with extraordinarily well-integrated browser compatibility" doesn't offer any way or API to connect my KeePass with it. It's only for Mozilla's own stuff. Not the open, user-controlled system I'd love Firefox to be.
The Firefox Android add-on system is even worse... only a very short list of pre-approved extensions are available. With the escape hatch for devs requiring some stupid online account. Sorry, but how is that different from an app store without side-loading?
Still recommend using Firefox, since it is the best we have. But yeah, I don't like the less and less open direction apparently chosen by Mozilla. And I wonder if not being a good role model will hurt them down the line...
You need to install Firefox Nightly.