Dedicated password manager vs browser's own password manager

I have always thought of browser password managers as less secure than a dedicated password manager. However, I note that EFF advice contemplates use of browser-based managers. See Choosing a Password Manager | Surveillance Self-Defense

This even suggests that browser extensions for dedicated password managers are a weak/vulnerable point.

What is your take on this topic?

Tavis Ormandy’s opinion on this topic: Password Managers.

You have to weigh security considerations and usability. Non-browser password managers offer features you won’t get on browser pw managers. I need some of these features, so I stick with a non-browser pw manager.

1 Like

Thanks for the link. Interesting read, although maybe a little dated? Seems also to suggest using a browser's password manager.

A good browser extension won't autofill, but needs you to do some keybinding combination or mouse click to have it fill.

1 Like

I would stay away from using browser’s integrated password manager.

First off, if your device, say a desktop, is shared with other family members, you will need to either
a) set a master password for the browser (not everyone has one) or
b) have a separate browser profile (also locked with a password) or
c) have a dedicated browser for yourself (prob. a portable version stored in a flash drive or VeraCrypt file vault)

Second, browsers' integrated password managers are pretty well known for being insecure (sorry for not quoting a source here as I don't have the time to do so atm). Password managers like KeePass have much less attack surface and are much more secure; you can even use UTF-8 passwords. Mine has an entropy of over 250 but is a fairly easy to type password. No need for a 7-word passphrase.

Third, browsers' integrated password managers lack the functionality and OS integration (esp. mobile) offered by dedicated password managers like KeePassXC / KeePassDX.

Fourth, not sure about Bitwarden, but KeePass works and stores locally, so every entry is always saved and backed up even when you're offline. Enabling file versioning gives you even easier backup and recovery options.

Fifth, you can easily back up your family members' password vaults without knowing their credentials (as long as they remember their vault password, or still have the key file).

Sorry, I sound like a KeePass salesman now :rofl:

1 Like

Thanks for your detailed reply. I've used KeePass for years but more recently have been trying KeePassXC, which has native browser integration and browser extensions. Having said that, I'm not entirely sure if the browser integration ultimately saves that much over Auto-Type and the basic KeePass.

Can I ask if you recommend/prefer KeePassXC over basic KeePass, perhaps with one of the KeePass extensions mentioned on the KeePass site?

I use different devices with different OSs, and on each I use different browsers. I also use apps that require logins, so they’re not in browser at all. I use 1Password because it is a platform that works with all devices, browsers and OSs/apps.

I just use KeePassXC with their own browser extension; it's good UX.

Never really tried the original KeePass, but I am quite settled.

I don’t need to do any of these because I don’t share my system’s user account with anyone. If you let someone use your system’s user account, at that point, the browser sharing would be less of an issue.

If one needs to share their PC with others, they should create a new user account. A guest account is also an option.

Let me quote, then (04/02/2024):

A team of Greek researchers has published a study highlighting sensitive data leak risks in password managers due to the lack of encryption in all steps of data storage and processing.

Contrary to most people's belief, security experts and security researchers agreed that the password managers' security is a joke compared to the browsers' password managers.

I find the PM I recommended is rather secure. I did not say any random PM could do the job.

One more point to note: to achieve the attack you linked, you will need to first compromise the browser, then compromise the system, then try to compromise the PM. That seems to pose a much higher bar than just compromising the browser.

Despite what this smart guy has to say, my belief is that all browser-based password managers are less secure than a dedicated app, if only because my browsers are open more often and for far longer than my PM. So I don't use them for anything important or non-trivial. InfoStealers and password extractors are widely available.

It says a powerful adversary is targeting you. I don't think you should have autofill anyway; it's not that much work to click and have it filled.

You’re absolutely right that browser password managers are often seen as less secure than dedicated tools — and that extensions can introduce risks. The EFF’s nuanced take reflects that tradeoff between usability and trust boundaries.

But there’s also a third way that avoids both risks: using the browser without storing anything at all.

Some tools run fully in the browser but never save, sync, or auto-fill anything — instead, they generate passwords deterministically from inputs like your master passphrase and the site name.

In that case, there’s no stored database to steal, no browser autofill leaks, and no extension API to exploit. It’s essentially a password manager without storage — built for users who prioritize privacy and want full control.

It’s not as mainstream, but for people with a strong threat model or who are privacy-conscious, it’s worth looking into.

1 Like
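As an added illustration of the stateless scheme the post above describes (this is example code written for this thread, not code from any tool it mentions): the site password is derived from the master passphrase and site name with a slow KDF, so nothing is stored or synced. The `counter` input, the site-name lowercasing and the character set are my own assumptions; the counter is there because without some such input a single leaked site password cannot be rotated without changing the master passphrase, which also changes every other derived password.

```python
import hashlib
import hmac
import string

# Constructed character set for this illustration (70 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministically derive a site password; same inputs always give the same output.

    master  : the user's master passphrase (never stored anywhere)
    site    : site name, normalised to lowercase so "Example.com" == "example.com"
    counter : bump to rotate one site's password without touching the others
    """
    # Slow KDF: makes offline guessing of the master passphrase from one
    # leaked site password expensive. The salt ties the output to site+counter.
    salt = f"{site.lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=32)

    # Expand the derived key into password characters using HMAC as a PRF.
    # Bytes >= 210 are rejected so the mapping onto 70 symbols has no modulo bias.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
        for b in stream:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo inputs; a real master passphrase should be much stronger.
    print(derive_password("correct horse battery", "example.com"))
    print(derive_password("correct horse battery", "example.com", counter=2))  # rotated
```

Note that the trade-off the post glosses over is visible here: anyone holding the master passphrase can derive every site password offline, and the only defence against that is the KDF cost.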

Three words: polymorphic browser extensions