Password manager browser extensions

How do you account for the difference between using a browser-based native password manager and a dedicated password manager extension in terms of threat assessment? It is universally agreed that extensions increase the attack surface and might interfere with the browser’s sandboxing. Similarly, browser-based managers can easily be extracted by info stealers or similar threats. I would like to know how a balance was struck for PG suggestions in this regard. I would also love to know if the presence of an onboard TPM and using it (via trusted path) to authenticate stored passwords in the browser makes any difference.

Would love expert opinions, and apologies if my judgement is wrong, as I am not very knowledgeable in this regard.

Asking for the Brave browser, BTW.

Thanks

1 Like

If I understand correctly, you’re trying to compare using a password manager web app versus a browser extension? There’s technically a give and take with each but I strongly prefer the browser extension. I avoid web-based cryptography because it’s almost snake oil. By using a browser extension you’d potentially increase your browser attack surface and “fingerprintability”, but it’d better protect you from phishing and typosquatting and isn’t as weak as web app crypto.

If you don’t want to risk weakening your browser’s privacy or security by any means necessary, you’re better off just using a native desktop application.

1 Like

As far as extensions go, password managers are OK to use. For autofill, don’t let it enter login info automatically; set it so that it’s somewhat manually entered, where you have to interact with it by clicking on a popup that appears over the login field. This way your login info isn’t captured by hidden fields on a malicious site.

1 Like
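The two safeguards in the post above (fill only after an explicit click, and never fill into fields the user cannot see) can be expressed as a small pre-fill check. The code below is an added illustration, not code from this thread or from any password manager; it runs on plain objects that stand in for the computed style and bounding box an extension would read from the DOM, with a constructed sample page containing two visible login fields and four hidden traps.

```javascript
// Added example: a pre-fill gate for a password-manager autofill routine.
// Field records mimic what an extension would read from the DOM
// (getComputedStyle + getBoundingClientRect); all values are constructed.

const VIEWPORT = { width: 1280, height: 800 };

// Constructed sample page: a normal login form plus hidden credential traps.
const SAMPLE_FIELDS = [
  { name: "username",     type: "text",     display: "block", visibility: "visible", opacity: "1", rect: { x: 40,    y: 120, width: 260, height: 32 } },
  { name: "password",     type: "password", display: "block", visibility: "visible", opacity: "1", rect: { x: 40,    y: 170, width: 260, height: 32 } },
  { name: "pw_copy",      type: "password", display: "none",  visibility: "visible", opacity: "1", rect: { x: 0,     y: 0,   width: 0,   height: 0  } },
  { name: "pw_ghost",     type: "password", display: "block", visibility: "visible", opacity: "0", rect: { x: 40,    y: 220, width: 260, height: 32 } },
  { name: "pw_offscreen", type: "password", display: "block", visibility: "visible", opacity: "1", rect: { x: -9000, y: 300, width: 260, height: 32 } },
  { name: "pw_tiny",      type: "password", display: "block", visibility: "visible", opacity: "1", rect: { x: 40,    y: 260, width: 1,   height: 1  } },
];

// A field counts as visible only if it is rendered, not transparent,
// large enough to be a real input, and at least partly inside the viewport.
function isVisible(field, viewport) {
  if (field.display === "none" || field.visibility === "hidden") return false;
  if (Number(field.opacity) < 0.1) return false;
  const r = field.rect;
  if (r.width < 8 || r.height < 8) return false;
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return false;
  if (r.x >= viewport.width || r.y >= viewport.height) return false;
  return true;
}

// Decide which fields may be filled. Nothing is filled without a user
// gesture; with one, only visible fields are filled and hidden ones are
// reported so the user (or a log) can see what the page tried to collect.
function planAutofill(fields, viewport, userClicked) {
  const plan = { fill: [], blocked: [], reason: "" };
  if (!userClicked) {
    plan.reason = "no user gesture: autofill suppressed";
    plan.blocked = fields.map((f) => f.name);
    return plan;
  }
  for (const f of fields) {
    (isVisible(f, viewport) ? plan.fill : plan.blocked).push(f.name);
  }
  plan.reason = plan.blocked.length
    ? `hidden fields skipped: ${plan.blocked.join(", ")}`
    : "all fields visible";
  return plan;
}

// Stand-alone demo.
console.log(planAutofill(SAMPLE_FIELDS, VIEWPORT, false));
console.log(planAutofill(SAMPLE_FIELDS, VIEWPORT, true));
```

The thresholds (opacity below 0.1, inputs smaller than 8 px) are assumptions chosen for the example; a real extension would tune them and also walk ancestor elements, since a field can be hidden by a parent's style rather than its own.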

Using any password or banking extensions just became more dangerous, because a polymorphic extension can steal your credentials from right in front of your eyes, and most people probably won’t even notice until it’s too late.

1 Like

Yeah, this is exactly why I came up with this question. Just like most third-party AVs increasing the attack surface due to their nature of operation, I sometimes feel like additional extensions, including password managers, do the same to the browser’s inbuilt security.