Password manager browser extensions

I’ve used the Bitwarden extension for years and am very happy with it.

Why? I am committing the changes to the main KeePassXC database so no risk of data loss there due to some random browser update. I’m looking into hosting vaultwarden though, seems fun.

If that happens then I’m already fully compromised :confused:

Using built-in browser password managers is not recommended:

Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.

For example, the password manager in Microsoft Edge doesn’t offer E2EE at all. Google’s password manager has optional E2EE, and Apple’s offers E2EE by default.

Browser extensions are generally not recommended either.

Tavis Ormandy (former Google Project Zero member) also thinks the built-in password manager is favourable over extensions:

I mean.. doesn’t it all come down to threat models again?

rolls eyes

Genuinely not being sarcastic here but there’s always a con to a pro and always some drawback to something. These kinds of hindrances never end… there’s always something.

It all depends on the balance between convenience, privacy and security based on the threat model you have.

Also, no matter how big of an expert you are - in this day and age when Google Chrome is as bad as it is with its privacy and lately even security - I am not going to listen to someone who still uses Chrome as a browser (as that linked post says). Just bad advice to use Chrome in 2024.

Also from the linked article:
“If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality”

Really? Same functionality? I’m not sure how old that post is but this is objectively incorrect because password managers do a LOT more than just saving usernames and passwords these days.

So, I’m sorry but your argument may not fully stand and it certainly hasn’t convinced me.

Edit: I now see that linked article is 3 years old. In the world of privacy and security, anything older than 12 months with no update on the matter should be a non-starter to even consider following advice about. Just my opinion.

There’s no easy or definitive answer to all of this.

It securely stores and puts in username & password for you. Everything else is just candy on top. :wink:

Not trying to convince anyone. Keep in mind though that Tavis Ormandy is a world class security expert and hacker so I wouldn’t easily dismiss his opinion.

I vehemently disagree. But you have your views and I have my understanding on the matter.

That may be. But it’s a 3 year old piece of “advice” or thoughts from him. I or anyone should not follow it.

Also,

It is a password manager. A piece of software that is meant to store highly sensitive info. There is absolutely no justification for using your browser’s built-in one. ESPECIALLY Chrome.

The fact that this person has written that is enough - for me at least - to not take that person seriously in any capacity. Again, personal views here.

But, the browser is already trusted with the passwords. It’s the web browser. Storing passwords in plaintext is never good, but in a secure system other applications shouldn’t have access to it and the system partition should be encrypted.

Can you explain this? If I am not storing it in the built-in password manager, then how is it already trusted? Do you mean just by simply signing into websites it is trusted?

My contention is more with the article saying using Chrome is okay. Using Chrome is never okay. That’s one hardline thinking I will not change of mine.

The browser is already trusted with handling your passwords that you input into it; if it was malicious your passwords would be compromised regardless of whether you use the built-in password manager or not. I don’t see how trusting the browser with password management is bad due to the activity being privacy sensitive (it can be really bad if you rely solely on it and lose your passwords, hence why I only use it right now as a secondary thing so that I don’t have to retype my passwords every time in websites that refuse to save my logins).

Like I said before, my contention is with Google and Edge more than anything else. Because they sync with their servers and I don’t like that. No one should like or want that. It doesn’t make it private. It may make it “secure” but even that (with the new Chrome gaffe) is questionable.

Either way, using the built-in browser one, with its highly limited capacities feature- and functionality-wise compared to dedicated password managers, is not good OPSEC. This is not news.

I’ve never had a problem with it, the KeePassXC add-on in multiple browsers. There’s just the Browser Integration tab in the KeePassXC application Database Settings to enable.

Bully for you! Not for me and I bet many others too.

You won’t be able to use passkeys on desktop without them :person_shrugging:

On Brave your passwords get synced in an E2EE “sync chain” over which you have full control. Also the passwords are locally stored in your keychain on macOS and Linux (not sure about how Windows handles it), which is as secure as it gets.

This is cool functionality, but still has the potential issue of aiding in a sandbox escape if there’s a vulnerability there (since it needs to talk to things outside the sandbox), no? Is there a reason to trust that Brave can do this more securely than the KeePassXC extension?

The problem with this is that you’re now relying on a browser to handle these passwords for you, you’re now entitled to the ecosystem, making browser/ecosystem switching (a little) harder than before. With standalone password managers like 1Password or Bitwarden, you don’t have to rely on a browser, and you can use it on any browser, regardless of the operating system you’re using and regardless of the browser you’re using.

Also, I’ve just done a bit of testing with Brave’s password manager and I was very surprised that you can’t generate passwords directly from Brave’s settings, and if you generate a password from a website, you have no customisation for password generation, it generates a (16 character?) password with no special characters and AFAIK there’s no way to change that. Since Brave is Chromium-based, I guess this is the same for any Chromium-based browser (maybe with the exception of Edge, which is Chromium-based but changes a lot of things about the UI and such).

Just read it. Holy shit. He is right about the breaking of the sandbox. On the other hand, Chrome’s password implementation does not have E2EE, AFAIK. Probably he is fine with Google knowing his passwords. :grinning_face:

There is E2EE but it’s optional as far as I know.