Apropos nothing, today seems like a good day to re-read 's post on password manager security. lock.cmpxchg8b.com/passmgrs.html
The lack of plausible alternative password managers is one of the stickiest features in Chrome.
True, there's quite a bit authors can do to protect their extension (sadly, most don't). That stated, you still have the core issue that establishing a communication channel for extensions inherently weakens the site isolation sandbox's protection against a compromised renderer.
I think there are solutions to those problems. We could have more agreement between browser makers and extension authors if we had better extension APIs—enough to implement the built-in PW manager as an extension. Is Chrome interested in accepting contributions along these lines?
That doesn't help on mobile where we don't have extensions.
Android has an OS API for autofill including for password managers:
developer.android.com/guide/topics/t
Chromium decided to go out of the way to break it for users on devices without Play services though. It used to work but they removed the native implementation and use a worse Play one.



