by chainsaw10 3374 days ago
I feel like just having a browser extension is a major security hole for any password manager. Yes it's more usable and prevents domain spoofing, but it makes the attack surface huge.

Whereas to exploit a desktop app that doesn't interface with the browser (written in a decent way), you'd need code execution already.

Thoughts?

1 comment

I think it depends on the extension. For example, browserpass [0] can only be invoked on a button press in the browser's chrome (not via scripts on the page), and while it runs a native app via Native Messaging, it just uses JSON to communicate.

[0]: https://github.com/dannyvankooten/browserpass
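
An added example, not part of the thread and not browserpass's own code: a Native Messaging host keeps its attack surface small by bounding the length prefix and rejecting any JSON outside a fixed schema. The `Request` fields, the allowed action names, the 4096-byte cap and the little-endian length prefix (the protocol uses native byte order) are assumptions made for illustration.

```go
package main
import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

const maxFrame = 4096 // assumed cap: a lookup request is tiny
// Request is a hypothetical schema for this example.
type Request struct {
	Action string `json:"action"`
	Domain string `json:"domain"`
}
var allowed = map[string]bool{"search": true, "get": true} // hypothetical actions
// ReadRequest parses one frame (4-byte length, then JSON) and rejects anything off-schema.
func ReadRequest(r io.Reader) (*Request, error) {
	var n uint32
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil {
		return nil, err
	}
	if n == 0 || n > maxFrame { // bound the length before allocating
		return nil, errors.New("frame length out of bounds")
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err // truncated frame
	}
	dec := json.NewDecoder(bytes.NewReader(buf))
	dec.DisallowUnknownFields() // extra keys are an error, not ignored
	var req Request
	if err := dec.Decode(&req); err != nil {
		return nil, err
	}
	if _, err := dec.Token(); err != io.EOF { // exactly one JSON value per frame
		return nil, errors.New("trailing data in frame")
	}
	if !allowed[req.Action] || req.Domain == "" {
		return nil, errors.New("action or domain rejected")
	}
	return &req, nil
}

func main() { // constructed frame: little-endian length prefix, then the JSON
	p := []byte(`{"action":"get","domain":"example.com"}`)
	fmt.Println(ReadRequest(bytes.NewReader(append([]byte{byte(len(p)), 0, 0, 0}, p...))))
}
```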