Hacker News
by JohnStrange 3090 days ago
I agree that browser-based password managers and password managers on Android are insecure. These platforms have huge attack surfaces.

I'm using ForgotIt? [1] because I'm its author. It doesn't have a browser interface and doesn't have a mobile version. I would make a version for iOS if I used an iPhone, but I have never planned to make an Android version, because Android devices are just too insecure. (They are theoretically secure but in practice most of them don't get enough security updates.)

That being said, ForgotIt? also has some weaknesses that are laid out in its documentation. It doesn't lock memory, so you should use encrypted swap or disable it, and its key-stretching algorithm sacrifices a higher security margin for speed.

Depending on your threat scenario you can also keep some of your passwords written on paper in your wallet. You could also keep them in a physically secured place like a wall safe. If you're worried about targeted attacks, that's in fact the best choice for most people, since no current operating system, no PC, no tablet, and certainly no phone is safe from a targeted attack by a dedicated adversary.

[1] http://peppermind.com
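The comment above says ForgotIt? does not lock memory, which is why it recommends encrypted or disabled swap. The following is an added example, not code from ForgotIt? or its author, showing what "locking memory" means for a password manager's secret buffer on a POSIX system: a page-aligned allocation that is pinned with mlock(2) so the kernel will not page it to swap, excluded from core dumps where MADV_DONTDUMP exists, and wiped through a volatile pointer before release so the compiler cannot drop the zeroing as a dead store. The struct and function names (secret_buf, secret_alloc, secret_wipe, secret_free) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical holder for key material; not part of any real password manager. */
struct secret_buf {
    unsigned char *data;  /* page-aligned storage */
    size_t len;           /* bytes the caller asked for */
    size_t alloc;         /* allocation rounded up to whole pages */
    int locked;           /* 1 if mlock() succeeded, 0 if it did not */
};

/* Allocate a page-aligned, zeroed buffer and try to pin it in RAM.
 * Returns 0 on success, -1 if the allocation itself failed.
 * An mlock() failure (e.g. RLIMIT_MEMLOCK too low in a container) is
 * recorded in sb->locked rather than treated as fatal, so the caller can
 * warn the user to fall back to encrypted or disabled swap. */
int secret_alloc(struct secret_buf *sb, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) return -1;
    size_t alloc = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;

    void *p = NULL;
    if (posix_memalign(&p, (size_t)page, alloc) != 0) return -1;
    memset(p, 0, alloc);

    sb->data = p;
    sb->len = len;
    sb->alloc = alloc;
    sb->locked = (mlock(p, alloc) == 0);
#ifdef MADV_DONTDUMP
    /* Linux only: keep the pages out of core dumps as well. */
    madvise(p, alloc, MADV_DONTDUMP);
#endif
    return 0;
}

/* Overwrite the whole allocation with zeros through a volatile pointer.
 * Returns the number of non-zero bytes left afterwards (expected: 0). */
size_t secret_wipe(struct secret_buf *sb)
{
    if (!sb->data) return 0;
    volatile unsigned char *v = sb->data;
    for (size_t i = 0; i < sb->alloc; i++) v[i] = 0;

    size_t nonzero = 0;
    for (size_t i = 0; i < sb->alloc; i++) nonzero += (v[i] != 0);
    return nonzero;
}

/* Wipe, unpin and release the buffer; safe to call twice. */
void secret_free(struct secret_buf *sb)
{
    if (!sb->data) return;
    secret_wipe(sb);
    if (sb->locked) munlock(sb->data, sb->alloc);
    free(sb->data);
    sb->data = NULL;
    sb->len = sb->alloc = 0;
    sb->locked = 0;
}

int main(void)
{
    struct secret_buf sb;
    if (secret_alloc(&sb, 32) != 0) {
        perror("secret_alloc");
        return 1;
    }
    /* Constructed sample secret; a real manager would derive a key here. */
    memcpy(sb.data, "correct horse battery staple", 28);
    printf("locked in RAM: %s (%zu bytes allocated)\n",
           sb.locked ? "yes" : "no, check RLIMIT_MEMLOCK and use encrypted swap",
           sb.alloc);
    printf("bytes still non-zero after wipe: %zu\n", secret_wipe(&sb));
    secret_free(&sb);
    return 0;
}
```

Two caveats a practitioner should keep in mind: mlock() only protects against ordinary paging, not against hibernation images, kernel crash dumps or a root attacker reading /proc/PID/mem, so the comment's advice about encrypted or disabled swap still applies even with locking in place; and because mlock() can fail under a low RLIMIT_MEMLOCK, the example reports that state instead of silently continuing.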