by Someone1234 2468 days ago
Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.

I'd prefer people use any password manager rather than go for perfection and then quit completely because the UX was terrible. KeePass may be more secure against certain specific attacks, but it is largely irrelevant if people are going to contrast it against using no password manager at all because it was too cumbersome.


The bigger issue is that anything that's not context-aware is vulnerable to phishing.

You might think you'd notice if the site you're on had a different URL than the one you're expecting, but that level of constant vigilance might turn out to be more difficult to maintain than you expect. Especially when you take into account some of the more exotic phishing techniques like IDN homograph attacks.

Even more so with browsers actively trying to hide URLs.
>> Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.

Sorry, not doomed to fail.

I'm not gonna use a password manager that is "context aware" and has the capability to auto-fill for sensitive sites - that's just my threat model. I'm okay with context aware storing of less critical passwords.

It's not just usability: The context awareness means it will prevent you from filling a password on a phishing site. I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error. Even skilled security-aware users fall victim to phishing on a regular basis, so I'd rather trust the software.
> The context awareness means it will prevent you from filling a password on a phishing site.

This is literally one of the last major attack vectors since password managers became somewhat more popular.

They all do encryption well, even the ones that keep the database on a server you don't control it's most probably actually encrypted, etc. They do the basic password manager thing. They keep your passwords.

Every time there's something wrong/vulnerable with a password manager, it is because it's a browser extension and the attack surface between the password manager and the browser is being attacked.

> I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error.

Well, it literally has been.

(this is why I'm using Keepass and no browser extension for my passwords)

The vast majority of people don't have the same threat model, and unfortunately just want the product to work, or they won't use it at all. If you can't provide relevant information for the current website, you just won't be able to succeed as a password manager outside of niche markets.
Yes, but that's the essence of the whole problem: there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't. Disabling autofill pretty much eliminates the whole vector though, without breaking UX that hard.
> there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't.

Can you give an example?

There was this example from 2017. https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-u...

I seem to remember reading about similar stuff done elsewhere, but don't remember the details (or apparently a useful search term :P).

Isn't the XSS example highlighted here a good example?
What is your concern exactly? Bitwarden by default doesn't autofill forms; you have to open the Bitwarden menu and click on the title of the website you're on.

There is an option to autofill, but it's buried in advanced settings and Bitwarden will display a warning if you try to enable it. (This message ought to be worded more explicitly, since it currently says "this feature is in beta" rather than "this feature will decrease your security", but, still, it's not a default.)

What about the threat of misspelling the address or phishing? I get a lot of comfort from the fact that the extension verifies that I'm on the website I think I'm on.
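As an added example (not code from this thread, from Bitwarden, or from any other product), here is a minimal model of the "context aware" gate the comments above argue over: the extension only offers an entry whose saved origin exactly matches the page, refuses to fill on an IDN/homograph host, and refuses to fill anything without a click (the click-to-fill default mentioned for Bitwarden, which is also what blunts invisible login forms injected by third-party scripts on a legitimate origin, as in the 2017 write-up linked earlier). The vault entries, page URLs, function names and policy choices are all constructed for illustration.

```javascript
// Added example: a model of a context-aware autofill gate. Nothing here is
// taken from a real password manager; vault entries and URLs are constructed.

// Constructed sample vault: each entry remembers the origin it was saved on.
const SAMPLE_VAULT = [
  { site: "https://accounts.example.com/login", username: "alice@example.com" },
  { site: "https://mybank.test/auth", username: "alice" },
];

// Exact scheme + host + port match. No "registrable domain" looseness: an
// entry saved on accounts.example.com is not offered on www.example.com.
function sameOrigin(savedUrl, currentUrl) {
  const saved = new URL(savedUrl);
  const current = new URL(currentUrl);
  return (
    saved.protocol === current.protocol &&
    saved.hostname === current.hostname &&
    saved.port === current.port
  );
}

// The URL parser hands IDN labels back as punycode ("xn--..."). Flagging any
// punycode or non-ASCII label is a policy choice (legitimate IDN sites exist):
// the user gets a warning instead of a silent fill on a homograph.
function hostHasIdnLabel(hostname) {
  return hostname
    .split(".")
    .some((label) => label.startsWith("xn--") || /[^\x00-\x7f]/.test(label));
}

// The weak check this example argues against: substring matching on the raw
// URL is fooled by "https://evil.test/?next=accounts.example.com".
function naiveMatch(savedUrl, currentUrl) {
  return currentUrl.includes(new URL(savedUrl).hostname);
}

// Decide whether `entry` may be filled on `currentUrl`.
// `userGesture` models click-to-fill: even on the right origin nothing is
// written into a form the user did not explicitly ask to fill.
function autofillDecision(entry, currentUrl, { userGesture = false } = {}) {
  let current;
  try {
    current = new URL(currentUrl);
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  if (current.protocol !== "https:") {
    return { allow: false, reason: "insecure-scheme" };
  }
  if (hostHasIdnLabel(current.hostname)) {
    return { allow: false, reason: "idn-host", hostname: current.hostname };
  }
  if (!sameOrigin(entry.site, currentUrl)) {
    return { allow: false, reason: "origin-mismatch" };
  }
  if (!userGesture) {
    return { allow: false, reason: "awaiting-user-gesture" };
  }
  return { allow: true, reason: "origin-match" };
}

// Which entries should the extension's menu list for this page at all?
function candidatesFor(vault, currentUrl) {
  return vault.filter((entry) => {
    try {
      return sameOrigin(entry.site, currentUrl);
    } catch {
      return false;
    }
  });
}

// Walk a few constructed pages through the gate.
const PAGES = [
  "https://accounts.example.com/login",                 // the real site
  "https://accounts.example.com.evil.test/login",       // suffix lookalike
  "https://evil.test/?next=accounts.example.com",       // fools naiveMatch
  "https://\u0430ccounts.example.com/login",            // Cyrillic "а" homograph
  "http://accounts.example.com/login",                  // downgraded scheme
];
for (const page of PAGES) {
  const decision = autofillDecision(SAMPLE_VAULT[0], page, { userGesture: true });
  console.log(page, "->", decision.reason, "| naive:", naiveMatch(SAMPLE_VAULT[0].site, page));
}
```

The order of checks matters: the homograph is rejected as "idn-host" before the origin comparison, so the user sees why the site they think they are on got no credentials, rather than a bare mismatch. Note what this gate does not solve: a credential-harvesting form served from the legitimate origin passes `sameOrigin`, which is exactly why the `userGesture` requirement is kept even when the origin matches.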
Yes, for less technical people that's great, but for people who are willing to deal with it for improved security, it's worth it. I'm not suggesting it to mom and pop here.
> Anything that isn't context aware .. is doomed to failure

> ... I'd prefer people are using

why should I as someone who is securing my own passwords care about your preferences or what will and won't work for someone else too lazy to be concerned?