by kerng 2471 days ago
>> Anything that isn't context aware (i.e. knows which website you're on so can provide the relevant information) is doomed to failure right out the gate.

Sorry, not doomed to fail.

I'm not gonna use a password manager that is "context aware" and has the capability to auto-fill for sensitive sites - that's just my threat model. I'm okay with context aware storing of less critical passwords.


It's not just usability: The context awareness means it will prevent you from filling a password on a phishing site. I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error. Even skilled security-aware users fall victim to phishing on a regular basis, so I'd rather trust the software.
> The context awareness means it will prevent you from filling a password on a phishing site.

This is literally one of the last major attack vectors since password managers became somewhat more popular.

They all do encryption well; even with the ones that keep the database on a server you don't control, it's most probably actually encrypted, etc. They do the basic password manager thing. They keep your passwords.

Every time there's something wrong/vulnerable with a password manager, it is because it's a browser extension and the attack surface between the password manager and the browser is being attacked.

> I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error.

Well, it literally has been.

(this is why I'm using Keepass and no browser extension for my passwords)

The vast majority of people don't have the same threat model, and unfortunately just want the product to work, or they won't use it at all. If you can't provide relevant information for the current website, you just won't be able to succeed as a password manager outside of niche markets.
Yes, but that's the essence of the whole problem: there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't. Disabling autofill pretty much eliminates the whole vector though, without breaking UX that hard.
> there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't.

Can you give an example?

There was this example from 2017. https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-u...

I seem to remember reading about similar stuff done elsewhere, but don't remember the details (or apparently a useful search term :P).

Isn't the XSS example highlighted here a good example?
What is your concern exactly? Bitwarden by default doesn't autofill forms, you have to open the Bitwarden menu and click on the title of the website you're on.

There is an option to autofill, but it's buried in advanced settings and Bitwarden will display a warning if you try to enable it. (This message ought to be worded more explicitly—it currently says "this feature is in beta" rather than "this feature will decrease your security"—but, still, not a default.)

What about the threat of misspelling the address or phishing? I get a lot of comfort from the fact that the extension verifies that I'm on the website I think I'm on.
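The thread above circles around one decision: when should a context-aware manager release a credential to the page it thinks it is on? The block below is an added example, not code from the thread or from any of the products it names. It models that gate in plain JavaScript with a constructed toy vault and constructed page contexts: a deliberately lax host-substring matcher of the kind that lets a lookalike domain harvest entries, next to a strict origin comparison (scheme, host and port must equal the origin the entry was saved from), plus the extra conditions the comments argue for (HTTPS only, top-level frame only, a visible field, and an explicit user gesture rather than silent autofill). All names (`VAULT`, `laxMatch`, `strictMatch`, `autofillDecision`, `candidates`) and the sample origins are assumptions made for the example.

```javascript
// Added example: a defender-side autofill gate for a context-aware
// password manager. Vault entries and page contexts are constructed
// sample data; nothing here is taken from a real product.

// Toy vault: each entry records the exact origin it was saved from
// (no trailing slash, matching what URL.prototype.origin returns).
const VAULT = [
  { id: 1, origin: "https://accounts.example.com", username: "alice" },
  { id: 2, origin: "https://bank.example.org", username: "alice" },
];

// Negative example: lax matching on a host-name fragment. A lookalike
// host such as accounts.example.com.evil.test "contains" the saved
// label and would be offered the credential. Do not ship this.
function laxMatch(entry, pageUrl) {
  const host = new URL(pageUrl).hostname;
  const saved = new URL(entry.origin).hostname;
  const label = saved.split(".").slice(-2, -1)[0]; // e.g. "example"
  return host.includes(label);
}

// Strict matching: the page origin must equal the saved origin exactly.
// URL.origin normalises scheme, host and port, so http vs https and
// any extra suffix on the host are both mismatches.
function strictMatch(entry, pageUrl) {
  return new URL(pageUrl).origin === entry.origin;
}

// Which vault entry ids a given matcher would offer on this page.
function candidates(pageUrl, matcher) {
  return VAULT.filter((e) => matcher(e, pageUrl)).map((e) => e.id);
}

// Full decision. ctx is a constructed page context:
//   pageUrl       - URL of the document hosting the login form
//   topLevelFrame - true if the form is in the top-level document
//   fieldVisible  - true if the field is rendered and on screen
//   userGesture   - true if the user explicitly picked the entry
// Every failed condition is reported so a UI can explain the refusal.
function autofillDecision(entry, ctx) {
  const reasons = [];
  if (!strictMatch(entry, ctx.pageUrl)) reasons.push("origin-mismatch");
  if (new URL(ctx.pageUrl).protocol !== "https:") reasons.push("not-https");
  if (!ctx.topLevelFrame) reasons.push("embedded-frame");
  if (!ctx.fieldVisible) reasons.push("hidden-field");
  if (!ctx.userGesture) reasons.push("no-user-gesture");
  return { allow: reasons.length === 0, reasons };
}

// Stand-alone demonstration on constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const phish = "https://accounts.example.com.evil.test/login";
  console.log("lax on lookalike:   ", candidates(phish, laxMatch));
  console.log("strict on lookalike:", candidates(phish, strictMatch));
  console.log(
    autofillDecision(VAULT[0], {
      pageUrl: "https://accounts.example.com/login",
      topLevelFrame: false,
      fieldVisible: false,
      userGesture: true,
    })
  );
}
```

The strict comparison is what makes the manager "know which website you're on" in a way that survives a misspelled address: the lookalike host yields no candidates at all. The frame, visibility and gesture checks cover the other failure mode discussed above, where a script on an otherwise legitimate page places a form the user never sees; with those rules the manager only ever fills a field the user has deliberately chosen to fill.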