[methodsignature]

> Integrating a password manager with a browser is too fragile and risky way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user.

Which gets targeted more and why, the user or the password manager?

If you are suggesting that we should be manually entering passwords into sites as copied/observed from our password managers, that removes the anti-phishing benefits of password managers altogether by giving primary control back to the human. If I never type a password again, those hackers sending fake login page links "from my boss" will never gain me. Not so with no direct connection between my password manager and my browser.

[posix_me_less]

You have a point, but I think technical people here are more concerned about buggy or malicious or badly interacting local software than about them falling for such phishing attempts on websites. I may be wrong, and I agree verifying validity of URL is a nice feature. A feature that should be implemented by the browser as well.

[gegtik]

this requires you to only remember one horcrux to add a layer to security, and it survives key rotation. there is a difference.