by closeneough 1835 days ago
I would NOT recommend the Chrome password manager. If you sync your passwords, they will not be stored encrypted on Google's side. You need to specifically set password encryption in the settings.

I've also spent a lot of time understanding password managers in my master's thesis. What I can recommend is: https://pfp.works/

The creator was auditing password managers like LastPass, found a lot of issues, and used his knowledge to create pfp, which does it right imho.

4 comments

The instructions on the PFP website for how to do various things often begin with the following steps:

> Click PfP icon on any website

> Enter your master password

Can't a website just fake a PFP icon to induce you to reveal your master password, and now the website owner has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write OP?

Pfp puts the icon in the browser bar to counter such an action. So the pop-up can only be opened this way, and the pop-up is in a different context than the website itself.

Yes the pop-up could be faked, but not the button.

Actually, Tavis Ormandy found a lot of security breaches in password managers that loaded GUI elements into the website. Not only can you fake them, but they are also susceptible to clickjacking.

They did the thing that Tavis complained about: "No need to trust us, your data stays on your device (safely encrypted)"

You still need to trust that the software is secure.

Yes you need to trust the software. But unless you don't store it on your computer, you need to trust software. The hard part is to figure out which software and whom to trust.

I would definitely use the browser password manager if I could choose where to sync the data to. I think it's possible with Firefox, but it's not straightforward.

I personally trust pfp, because the creator is doing audits of browser addons and publishes them on his blog. They are very well explained.

Also the code is quite compact compared to the other password managers. LastPass, 1Password and Bitwarden have more than 100,000 lines of code, including many third party dependencies. So an audit of PfP is more feasible.

Could you share a link to your thesis?
It's still in the works and unfortunately I've written it in German. If you're still interested I'll share a link as soon as it's released. Should be sometime this summer.
Isn't it encrypted using the Google Account credential, if you don't specifically set a password?
It is locally, but server-side it is less obvious. They don't really say explicitly, but this page strongly suggests that they are encrypted server-side too: https://support.google.com/chrome/answer/10311524
That page is referring to their password breach detection feature though, not password sync. The sync pages have language which indicates that the encryption is only end-to-end if you use a passphrase. See:

https://support.google.com/chrome/answer/165139?hl=en&co=GEN...

> With a passphrase, you can use Google's cloud to store and sync your Chrome data without letting Google read it. ... Passphrases are optional. Your synced data is always protected by encryption when it's in transit.