by elpatokamo 1792 days ago
Besides convenience, one of the benefits of autofill is that it offers some implicit feedback about potential phishing sites. For example, your O365 credentials shouldn't autofill on off1ce.com. If I were on a site and noticed that my credentials didn't autofill (or offer autofill) when they normally would, this would immediately raise some red flags for me.

The article does look at how password managers autofill on different levels of subdomains, which is relevant to my point above - a hijacked subdomain would be a problem for many of the password managers he tested.

1 comments
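As an added illustration of the domain-matching feedback discussed in the comment above (example code written for this thread, not from the article or any password manager; the vault entries, host names and the tiny public-suffix set are constructed), this shows why a look-alike domain never gets credentials offered, while a loose "same base domain" policy would hand them to a hijacked subdomain:

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (the real list has thousands of rules).
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}

# Constructed vault: (URL the login was saved on, username).
VAULT = [("https://login.example.com/", "alice@example.com")]


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for host, e.g. 'login.corp.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    # The registrable domain is one label longer than the longest public suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def matching_credentials(page_url: str, vault=VAULT, policy: str = "exact") -> list:
    """Usernames a manager would offer on page_url.

    policy 'exact' requires the same host as the saved entry; 'base_domain'
    accepts any host under the same registrable domain (the looser rule that
    exposes credentials to a hijacked subdomain).
    """
    page_host = host_of(page_url)
    offered = []
    for saved_url, username in vault:
        saved_host = host_of(saved_url)
        if policy == "exact":
            ok = page_host == saved_host
        elif policy == "base_domain":
            ok = registrable_domain(page_host) == registrable_domain(saved_host)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if ok:
            offered.append(username)
    return offered


if __name__ == "__main__":
    for url in ("https://login.example.com/signin", "https://login.examp1e.com/",
                "https://old-blog.example.com/"):
        print(url, "exact:", matching_credentials(url),
              "base_domain:", matching_credentials(url, policy="base_domain"))
```

Under either policy the look-alike host gets nothing offered, which is the silent signal the comment describes; only the base-domain policy also offers the credentials on the forgotten subdomain.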

Your first point doesn't really seem valid when comparing manual to automatic autofill. When I manually autofill, my password manager will show a suggested list of matching passwords. off1ce.com would not suggest my Office password, so I would still be alerted to a phishing site.
I'm not sure I follow - automatic autofill and manual autofill would both raise red flags by not automatically filling in credentials (automatic autofill) or not suggesting credentials (manual autofill).

edit: I think I understand. My first point doesn't show that automatic autofill is better than manual, because both methods will raise red flags. I.e. this isn't a reason to choose automatic over manual autofill. I think this is a fair point.

I do think that both autofill methods have an advantage over simple copy/paste, especially given the XSS discussion in other threads here.