passff and other tools like them scare me too much. That browser extension has too much power. All it would take is the author to sell it to some bad actors (or turn into one) and a lot of people will be having a very bad day.
Pasting my password into a form isn't that bad, and it feels far safer.
I use a couple of little scripts to do something somewhere in the middle that I'm happy with:
`fzf-dmenu` spawns an alacritty window running fzf over given input.
`pass-dmenu` calls the former with available password names; takes the result (if any) and decrypts & types it with `pass show $result | xdotool type --file -`.
(And if it's not obvious, that's bound to a keypress, so from the browser I just hit F4, type e.g. 'hn<CR>' and my password is entered into the focussed input area.)
Some distros package browser extensions, so you can install them via your regular package manager. For example arch packages firefox-extension-passff (I haven't personally used it though)
Pasting my password into a form isn't that bad, and it feels far safer.