[revasm]

The problem with in-browser password management is that the attacker does not need to escape the browser. Code injection (via XSS or a browser exploit) into a running extension is likely easier than defeating the seccomp-IPC implementation or the AppArmor/SELinux profiles which protect the system. Addons like LastPass are mainly concerned with remote server weaknesses, but nothing will protect the browser from itself.

Another opinion: It's weird loading a browser+environment for non-browser passwords (SSH, HTTP/WebDAV, etc), and it's equally weird managing the passwords separately.