I like Chrome/Chromium's password manager. You just log in the first time you open it and it autofills passwords. Don't have to install any additional software or configure anything, and it'll also autosuggest passwords you saved on websites in Android apps.
The only thing I miss sometimes is you can't manually add passwords.
The attack surface of a browser makes it a perfect target - I would not advise storing any critical passwords with the browser or in close reach to the browser.
You're going to be entering these passwords into a browser most of the time so if a compromised browser is your problem, no password manager is really going to help you.
That depends on the time between compromise and detection. With a password manager you'll lose only passwords for sites you actually logged in to. While with the browser, you'll lose all passwords instantly.
I'm not sure I follow. If your browser is compromised that's it - it's compromised for everything. Your system is compromised. If I have control over your browser, I don't really need your passwords although I can likely get them out of whatever local password manager you have, to boot.
That's not how it always works. There are tons of compromises that do not imply system compromise, like XSS, or arbitrary browser process memory reads, or extension bugs, or java ghost scripts, etc...
There are many different ways to get compromised. Reducing attack surface is always a good idea.
And yes, I do close all browser windows/processes before logging in to, and after logging out of, important websites, for instance to make sure cookies and passwords are gone from browser memory.
I don't think this really addresses my point. You're saying the in-browser password manager is somehow more dangerous than some external password manager. I don't think this is true. And the browser presents the same attack surface if you're, you know, using the browser. If your browser is a vector for successful compromise, you're boned if you use the browser, whatever elaborate protective ritual you follow while using it.
Well, on Windows Chrome does use the system crypto API and encrypts, I believe, your whole profile, but only if you have a password set on your system account.
Unless they on-the-fly decrypt your chrome sync (which would require non-encrypted password storing), the stuff you sync to Google is encrypted with your Google password, and if you're paranoid, you can encrypt the sync with a separate password.
> the stuff you sync to Google is encrypted with your Google password
Your Google password is also available to Google. (At least every time you log in, even if they properly hash and discard it after authenticating you and just use a token from there.)
I highly suggest you read Chrome's privacy policy on that password sync feature. Hint: when enabled on Android the wifi password is unencrypted (or reversible, which is close to the same thing. They claim it must be so to work with Wear).
I used to be a fan of keepass as well, but I moved to bitwarden maybe 18 months or so ago. For $10 a year for the paid version I get MFA and some other features. I find it a much more seamless experience than keepass/etc, as it works as a browser extension or a discrete app (the Android app uses accessibility features so it detects other Android apps asking for authentication as well as Android browsers such as Firefox). Anyway, just another thing to try if you are looking...
I moved to BitWarden too, but mainly because the browser extension for KeePass (Kee) didn't work well. BitWarden is good, but the Android app is nowhere near KeePass2Android, which I sorely miss.
I tried but on the thread page itself the reply button was missing under your comment. I guess I'll open the message direct link next time to reply when it's missing.
I feel it's slightly better to rely on something else for the syncing (even better if you do it manually). I just feel like a password safe would draw immense interest from bad actors, so you marginally decrease your chances by using something else for syncing. That way if the password storage code was compromised somehow, it can't do much.
Then again, a password storage solution is probably investing so much more into security that it may actually be better than using something else...
What kinds of threats are you imagining though? KeePass2Android doesn't e.g. open any listening ports does it (I haven't checked)? (Not that NAT would make it easy to connect to it if it did anyway?) Are you imagining it would "accidentally" open a port? And you don't browse the web on it or otherwise run untrusted code on it. How are you imagining it would possibly get hacked? If it's connecting to e.g. Google Drive, then Google Drive or your DNS would need to get hacked somehow, and I'd hope it's checking certificates to prevent that (shouldn't be hard to verify this if this is your concern). If it's via Syncthing, your Syncthing would need to get hacked. In both cases your database would be hacked in which case you'd have the same issue with the offline version too...
OTOH you're losing entry-level syncing which is quite the inconvenience...
For me, I sync by plugging my phone into the USB port and copying the .kdbx file over. I've never needed anything fancier, let alone had a reason to send my password database out over the internet.
Wow I see. Props to you... on my end it's so much of a hassle to find a cable and grab my phone and connect it to my computer every single time I update my password database.