I store all of my passwords in firefox’s built-in password manager. They auto-fill into websites, sync to my phone, notify me if one appears publicly, and I can generate strong new passwords conveniently. The pw vault is stored encrypted in the cloud as far as I know, but I don’t really know the technical details. I presume that it’s just as secure as using a “proper” manager.
Is there a problem with not using a dedicated password manager? I used to use LastPass but then… I stopped. And at the time I didn’t see anything wrong with just sticking with FF.
Using Firefox is fine right? If so, what’s the benefit of something like BitWarden/etc over the built-in one?
Accessing every password would require a breach of the browser or the extension, right? Because the extension will only fill passwordds with a matching URL, so with the browser must be compromised to provide the wrong URL, or the extension compromised to accept a wrong URL? I am not sure how separating the extension and the manager helps with this?
To get every password, you’d have to exploit the password manager process itself. The manager asks you to approve every single password it hands out and you would know something is wrong if the extension starts asking for lots of passwords.
The separation keeps the memory where the passwords are stored away from the browser. No malicious code executing inside the browser can access it. Also, the protocol between the extension and the manager can be really simple and (hopefully) easy to get right without making exploitable mistakes.
It’s the Swiss cheese principle. The attacker has to break out of the website sandbox, get into the extension to copy the secret keys that are needed to impersonate the extension in the connection to the password manager, and exploit the password manager through that connection in order to get to the passwords. If any step fails (the holes in the cheese slices don’t align), the attack doesn’t get through.