Last week I posted about reviewing passwords and mentioned using a password manager as part of that effort. DaniSQL noted in a comment a whitepaper about some browser vulnerabilities that can impact password managers – http://isecpartners.github.io/whitepapers/passwords/2013/11/05/Browser-Extension-Password-Managers.html. It’s a quick read and as always when we talk about security it often seems like can nothing be easy? A big point in the paper in that autofill can work against you – hidden fields on the page for example. Independent passwords per site helps reduce the pain if you get hacked and so would two factor authentication, but that isn’t the same as not getting hacked. Autofill is a huge convenience though. The manager I use allows me to set that option per site, so I’ll try to only use it where either the possible pain is almost nothing or I’m trusting the site to get it right every time (my bank?).
Knowing the risks is good. I still think the pros of a password manager used responsibly far outweigh the risks.