This post by Tavis Ormandy about password managers and how they integrate with browsers has been sat in my reading list for a while, mainly because I wasn’t sure how I felt about it.
Yes, I understand what he’s saying about the way most password manager apps are hooking into desktop browsers, and how that could be subverted. But then I look at how things work on iOS (and Android) where it’s done at the input level. If there’s a fault here, I’d say it was with the browser makers rather than the password manager makers.
And while built-in password managers are pretty good nowadays, you’re only skirting around the weak points at the UI level. And if you’re using different browsers on different devices, then you’re stuck unless you use a third-party password manager to store that data for you.