I use Bitwarden, and to my knowledge the issue raised in this article does not apply to it -- all interaction is through the extension's icon, with no UI elements injected into the page itself.
Combined with being completely open-source (including backend), full-featured even in the free version, and $10/year pro version (with features like sharing, encrypted storage, etc.), I can recommend it to practically anyone.
BW has had other issues before. For example, it tends to send your credentials with basic auth requests without your knowledge and without a setting to turn it off. The code executed in your browser can also be manipulated to exfiltrate your entire password store once you unlock it if someone gains access to whatever account Bitwarden uses to publish their addon.
Bitwarden is certainly one of the better password managers in my book (seriously, some of its competitors don't even let you add arbitrary fields to credentials!) and has proven to be reasonably secure. However, you cannot ignore the vulnerability the browser extension model or any auto-update model might bring to something as sensitive as a password manager.
I'm using it myself in combination with a self-hosted bitwarden-rs instance (used to run the native version but its performance was just terrible) and I can't say I regret the decision.
I do wish that browsers would expose an autofill API to password managers, though, so addons wouldn't need to inject JavaScript or do other funky stuff to get passwords filled in.
> BW has had other issues before. For example, it tends to send your credentials with basic auth requests without your knowledge and without a setting to turn it off.
This isn't true - I use BW and annoyingly it doesn't work with Basic Auth at all. This is because I have disabled auto-fill.
Ah, it looks like they've fixed that bug, then. It used to be that regardless of your autofill setting, basic auth would be presented; this was because the browser API requires basic auth to be non-interactive and an arbitrary decision has to be made.
From what I can see, this issue was still being reported in April[0] but perhaps it's been patched in the meantime. The devs had been going back and forth about this for so long that I stopped paying attention to the issue after a while.
I use Bitwarden too, and I self-host it so that vector of attack becomes much smaller. But while Bitwarden doesn't add elements to the page, it does alter existing page elements by auto-filling your credentials. If I understand it properly, the gist of the article is the ability to spoof the fields that receive those credentials.
Copying out of Bitwarden and pasting into the visible fields would get around that instead of using its auto-fill.
The problem currently is that from a UI POV using the icon to complete is a bit annoying; it would probably be better if a floating complete icon were added to the fields when a site is recognized. And that should solve the problem, no?
No, because adding the floating icon requires injecting code on the page to create the icon. So then the page has a way to interfere with your password manager's UI. That is the problem with the content script approach.
Although if the browser provided a specific mechanism for extensions to create floating icons that couldn't be altered by the page (and you make sure to account for hidden fields and other clickjacking techniques), then that might work.
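As an added illustration of the "spoofed fields" and "hidden fields" concern discussed above (this is example code written for this page, not code from Bitwarden or from any commenter), the block below models a login page that also carries decoy password fields a page script could plant: one with `display: none`, one positioned off-screen, one fully transparent. A naive content-script autofill that writes the secret into every password input hands it to all three decoys, which the page's own JavaScript can then read and exfiltrate. The guarded variant fills only fields a user could actually see, and only the first such pair. The DOM here is a constructed stand-in of plain objects (`style`, `rect`, `value`), not real browser APIs, and the visibility heuristics are illustrative assumptions rather than any particular extension's logic.

```javascript
// Added example: decoy-field credential harvesting vs. a visibility-checked autofill.
// Elements are plain objects standing in for DOM nodes (constructed test data).

const VIEWPORT = { width: 1280, height: 800 }; // assumed viewport size

// Constructed page: one real login form plus decoy password fields a malicious
// (or XSS-compromised) page could inject to catch whatever the extension fills.
function buildLoginPage() {
  return [
    { tag: 'input', type: 'text',     name: 'user',           style: {},                    rect: { left: 100,   top: 100, width: 200, height: 30 }, value: '' },
    { tag: 'input', type: 'password', name: 'pass',           style: {},                    rect: { left: 100,   top: 140, width: 200, height: 30 }, value: '' },
    { tag: 'input', type: 'password', name: 'pw_hidden',      style: { display: 'none' },   rect: { left: 0,     top: 0,   width: 0,   height: 0  }, value: '' },
    { tag: 'input', type: 'password', name: 'pw_offscreen',   style: {},                    rect: { left: -9999, top: 0,   width: 200, height: 30 }, value: '' },
    { tag: 'input', type: 'password', name: 'pw_transparent', style: { opacity: '0' },      rect: { left: 100,   top: 180, width: 200, height: 30 }, value: '' },
  ];
}

// Heuristic visibility check: CSS hiding, zero size, or fully outside the viewport.
function isVisible(el) {
  const s = el.style || {};
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return false;
  const r = el.rect;
  if (r.width <= 0 || r.height <= 0) return false;
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return false;
  if (r.left >= VIEWPORT.width || r.top >= VIEWPORT.height) return false;
  return true;
}

// Naive content-script autofill: every password input receives the secret.
// Returns the names of all fields that ended up holding the password.
function naiveAutofill(dom, cred) {
  for (const el of dom) {
    if (el.tag !== 'input') continue;
    if (el.type === 'password') el.value = cred.password;
    else if (el.type === 'text') el.value = cred.username;
  }
  return dom.filter(el => el.value === cred.password).map(el => el.name);
}

// Guarded autofill: only the first visible password field, plus the nearest
// visible text field above it for the username. Same return value as above.
function guardedAutofill(dom, cred) {
  const visible = dom.filter(el => el.tag === 'input' && isVisible(el));
  const pw = visible.find(el => el.type === 'password');
  if (!pw) return [];
  pw.value = cred.password;
  const user = visible.filter(el => el.type === 'text' && el.rect.top < pw.rect.top).pop();
  if (user) user.value = cred.username;
  return dom.filter(el => el.value === cred.password).map(el => el.name);
}

// What the page's own script could exfiltrate: any invisible field now holding the secret.
function leakedVia(dom, cred) {
  return dom.filter(el => !isVisible(el) && el.value === cred.password).map(el => el.name);
}

// Stand-alone demonstration with constructed credentials.
const demoCred = { username: 'alice', password: 'hunter2' };
console.log('naive   :', naiveAutofill(buildLoginPage(), demoCred));
console.log('guarded :', guardedAutofill(buildLoginPage(), demoCred));
```

The guarded version narrows the damage but does not remove the underlying problem the thread describes: the check runs inside a content script, so a page can still restyle or reposition fields after the check, or race it. That is why the comments above argue for a browser-provided autofill surface the page cannot reach.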
Bitwarden has a right-click context menu, which allows you to fill, or copy username/password. This is easier than the icon, and it doesn't require enabling the autofill feature.