
> some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

This way lies dragons. Browsers are among the most complicated software that most people run on their machines these days, and the number of bugs lurking in them is probably large.

I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager, or using xdotool or hammerspoon to type them in.




> I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager

This is my practice, but I take it a step further. My passwords are stored in a non-networked password manager on my phone, not on any other machine. So when I need to use a password, I can't copy/paste. I have to type it in by hand.

I want maximal disconnect between my password manager and anything that uses passwords. And I never use SSO stuff, because I don't want anybody involved in authentication aside from me and the thing I'm authenticating to.


Well, the alternatives you mention are all prone to keyloggers or similar.

If you take say OAuth/OIDC, the only thing the browser needs is the token. It doesn't have to be involved in the authentication at all really, it just needs a token it can send as part of the requests.

Of course this requires that the site uses OAuth/OIDC, but hopefully that's where things are headed.
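The token-only role for the browser that the comment above describes, as an added example that is not part of the original thread: a toy OAuth2/OIDC-style exchange in plain Python with three parties. The authorization server mints a signed, expiring bearer token after the user has authenticated there; the browser-side client only stores that token and attaches it to requests; the resource server verifies signature, algorithm, audience and expiry before trusting any claim. The signing key, token format, audience string and scope names are all constructed for this example (a real deployment would typically use asymmetric keys or token introspection rather than a shared HMAC secret).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed shared secret between authorization server and resource server
# (hypothetical value for this example only).
SIGNING_KEY = b"example-signing-key-not-for-production"
AUDIENCE = "forum-api"  # constructed audience identifier for the resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(subject: str, scope: str, ttl: int, now: int,
                       key: bytes = SIGNING_KEY) -> str:
    """Authorization server: the user authenticated *here* (password, passkey,
    whatever); only a signed token leaves. The credential itself never reaches
    the browser or the resource server."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": scope, "iat": now,
               "exp": now + ttl, "aud": AUDIENCE}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_request(token: str, path: str) -> dict:
    """Browser/client side: all it holds is an opaque bearer token, which it
    attaches to each request. No credentials are handled at this layer."""
    return {"method": "GET", "path": path,
            "headers": {"Authorization": "Bearer " + token}}


def verify_token(token: str, now: int, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Resource server: check signature, algorithm, audience and expiry before
    trusting any claim. Returns the claims dict, or None on any failure."""
    try:
        h, p, s = token.split(".")
        sig = _b64url_decode(s)
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged or tampered token
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None  # malformed token
    if header.get("alg") != "HS256":
        return None  # refuse unexpected algorithms (e.g. "none")
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None  # wrong audience or expired
    return claims


def handle_request(request: dict, now: int, required_scope: str = "read") -> Tuple[int, str]:
    """Resource server request handler: HTTP-style status plus a body."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if required_scope not in claims["scope"].split():
        return 403, "insufficient scope"
    return 200, "hello " + claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = issue_access_token("alice", "read", ttl=3600, now=now)
    print(handle_request(build_request(token, "/posts"), now))
    print(handle_request(build_request(token, "/posts"), now + 3601))
```

The point the example makes is the one in the comment: the browser-side code in `build_request` never sees a password, only a token, so the damage a compromised browser can do is bounded by what that token is valid for and for how long. That is also why `verify_token` checks `exp` and `aud` and pins the algorithm rather than only checking the signature.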


I don't disagree... but I stopped really using OAuth when realizing that I could lose access to all those services if the whim of an algorithm closes my (OAuth) account.


Right, but using OAuth doesn't mean using Google, Microsoft or Facebook for everything. It's common because it's convenient, but has issues like you say.

Someone running a Discourse forum could very well run, say, Ory[1] to have their own OAuth2 authentication service, if they wanted. Hopefully things like this will get a bit more tightly integrated than they currently are.

[1]: https://www.ory.sh/run-oauth2-server-open-source-api-securit...





