If someone does a man-in-the-middle attack on a clueless user, the user may accept an invalid certificate for your site because they are rushing through to go get one of their passwords. Offline password managers are better at mitigating the non-security-minded user problem.