Totally agree with you on the convenience factor. Still doesn't mean I'm going to use a browser extension to securely manage my passwords. Or something proprietary. And lets me decide how and where to store/sync the encrypted blob of my password DB.
So I use KeepassX for Linux (and Keepass2Android on my mobile), and I frankly don't understand why it's not recommended way more often. It's open source, doesn't have those problems, nor does it have a company--ego--attached to it that has incentives to downplay security issues to save face/profit. Ego is a potential attack surface.
Every time the password-manager discussion comes up, I scan the thread and check what possible problems any of them have. And all of the other ones have at least some of those issues that I care about, even if only that the encrypted blob is stored somewhere out of your control. Except for KeepassX, for which the only "serious" downside I've read is that some big security names on Twitter seem to really dislike the GUI for some reason. Which is a fine opinion, but not one where I'd consider their expertise to hold much value over anyone else's (and one I personally disagree with).
> Here's another question to ask: "Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?"
Okay, so here's how I use KeepassX for Linux:
The application is small and lightweight and therefore already open (but locked) as an icon in my systray. I have to unlock the vault due to timeout[0]. To find the entry, I type a few characters in the search box, or select it from the appropriate category/folder. I put the few ones I use most in the default/top folder for even quicker access. Then I right-click the entry and select "perform autotype". Done.
"Perform autotype" seems to basically send a bunch of keyboard events: <alt-tab>, [username], <tab>, [password], <enter>. This sequence works on every login form I use. There are probably exceptions, but iirc you can configure the autotype sequence. Otherwise, for that one login form that is weird and annoying, you can always right-click and use "copy username/password to clipboard" (which is auto-cleared after X seconds). Finally, if the login form won't let you autotype AND doesn't let you paste, it becomes even easier: right-click, "delete entry" and never use that service again because COME ON, really.
edit to add: the Android app, Keepass2Android, is slightly more cumbersome to use, but that's mainly because I find touch-screen typing my master password a bit of a pain. After that it's actually easier: once you've selected the entry, you select Keepass2Android as keyboard app, which only has these buttons: [User], [Pass], [Next field], [Submit]. When entering the master password there's also a checkbox "allow quick unlock", which allows you to unlock using only the last 3 chars of your master password (for the duration of a second, longer and configurable, timeout).
[0] Do other password managers get around this? I really don't see how, without getting the same exposure as I would get by disabling the timeout in KeepassX?