iSECPartners password manager survey
The survey is located here.
https://www.isecpartners.com/research/white-papers/browser-extension-password-managers.aspx
1Password seems to have the fewest issues, but they still point out some (although they tested an old version of the extension, 3.9.19).
— automatic updates in an insecure manner by reaching out to an un-protected endpoint: http://updates.agilebits.com....
— ignored subdomains when comparing origins. That means that a login form encountered on https://forum.example.com will still be treated as equivalent to a login form encountered on https://example.com/log_in — violating the same-origin policy.
— None of the examined password managers appear to verify the login page for a remembered password on a given domain. For example, although Vimeo’s login page is hosted at https://vimeo.com/log_in, all of the examined password managers will detect login forms anywhere on the https://vimeo.com/ domain.
Would like to hear from the devs what they think about it and whether they're going to fix the issues that are (if any) still relevant.
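The two matching issues quoted above (subdomains ignored, login page not verified), shown as an added example that is not part of the original post, the survey, or any password manager's code. All function names and sample URLs are hypothetical, and the loose check is a constructed hostname-only comparison.

```javascript
// Added illustration: three ways an autofill decision can compare the URL a
// login was saved on with the page now asking for credentials.

function parse(u) {
  try { return new URL(u); } catch { return null; } // malformed URL: never fill
}

// Loose check (constructed): a host and its subdomains are treated as the
// same site, so forum.example.com is accepted for a login saved on example.com.
function matchIgnoringSubdomains(savedUrl, pageUrl) {
  const s = parse(savedUrl), p = parse(pageUrl);
  if (!s || !p) return false;
  const a = s.hostname, b = p.hostname;
  return a === b || a.endsWith("." + b) || b.endsWith("." + a);
}

// Same-origin check: scheme, host and port must all be identical.
function matchOrigin(savedUrl, pageUrl) {
  const s = parse(savedUrl), p = parse(pageUrl);
  return !!s && !!p && s.origin === p.origin;
}

// Strictest check: same origin and the same path as the remembered login page.
function matchLoginPage(savedUrl, pageUrl) {
  const s = parse(savedUrl), p = parse(pageUrl);
  return matchOrigin(savedUrl, pageUrl) && s.pathname === p.pathname;
}

function compare(savedUrl, pageUrl) {
  return {
    ignoringSubdomains: matchIgnoringSubdomains(savedUrl, pageUrl),
    sameOrigin: matchOrigin(savedUrl, pageUrl),
    sameLoginPage: matchLoginPage(savedUrl, pageUrl),
  };
}

// Constructed sample input.
const SAVED_LOGIN = "https://example.com/log_in";
const PAGES = [
  "https://example.com/log_in",      // the remembered login page
  "https://forum.example.com/login", // different origin (subdomain)
  "https://example.com/profile",     // same origin, not the login page
  "http://example.com/log_in",       // scheme differs, so origin differs
];
for (const page of PAGES) {
  console.log(page, JSON.stringify(compare(SAVED_LOGIN, page)));
}
```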