
How do you store passwords and other confidential information?

Whatever your personal thoughts on software, cloud, or excellent passwords …
go online, google the following search terms [ Schneier snake oil ], and read the article published by Bruce Schneier a number of years ago. Then wait a little, think a little … don’t fall for snake oil, neither the free nor the commercial varieties. Good luck!

AJ
Germany

Yes; I am familiar with Bruce Schneier; I read his famous crypto book, Edition 1 with all the typos.

Actually I wonder what exactly is wrong with storing passwords in Chrome. This explains the process used; it is as secure as your computer (OS) login. IOW, if somebody gets physical access to your computer, or hacks it in some way, sufficient to capture your OS login, he gets all your passwords. But if somebody has that level of access, he can install software to capture the master password used by any “password manager”… Google explain here why they do it the way they do it.

So yes, it seems that the 3rd party password managers are all basically snake oil – unless you can guarantee physical security of the device, and if you can do that, you don’t need them anyway.

2FA (e.g. sending a text message to you to confirm something) is all the rage these days, is a huge hassle if you live in the ~90% of the UK’s surface area (known as “the countryside”) where there is negligible GSM signal, and is no good if used on the device used to receive the SMS (i.e. your phone).

Exactly the same discussions can be had for passwords versus certificates, AFAICT.

Administrator
Shoreham EGKA, United Kingdom

SMS 2-factor is rapidly losing its advantages. A third party code generator like Authy is much safer. Unfortunately Microsoft doesn’t support these.

EGTF, LFTF

Peter wrote:

2FA (e.g. sending a text message to you to confirm something) is all the rage these days, is a huge hassle if you live in the ~90% of the UK’s surface area (known as “the countryside”) where there is negligible GSM signal, and is no good if used on the device used to receive the SMS (i.e. your phone).

Peter,

2FA means you need a second factor, not necessarily SMS. Some companies use the unique code generation (FOB or app) and this works anywhere.

EGTR

Peter wrote:

But if somebody has that level of access, he can install software to capture the master password used by any “password manager”

But it’s very rare for that to happen.

What usually happens is people use the same password for all the services and websites they use (including financially sensitive ones). Then one of these thirty or forty sites that you’re signed up to using your email address and the password you use everywhere gets hacked, and like many sites that get hacked, it either uses extremely weak hashing functions on the stored passwords, or worse still, stores them in plain text. Then the bad guys get access to your other accounts that way.

Even having a different password written on a Post-It for each site is better than re-using passwords across multiple sites.

Andreas IOM
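What “extremely weak hashing” means in practice, as an added example that is not from any post in this thread: an unsalted fast hash such as MD5 turns every reused password into the same digest, so one leaked record answers for every site that stored it the same way, whereas a per-record salt plus a slow key derivation function gives a different record each time and has to be attacked one record at a time. The password value is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample password; any reused value behaves the same way.
REUSED_PASSWORD = "Summer2014!"
PBKDF2_ROUNDS = 100_000


def weak_store(password: str) -> str:
    """The weak case: unsalted MD5. Same input, same output, on every site that does this."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str) -> str:
    """Per-record random salt plus PBKDF2-HMAC-SHA256, stored as algo$salt$key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${key.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(key.hex(), key_hex)


def records_collide(store, password: str) -> bool:
    """Does storing the same password twice (two sites, or two users) give identical records?
    True for unsalted MD5, False once a random salt is involved."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("unsalted MD5 collides:", records_collide(weak_store, REUSED_PASSWORD))
    print("salted PBKDF2 collides:", records_collide(strong_store, REUSED_PASSWORD))
```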

Looking at the Authy website, I cannot see what it does that’s special. So clearly it must be really good.

AFAICT stealing SMS is not at all easy unless the user is using their SMS device (their phone) for the banking or whatever, doesn’t have a lock on it, and loses it.

The code fobs are good; for sure. Tamper-proof physical devices (smart cards, etc) have been leaders in security for many years. ~25 years ago I designed an ASIC for a Siemens 44C200 smartcard version of this. But they are a hassle. When you go on holiday, you have to bring them with you, and they are easy to lose, and then you don’t know if it was theft.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

So yes it seems that the 3rd party password managers are all basically snake oil

That’s not what I meant to say. There are certainly good password managers out there that are worth a look. It just requires you to do your homework, study what you get, understand what they say (and what they don’t). If you have an overall personal security concept (please ask if you want to know more) that implements a balance of risk versus time/cost on various levels, then a good password manager will fit into this concept and do the job. Can your TB20 fulfill all needs of personal transportation? Of course not. But it’s useful anyway ;)
There is nothing wrong with storing passwords in Chrome. But I doubt that you will ever find any independently reviewed details about the Chrome password manager. In other words you have only two options: you do trust Google blindly, laugh at gag orders and co., OR you limit its use to passwords that are less than vital to you, and keep the really important ones elsewhere.

AJ
Germany

Any look at well known attack vectors means there will always be a fundamental problem with any “password manager” – unless you get one which

  • is open source, and
  • you can check the source yourself, and
  • compile your own executable from that source

Very few people have the capability to do the last two steps. You would need to be an expert programmer (definitely an expert, for what will be a very nontrivial Windows app) and have an installed copy of M$ Visual C++ or whatever.

For the rest of us, the best you can achieve is to download the executable from the same open source depository, but there is a vulnerability there, via somebody hacking that server.

This problem exists because any “password manager” sees all your passwords, so is a perfect trojan for ripping you off.

I looked for 1password v4 and while one can find the Windows executable on their website, all android etc (.apk) files are on suspect websites.

So, at a very fundamental level, I can’t see how the Chrome password manager is definitely less secure than any other. Also consider how deep in s**t Google would be if somebody hacked their system and got the passwords of a billion people, hence I bet they don’t store the passwords on their systems in any form which a hacker could make use of. That link I posted tells how they do it; they encrypt it using a Windows API, using your OS login password.

And nowadays there is always 2FA for creating new payees in online banking. This is why banking fraud has moved to areas like hacking a vendor’s email account and faking an email from them, giving “new bank details” and this one is really really hard to avoid; having lost 2k last year we implemented various procedures and not all our customers are totally keen on them…

Administrator
Shoreham EGKA, United Kingdom

You are mostly right, let me just add a few hints, using your input

Peter wrote:

This problem exists because any “password manager” sees all your passwords,

Use more than one app, it spreads the risk.

Peter wrote:

I looked for 1password v4 and while one can find the windows executable on their website, all android etc (.apk) files are on suspect websites.

Take a look at Keepass (original, not clones), it addresses many problems we addressed.

Peter wrote:

So, at a very fundamental level, I can’t see how the Chrome password manager is definitely less secure than any other.

They are subject to backdoor requests and gag-orders, and code is proprietary. Nobody would ever know that your privacy has been breached, so no loss of reputation. I would use them for basic website passwords (weather, etc.), not for my email account.

Peter wrote:

always 2FA for creating new payees in online banking. This is why

2FA does NOT provide much extra security, maybe it provides no extra security at all. But it does provide a good excuse for the bank in case something goes wrong and the bank doesn’t want to cover the losses.

Last Edited by AJ at 13 Dec 14:24
AJ
Germany

Peter wrote:

That link I posted tells how they do it; they encrypt it using a windows API, using your OS login password

That’s got to be out of date because passwords stored in Chrome work across Chrome installations and operating systems. If you save a Chrome password on Windows, you can instantly use it on the machine next to it that’s running Debian 10 or MacOS X – and even Chromium on the Raspberry Pi.

Andreas IOM