Integration points increase the risk of compromise. For that reason, I never use the desktop browser extensions for my password manager. When password managers were starting to become popular there was one that had security issues with the browser integration so I decided to just avoid those entirely. On iOS, I'm more comfortable with the integration so I use it, but I'm wary of it.

We need cooldowns everywhere, by default. Development package managers, OS package managers, browser extensions. Even auto-updates in standalone apps should implement it. Give companies like Socket time to detect malicious updates. They're good at it, but it's pointless if everyone keeps downloading packages just minutes after they're published.

> What can I do to prevent it?

My two most precious digital possessions - my email and my Bitwarden account - are protected by a Yubikey that's always on my person (and another in another geographical location). I highly recommend such a setup, and it's not that much effort (I just keep my Yubikey with my house keys)

I got a bit scared reading the title, but I'm doing all I can to be reasonably secure without devolving into paranoia.

Use the desktop or web vault directly, don't use the browser plugin.

How to prevent it?

tl;dr

- https://cooldowns.dev

- https://depsguard.com

(disclaimer: I maintain the 2nd one, if I knew of the first, I wouldn't have released it, just didn't find something at that time, they do pretty much the same thing, mine in a bit of an overkill by using rust...)

You should use hunter2 as your password on all services.

That password cannot be cracked because it will always display as ** for anyone else.

My password is *****. See? It shows as asterisks so it's totally safe to share. Try it!

... Scnr •́ ‿ , •̀