I had cause to think about remote password managers last week. My conclusions and notes:
- They are an attractive target and, if on the internet, easy to reach.
- They lengthen the code paths and thus increase the attack surface.
- They provide little defence against operating system & browser vulnerabilities and zero defence against social engineering or court-ordered remediation.
- They ease the use of complex and strong passwords; they can, through indirection, ensure that real keys are not known (and thus contradict my statement that they cannot protect against social engineering attacks).