Having auto-fill may be rather dangerous even if your password manager extension has no bugs whatsoever. I would not recommend this configuration.
Having one touch form fill for credentials is good enough. It adds one touch to every intended login, but deletes the risk of credentials being captured when you weren't actually even trying to log in.
Regarding auto-fill, I second this. Password managers are great, but I would go so far as to advise against using password manager browser extensions entirely. You're adding several more vectors to be compromised, and imo the risk is not worth it.
Navigate to the site, open the password manager, copy and paste the username and password into their respective fields. Yes, it's less convenient, but as we know convenience is the bane of security.
With authorization we have a few things available to us - something you know, something you have, something you are. To remain secure you will always use at least two of these when authorizing with a service.
The login information for my password manager is stored in my brain - something I know. The 2FA code I enter from my phone is gathered from not only something I have (my phone), but must be authenticated to with something I am (my face (although they could probably just brute force my pin)). I take it a step further by storing the 2FA codes for my most valued accounts on a completely separate device that I leave at home. /protip
> Navigate to the site, open the password manager, copy and paste the username and password into their respective fields.
This leaves you vulnerable to (at least) two attacks:
1) Phishing. The password manager extension will refuse to send the password to the wrong site; it can't be fooled when tired the same way you can be fooled when tired.
2) The password stays around in your clipboard. There's a general risk of accidentally pasting it (e.g. to the next site you log into). There's a specific risk of sites that capture activity on unsubmitted form fields, which is becoming way too common.
You should decide for yourself how you weigh these risks, but I'm a pretty paranoid person (e.g., I have a Chromebook in a corner of my room which I use as an SSH / web client for certain high-security sites like my domain registration and maintaining certain servers) and my conclusion is that the risk of phishing and mispastes is high and the risk of my particular password manager extension having serious bugs is much lower.
> Yes, it's less convenient, but as we know convenience is the bane of security.
I'll be honest, I don't know that. Security keys are more convenient than SMS-based 2FA, and significantly more secure. Signal is more convenient than PGP, and (depending on threat model) more secure in real-world use. Doing string processing in Python is way more convenient than doing it in C, and way more secure.
"It's annoying, therefore it must be secure" is a fallacy. Sure, there's some correlation, but it's not a perfect correlation.
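The phishing point above (the extension only offers a credential when the page's origin matches the stored one, so a lookalike domain gets nothing) is easy to show in code. The following is an added example, not code from anyone in this thread or from any real password manager: the vault entries are constructed sample data and the function names are assumptions. It contrasts an exact-origin check with the kind of naive substring match that a tired human does in their head.

```javascript
// Added example (not from the thread): an extension-style "fill only on the
// right site" check. Vault contents below are constructed sample data.
const vault = [
  { origin: "https://example.com",      username: "alice", password: "correct-horse" },
  { origin: "https://bank.example.net", username: "alice", password: "battery-staple" },
];

// The browser's URL parser normalises case, default ports and strips the path,
// so "https://EXAMPLE.com:443/login" and "https://example.com" compare equal.
function siteOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Return only the entries whose stored origin is exactly the page's origin.
// Unparseable URLs and plaintext HTTP pages get nothing at all.
function credentialsFor(pageUrl, entries = vault) {
  let origin;
  try {
    origin = siteOrigin(pageUrl);
  } catch (e) {
    return []; // not a valid URL: refuse rather than guess
  }
  if (!origin.startsWith("https://")) return []; // never fill over plaintext HTTP
  return entries.filter((e) => e.origin === origin);
}

// What a person skimming the address bar effectively does: "does it contain
// the name I expect?"  Shown here only to illustrate why it is unsafe.
function naiveMatch(pageUrl, entries = vault) {
  return entries.filter((e) => pageUrl.includes(new URL(e.origin).hostname));
}

// Sample usage: the genuine login page versus a lookalike domain.
// credentialsFor("https://example.com/login").length        -> 1
// credentialsFor("https://example.com.evil.test/login").length -> 0
// naiveMatch("https://example.com.evil.test/login").length   -> 1 (fooled)
```

The exact-origin rule is deliberately strict: a subdomain such as `https://login.example.com` does not match `https://example.com` here, which is what prevents the lookalike from matching as well. Real managers relax this in various ways (per-site rules, registrable-domain matching, user confirmation), and those are product design choices rather than anything this snippet claims about a specific extension.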
Yeah, Security Keys definitely illustrate that "more convenient" isn't "less secure". Signing in with a Security Key is so painless, it's just a shame I can't do it in more places.
Using the clipboard as interprocess communication for secrets does seem dangerous. The 'pass' password manager I use has an option to do that if you want that, but I've rarely used it. However it may be less dangerous than you realise - by default pass will destroy clipboard items it added after 45 seconds. This is easy on X and, as far as I know, any modern graphical desktop, because the "clipboard" isn't (usually) really a static buffer, it's a live negotiated relationship between desktop clients, so "pasting" is an operation in which the copying software is itself actively involved, so if it were to crash, the content is gone, not left on the clipboard.