ameliaquining 4 days ago

A browser-integrated password manager is only phishing-proof if it's 100% reliable. If it ever fails to detect a credential field, it trains users that they sometimes need to work around this problem by copy-pasting the credential from the password manager UI, and then phishers can exploit that. AFAIK all existing password manager extensions have this problem, as do all browsers' native password-management features.

xboxnolifes 4 days ago

It doesn't need to be 100% reliable, just reliable enough.

If certain websites fail to be detected, that's a security issue on those specific websites, as I'll learn which ones tend to fail.

If they rarely fail to detect in general, it's infrequent enough to be diligent in those specific cases. In my experience with password managers, they rarely fail to detect fields. If anything, they over-detect fields.

ameliaquining 3 days ago

I think this security model requires nontechnical users to be paying more consistent attention than is realistically safe to rely on.