That’s actually part of the appeal.

Passwords are per file. Grabbing a password by a Yubikey touch doesn’t expose other passwords. Per-password sandboxing. With keepass, you open the vault most of the time to expose a less important password, and the entire vault is at risk.

Beyond Pass, you should be careful with the browser extensions (and the browser in general). There are a lot of them, never audited.



> Grabbing a password by a Yubikey touch doesn’t expose other passwords. Per-password sandboxing. With keepass, you open the vault most of the time to expose a less important password, and the entire vault is at risk.

The entire vault is at risk only if the attacker has a zero-day in the browser extension, or already has local code execution.

In your threat model, which is more likely:

1. you get sent a phishing link and click on it, and then copy+paste into a password field

2. An attacker compromises your browser extension with a zero-day

3. An attacker manages to get local privileges on your computer, is competent enough to exfiltrate your keepassxc database from memory after you unlock it with your hardware token, but is not competent enough to exfiltrate your 'password-store' passwords, or browser session cookies, or whatever
