The problem with in-browser password management is that the attacker does not need to escape the browser. Code injection (via XSS or a browser exploit) into a running extension is likely easier than defeating the seccomp-IPC implementation or the AppArmor/SELinux profiles which protect the system. Addons like LastPass are mainly concerned with remote server weaknesses, but nothing will protect the browser from itself.

Another opinion: It's weird loading a browser+environment for non-browser passwords (SSH, HTTP/WebDAV, etc), and it's equally weird managing the passwords separately.

I have the LastPass plugin installed in Firefox, which I use 95% of the time. I also have the mobile app installed on my iPhone.

Why the switch? Recent revelations WRT NSA & the iPhone, recent reports of other plugin developers selling their plugins to shady actors, and my general belief that the most sensitive credentials I have are safer on machines under my control instead of "in the cloud".

I work for an ISP and also manage systems and networks for schools, government organizations, health care facilities, investment firms, law offices, you name it. If someone were to gain access to all of my stored credentials, they could do a LOT of damage -- to myself as well as many, many others.

While I have no reason to believe that there's anything wrong with LastPass (from a security point of view), I am certain that the level of risk is lower with, i.e., KeePassX.