
Chrome is also one of the most secure options. Google has a well deserved reputation for incredibly strong security.


This is false in some scenarios. Dumping browser credential vaults as well as extracting from active memory have both become de facto standard post-exploitation behaviors.

References are many:

https://kylemistele.medium.com/stealing-saved-browser-passwo...

https://isc.sans.edu/diary/Use+Your+Browser+Internal+Passwor...

https://www.cyberark.com/resources/threat-research-blog/extr...

https://www.bleepingcomputer.com/news/security/redline-malwa...


It's all a question of your threat model. The biggest threats I see for most users are:

1. Password reuse, where a relatively unimportant account (shopping site) getting cracked gives the attacker the same password you used for a critical account (email).

2. Phishing, where you enter your password on a fake login page.

3. Lost device, where someone finding it can easily impersonate you on any site you're logged into.

A password manager handles (1), and if it auto-fills reliably on websites (as Chrome's does) that handles (2) as well. For (3) you want disk encryption, which is now standard on phones and is an easy option on laptops as well.

After these, my next concern would be compromise of the cloud-based password backups. Here is where your parent's comment on Google's security is relevant: Google (disclosure: I used to work there) has an excellent security team and there are few companies I would trust more to keep cloud vaults secure.

The attacks your links are talking about start by assuming someone has full access to your computer. While putting some bumps in their way at this point is nice, I guess, there's nothing stopping them from keylogging their way past any password manager you choose.


Just want to note, Chrome's password manager solves (3) as well. The passwords are stored encrypted on disk.


The threat model where someone is able to run malware on your machine, but not run a keylogger to grab your master key for your password manager seems sorta absurd.

Yes, if someone installs malware on your machine (in your user account), they can grab the Chrome password vault. But in that case, 99% of the time they will be grabbing the password vault of other providers as well.

Also, note that the Chrome password vault is encrypted on disk.
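
The point argued in the comments above (a vault encrypted on disk still falls to malware running in the same user session, and a master-password vault falls to a keylogger) as an added, runnable model. This is example code written for this discussion, not Chrome's code or any browser's on-disk format. It assumes two vault designs: A seals the vault with a per-user secret the OS hands to any process in that user's session (the general shape of DPAPI or a login keychain), B seals it with a key derived from a master password the user types. The credential string, salt and password are constructed sample values, and the HMAC-SHA256 keystream plus tag stands in for a real AEAD such as AES-GCM so the block needs only the standard library.

```python
"""Why "encrypted on disk" does not stop same-user malware: a stdlib-only model.

Design A: vault key = per-user secret any process in the session can obtain.
Design B: vault key = PBKDF2(master password typed by the user).
Not any browser's real format; the cipher below is a stand-in for AES-GCM.
"""
import hashlib
import hmac
import secrets
from typing import Optional

CRED = b"https://example.test|alice|hunter2"   # constructed sample credential
SALT = b"constructed-fixed-salt"                 # constructed; real code uses random salt
KEYLEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style: XOR data with successive HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), KEYLEN):
        ctr = (i // KEYLEN).to_bytes(4, "big")
        block = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + KEYLEN], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return _keystream_xor(key, nonce, ct)


def derive_master_key(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000, KEYLEN)


class UserSession:
    """A logged-in OS user. Any process running as that user can call
    os_user_key() with no secret input, and a keylogger in the session
    sees everything the user types."""

    def __init__(self) -> None:
        self._os_user_key = secrets.token_bytes(KEYLEN)
        self.keystrokes = []

    def os_user_key(self) -> bytes:
        return self._os_user_key

    def user_types(self, text: str) -> str:
        self.keystrokes.append(text)
        return text


# --- attacker behaviours ------------------------------------------------------

def attack_offline_copy(blob: bytes) -> Optional[bytes]:
    """Vault file exfiltrated to the attacker's own box: no session, no password."""
    return unseal(secrets.token_bytes(KEYLEN), blob)


def attack_same_user_process(session: UserSession, blob: bytes) -> Optional[bytes]:
    """Malware running as the user just asks the OS for the per-user key."""
    return unseal(session.os_user_key(), blob)


def attack_keylogger(session: UserSession, blob: bytes) -> Optional[bytes]:
    """Replay each captured keystroke string as a candidate master password."""
    for typed in session.keystrokes:
        pt = unseal(derive_master_key(typed), blob)
        if pt is not None:
            return pt
    return None


def scenarios() -> dict:
    session = UserSession()
    os_vault = seal(session.os_user_key(), CRED)               # design A
    pw_vault = seal(derive_master_key("correct horse"), CRED)   # design B
    before_typing = attack_keylogger(session, pw_vault)
    session.user_types("correct horse")                        # user unlocks B once
    return {
        "offline_os": attack_offline_copy(os_vault),
        "offline_pw": attack_offline_copy(pw_vault),
        "same_user_os": attack_same_user_process(session, os_vault),
        "same_user_pw": attack_same_user_process(session, pw_vault),
        "keylogger_pw_before": before_typing,
        "keylogger_pw_after": attack_keylogger(session, pw_vault),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} -> {'recovered' if result else 'opaque'}")
```

Run it and the two outcomes that matter line up with the thread: a stolen copy of either vault is opaque, a process in the user's session opens design A with no secret at all, and design B holds until the user types the master password with a keylogger present, after which it is opened too. The on-disk encryption raises the bar only for the offline case.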


What worries me about this is Google's history of happily nuking your Google account when you do something as simple and legal as a chargeback.

You won't just lose your email and bookmarks but all your passwords... Also, it's a much bigger surface-area target, and the auto-syncing to new machines you sign into is a concern. I don't want passwords to be "accidentally synced" to any machine my family signs into. I want them to knowingly sync their passwords to them. Be MINDFUL of what they're doing. No thank you.

As the default administrator/CTO of the family I'd rather suggest bitwarden and safer practices.


Are Chrome accounts separate from Google accounts generally, i.e. will the passwords go poof if your gmail account gets banned for mysterious reasons?


Unsure, but it's incredibly stupid about certain passwords. Two examples I've seen:

I use a portal for work, and enabled MFA. Every time I put my MFA PIN in, it tries to replace the stored password. If I let it, accidentally, there is no history of the old password.

Second example: when I was looking for a job, lots of companies seem to use a similar job/HR portal (Workday) that has some variant of portal.company.com. Chrome thinks these are all the same, so to store the passwords I have to replace the old one, which loses it, and again there is no history...


Then again, Google has an overwhelming window into everyone's private lives. Perhaps giving them passwords is adding fuel to the fire.



