Ok, shall I represent the heathens then?
I use an online one (LastPass), and do trust it because I listened to an (independent) podcast about how it works.
The password store is encrypted on device (e.g. in the browser) with your password, which they don’t store. If their servers get hacked, the hackers would have to brute force your password which is hashed with bcrypt (a very slow algorithm, no matter the CPU power). So if you have a half decent password it would take centuries to break into.
I am trusting that LastPass don’t deliberately take my password from the plugin, but providing this service is their reason for existing, so doing that would be suicide.
On the downside researchers like Tavis Ormandy have found issues.
On the upside, researchers like Tavis Ormandy have found issues and they have been fixed.
I have about 700 accounts in there, I cannot be arsed managing all that crap. I have 2 factor on the important ones (and not using LastPass’s app), so there is some independence there as well.