This is why I still go to the trouble of PGP encrypting a file with my passwords, rather than relying on a password manager. I keep wanting to switch, but damn it, I just can't bring myself to have that much trust in them.
Edit: Thanks for the informative replies, the links, and the advice. I'm going to explore all of my options and re-think this.
1) I'm not sure how well using a PGP encrypted file would fare in this sort of analysis. I suppose it depends heavily on the details of how it is done.
2) The analysis was done for Android applications; I suspect that on desktop the situation is generally a bit better. I doubt you are doing PGP encrypted files on Android.
3) KeePass is notably absent from the list. I suppose its presence on Android might be a bit smaller than on desktops, but considering how well-known it generally is, I find the omission a bit surprising.
4) Continuing with KeePass, AFAIK it has been fairly thoroughly scrutinized, and the findings I've heard of have left a positive impression.
You may want to look at pass, which is pretty lightweight scripting around gpg to store passwords in multiple files. Some tradeoffs required, but it works well and is fully auditable.
Pass¹ is very nice, and you can even share a part of your password library with someone else by using their GPG public key (encrypting just those files with both your keys) and sharing the shared directory via some sharing utility such as SyncThing².
Pass also supports using git for change management.
Because with git you have to explicitly push. Both have their valid uses; I use the git solution for a devops password database shared with a small number of colleagues. I use SyncThing to share a common subdirectory of a private password database with my partner.
SyncThing has the benefit of transparently handling the synchronisation behind the scenes for me. Whenever I place something in pass in the 'shared' subdirectory, it will end up in her database as well as soon as both our devices are online.
How do you get to the unencrypted data? Do you decrypt to a plain text file? Launch it into Notepad or vi? How do you deal with the temp files the editors create? Do you clear the clipboard after copying and pasting the passwords?
I have a GPG file in Emacs, too. Just want to see what flow people use to deal with encrypted passwords.
I used to do something similar, but a local password management solution like KeePassX is much easier/more convenient and can be configured to function similarly. It can be used without a browser extension and obviously, it doesn't require the user to upload anything to anyone's cloud.
One more thing about Password Store: you can integrate it with an NFC-equipped YubiKey on Android so you don't just have a GPG key floating around. It took a little while to set up, as I was a YubiKey newbie at the time, but it works really well for me now.