Since their inception in the 1990s, web browsers have been packed full of useful features like bookmarks, tabs, granular cookie control, and so much more. It’s no surprise, then, that most browsers now include the ability to store your passwords and to manually or automatically insert them into website login pages. Talk about convenience.
Don’t do it.
The browser makers mean well. However, when a single program accepts untrusted input from the Internet and that same program has access to sensitive login credentials, one can imagine that it would be possible to craft malware that can reach across and pluck out those credentials at will, possibly without the user’s knowledge.
A browser that stores passwords is vulnerable to attack. First, passwords are often stored in plaintext (see this article and also this article, and here is a useful article from the University of Minnesota that instructs users on how to retrieve stored passwords). Malware that has access to your computer’s file system may be designed to look for, and retrieve, these stored passwords.
Also, be aware of autofill attacks that trick browsers into filling sensitive information into hidden fields in otherwise innocent-looking forms. One day, such an attack may be able to trick a browser into auto-filling login credentials into hidden fields without your awareness or consent.
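A defender-side check for the hidden-field autofill trick described above, added here as an example (it is not code from the original article): it statically scans a page's HTML and lists fillable form fields the user cannot see. The names `audit` and `HiddenFieldAudit` and the sample form are constructed for illustration, and the inline-style heuristic is an assumption; it does not evaluate external CSS or scripts.

```python
from html.parser import HTMLParser
import re

# Inline styles that take an element out of sight (heuristic, not exhaustive).
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:left|top|margin-left|margin-top)\s*:\s*-\d{3,}", re.I)
# <input> types that never receive typed or autofilled text.
NOT_FILLABLE = set("hidden submit button reset image checkbox radio file".split())
VOID = set("input br img hr meta link area base col embed source track wbr".split())

class HiddenFieldAudit(HTMLParser):
    """Collects fillable form fields hidden by inline style or the `hidden` attribute."""
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hides_children) per open element
        self.findings = []  # (field name, autocomplete token, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = "hidden" in a or bool(HIDING.search(a.get("style") or ""))
        fillable = tag in ("select", "textarea") or (
            tag == "input" and (a.get("type") or "text").lower() not in NOT_FILLABLE)
        if fillable and (own or any(hides for _, hides in self.stack)):
            reason = "hidden itself" if own else "inside hidden container"
            self.findings.append((a.get("name") or "?", a.get("autocomplete") or "", reason))
        if tag not in VOID:
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = HiddenFieldAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: one visible field plus two the user never sees.
SAMPLE = """<form action="/subscribe" method="post">
  <label>Email <input type="email" name="email" autocomplete="email"></label>
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-5000px">
  <div style="display:none"><input name="pw" type="password" autocomplete="current-password"></div>
</form>"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Inputs with `type="hidden"` are deliberately not reported, since they carry server-set values rather than text a user or autofill would supply.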
As long as we use a login and password to sign in to websites, you need to be the air gap between your stored credentials and your browser.