Max browser security levels and a good ad-blocker will not prevent you from getting phished or hacked more than an encryption-audited cloud-based zero-knowledge vault, where server compromise is irrelevant. All competent #1 cloud-based password managers are like that.
> All competent #1 cloud-based password managers are like that.
If you say so...
Sadly there could potentially also be a supply chain attack that happens to make its way into the client you use to view your supposedly secure vault. Odds are they use npm, btw.
Phish-resistant MFA is worth mentioning. You and all your staff with access to critical credentials should have something like YubiKeys, so you can't (as easily) get tricked into entering some TOTP (or email/SMS) code into a fraudulent website.
At least that ups the threshold to "someone who can not only poison your DNS or MITM your network, but can also generate trusted TLS certs for the website domain they're phishing for".
And SMS should be retired completely for authentication, not simply deprecated as NIST did in SP 800-63B with companies like banks assuming full liability for losses to others if they continue with this unacceptably insecure mechanism.
"The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction."