
Neither is necessary. Secure password managers should directly set the value attribute on the text fields (the password manager has direct access to the page's DOM), and then they should use a DispatchEvent to notify the page that the field has changed.

Websites, applications, and login forms should handle those generic events rather than listening specifically to keydown events.

There's really no need to simulate typing or to touch the clipboard if you're using a browser extension; and while I haven't checked, I'd honestly be kind of surprised if any of the major password manager extensions are doing so.

Of course, if for some reason the user decides to copy and paste their password, then a change event should also be handled, not just a keydown event.



KeePassXC has an auto-type command that does type in the username/password into your "last viewed window". This is for cases when you don't have a browser extension or want to put in a password into the terminal, or some Electron app.


That's a good point, although I would argue that's not what most users are going to run into, and I would note that properly handling a `DispatchEvent` and listening for changes will also properly handle KeePassXC's situation.

My main point is that it's not a security issue that browser extensions don't simulate a keyboard. I'll grant that some applications need to simulate a keyboard because they don't have any access to the page or application, and yeah, they have a good reason for what they're doing, but it's a rare situation.

And it is technically generally not ideal for a password manager to be doing that for websites; it does tend to make the user more vulnerable to phishing attacks. But it's fine, I see the use-case, I don't think KeePassXC is wrong to include that feature or that users are wrong to use it.

It just shouldn't be impacting how login forms are designed or what events they listen to. The users who are complaining above about login forms not listening to the correct events are most likely not being insecure and are most likely not using a clipboard when they fill in their passwords, and if the password managers they're using within their browser swapped from DOM manipulation over to simulating a keyboard, that would make those password managers less secure. Simulating a keyboard is something a secure password manager should mostly avoid unless for some reason it doesn't have access to the DOM.
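The fill-and-notify flow described in this comment and the first one above, as an added example that is not from the thread or from any password manager's code: the extension side sets the field's value and dispatches `input`/`change`, and the page side listens for those generic events rather than `keydown`. It assumes it may run in Node without a DOM, so a minimal `EventTarget` stand-in for `<input>` is constructed (a real `<input>` is used when `document` exists).

```javascript
// Stand-in for HTMLInputElement when no DOM exists (Node); constructed for this demo.
class FakeInput extends EventTarget {
  constructor(name) { super(); this.name = name; this.value = ''; }
}
function makeField(name) {
  if (typeof document !== 'undefined') {           // real browser: real <input>
    const el = document.createElement('input'); el.name = name; return el;
  }
  return new FakeInput(name);
}

// Extension side: write the DOM value directly, then notify the page.
// No simulated keystrokes and no clipboard involved.
function fillField(field, value) {
  field.value = value;
  field.dispatchEvent(new Event('input', { bubbles: true }));
  field.dispatchEvent(new Event('change', { bubbles: true }));
}

// Page side, done right: react to generic value-change events. A fill via
// value+dispatchEvent (or a paste) never produces key events, so no keydown here.
function wireLoginForm(user, pass) {
  const state = { submitEnabled: false, seen: [] };
  const recompute = (evt) => {
    state.seen.push(`${evt.target.name}:${evt.type}`);
    state.submitEnabled = user.value.length > 0 && pass.value.length > 0;
  };
  for (const f of [user, pass]) {
    f.addEventListener('input', recompute);
    f.addEventListener('change', recompute);
  }
  return state;
}

// Page side, done wrong: a keydown-only form never notices the programmatic fill.
function wireKeydownOnlyForm(user, pass) {
  const state = { submitEnabled: false };
  const recompute = () => { state.submitEnabled = user.value.length > 0 && pass.value.length > 0; };
  for (const f of [user, pass]) f.addEventListener('keydown', recompute);
  return state;
}
// Demo: fill both fields the extension way and compare how the two forms react.
function demo() {
  const user = makeField('username'), pass = makeField('password');
  const good = wireLoginForm(user, pass);
  const bad = wireKeydownOnlyForm(user, pass);
  fillField(user, 'alice');                          // constructed sample values
  fillField(pass, 'correct horse battery staple');
  return { good, bad };
}
```

The `input` listener fires on every programmatic fill and on paste; keeping `change` as well covers forms that only validate on blur.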



