← Back to context

Comment by diggan

3 months ago

Or you know, get a password manager like the rest of us. If your password manager doesn't show the usual autofill, since the domain is different than it should, take a step back and validate everything before moving on.

Have the TOTP in the same/another password manager (after considering the tradeoffs) and that can also not be entered unless the domain is right :)

22 comments

diggan

Reply
SchemaLoad  3 months ago

I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished. I have to manually select the site to fill fairly often, especially inside apps where the password manager doesn't seem to match the app to the website password.

Passkeys seem like the best solution here where you physically can not fall for a phishing attack.

  • vaylian  3 months ago

    > I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished.

    This is how Troy Hunt got phished. He was already very tired after a long flight, but his internal alarm bells didn't ring loud enough, when the password manager didn't fill in the credentials. He was already used to autofill not always working.

    • junon  3 months ago

      This is why I haven't bothered with them (the browser extensions; I have used password managers for years and years) and thus why they weren't there to protect against the attack.

  • diggan  3 months ago

    > I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished

    I dunno, it mostly seems to not work when companies change their field names/IDs, or just 3rd party authentication, then you need to manually add domains. Otherwise my password manager (1Password) works everywhere where I have an account, except my previous bank which was stuck in the 90s and disallowed pasting the passwords. If you find that your password manager doesn't work with most websites (since it's "extremely common") you might want to look into a different one, even Firefox+Linux combo works extremely well with 1Password. Not affiliated, just a happy years+ user.

    > Passkeys seem like the best solution here where you physically can not fall for a phishing attack.

    Yeah, I've looked into Passkeys but without any migration strategy or import/export support (WIP last time I looked into it), it's not really an alternative just yet, at least for me personally. I have to be 100% sure I can move things when the time ultimately comes for that.

    • mdaniel  3 months ago

      I'm glad you've had such good experience with autofill consistently working for you. My experience has been closer to that of the sibling comments: 60/40 so I often just give up and copy-paste. I actually did try jettisoning 1Password for Proton Pass but that was even worse, so I went back

      > without any migration strategy or import/export support

      Since you're already a 1Password user, I wanted to draw your attention to the "Show debugging tools" in the "Settings > Advanced" section. From that point, you can say "Copy Item JSON" and it will give you the details you would want for rescuing the Passkey. Importing it into something else is its own journey that I can't help with

        {
    "overview": {
      "passkey": {
        "credentialId": "...",
        "rpId": "example.com",
        "userHandle": "..."
      },
    ...
    "details": {
      "passkey": {
        "type": "webauthn",
        "createdAt": 175.......,
        "privateKey": "eyJ...",
        "userHandle": "..."
      }

      I would guess their "op" CLI would allow similar, but I don't have the magic incantation to offer, whereas that Copy JSON is painless

    • kngspook  3 months ago

      My understand is the people behind passkeys are working on an import/export solution. Who knows when it'll happen though.

      For now, when companies let me have multiple passkeys, that's sufficient for me. I put one on my Apple Keychain and one in 1Password.

cataflam  3 months ago

I mostly agree and I do use one.

You only need read the whole thread however to see reasons why this would sometimes not be enough: sometimes the password manager does not auto-fill, so the user can think it's one of those cases, or they're on mobile and they don't have the extension there, or...

As a matter of fact, he does use one, that didn't save him, see: https://news.ycombinator.com/item?id=45175125

  • eviks  3 months ago

    > sometimes the password manager does not auto-fill

    So pick one that does? That's like its top 2 feature

    > he does use one

    He doesn't since he has no autofill installed, so loses the key security+ convenience benefit of automatch

    • acdha  3 months ago

      > So pick one that does? That's like its top 2 feature

      Still doesn’t work 100% of the time, because half of the companies on earth demote their developer time to breaking 1995-level forms. That’s why every popular password manager has a way to fill passwords for other domains, why people learn to use that feature, and why phishers have learned to convince people to use that feature.

      WebAuthn prevents phishing. Password managers reduce it. This is the difference between being bulletproof like Superman or a guy in a vest.

      8 replies →

    • y1n0  3 months ago

      He didn't say it didn't have the autofill feature, he said sometimes it doesn't work. I've experienced this pretty routinely with two different managers.

      1 reply →

FooBarWidget  3 months ago

I wish it's that easy. 1Password autofill on Android Chrome broke for me a month ago. Installed all updates, checked settings, still nothing. Back to phishing prone copy paste.