Comment by weird-eye-issue
1 day ago
This is where password managers are useful because they would refuse to fill in login information since the domain doesn't match
That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!
I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.
Oh I've never seen anything like that. But it would still help because my password manager pops up matching logins so you could just open that manually and then copy paste parts of it or type it in.
Definitely. If bitwarden does not show a little "1" icon I'm basically lolnope'ing out.
Still, it pains me to see that practices from the early keylogger era are still "good practices".
Had a similar UK bank experience. Without knowing it would be used for that, I had created a password that had digits. So "What's the 4th character" would be something like "6," "What's the 6th digit" would be "2," like an Abbott and Costello routine.
How can they even do that without storing plaintext passwords?
It's a bank, and a rather old one at that. I fully expect them to store the password in cleartext. (hence the security theatre qualification)
Banks are notorious for taking security as a strict cost/savings measure. I would not be surprised if they enforce weak passwords stored in cleartext on purpose to save on support agents for the people that forget/lose their password. Imagine the customer service reviews: "they were able to find my password back, 5/5". Probably enough savings to offset the cost of refunding people that got their account pwnd. Cost of doing business.
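An added example (not from any commenter) that makes the point of the question and the two answers above concrete: a conventional salted, slow hash over the whole password cannot answer "what is character 4?", so a site that runs such challenges must keep per-character material, and per-character material falls to at most one guess per alphabet symbol per position. The vault values, iteration count and helper names are constructed for the demonstration; the per-position scheme is a plain salted SHA-256 for speed, and a slower hash only changes the constant, not the ~95-guesses-per-position bound.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 100_000  # PBKDF2 work factor for the full-password hash (constructed value)
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols


def store_full(password: str) -> dict:
    """Conventional storage: one salt and one slow hash over the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, candidate: str) -> bool:
    """Only a full candidate can be checked; the digest says nothing about single characters,
    so a 'characters 4, 6 and 7' challenge has nothing to compare against."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def store_per_position(password: str) -> list:
    """What a site must keep to answer position challenges without literal cleartext:
    one (salt, hash) pair per character. Toy scheme, constructed for this example."""
    store = []
    for ch in password:
        salt = os.urandom(16)
        store.append((salt, hashlib.sha256(salt + ch.encode()).digest()))
    return store


def verify_positions(store: list, answers: dict) -> bool:
    """answers maps a 1-based position to the character the user typed for it."""
    ok = True
    for pos, ch in answers.items():
        if pos < 1 or pos > len(store):
            return False
        salt, digest = store[pos - 1]
        ok &= hmac.compare_digest(hashlib.sha256(salt + ch.encode()).digest(), digest)
    return ok


def recover_per_position(store: list) -> str:
    """Defender's check on the scheme: each position is pinned down by trying the alphabet,
    so a leaked per-position record is cleartext-equivalent. Unknown symbols become '?'."""
    out = []
    for salt, digest in store:
        for ch in ALPHABET:
            if hashlib.sha256(salt + ch.encode()).digest() == digest:
                out.append(ch)
                break
        else:
            out.append("?")
    return "".join(out)


def guesses_to_recover(store: list) -> int:
    """Upper bound on hash evaluations needed to read the whole password back."""
    return len(ALPHABET) * len(store)


if __name__ == "__main__":
    full = store_full("Abbott&Costello6")
    print("full hash verifies:", verify_full(full, "Abbott&Costello6"))
    per_pos = store_per_position("Abbott&Costello6")
    print("positions 4,6,7,11,12 verify:",
          verify_positions(per_pos, {4: "o", 6: "t", 7: "&", 11: "t", 12: "e"}))
    print("recovered from per-position record:", recover_per_position(per_pos),
          "in at most", guesses_to_recover(per_pos), "hashes")
```

The two storage shapes are the whole story: with `store_full` the site can only ever check a complete password, and with `store_per_position` the record leaks the password to anyone who reads the database in a few hundred cheap hashes, which is the sense in which "characters 4, 6 and 7" challenges imply cleartext storage.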
Unfortunately it's not uncommon to find legitimate websites that break autofill in some ways. And the more such websites a user encounters, the more likely he will just mindlessly paste his password into a phishing site as he has learned to do for real ones.
Passkeys solve this problem but have their own usability issues.
My password manager will warn me if I manually copy a password out of it and then try to paste it in a domain that does not match
I use keepass (FOSS under GPL, fully offline).
It does not detect domains.
The autotyper can with a little bit of finagling. Every browser has a 'url in title bar' extension available and then you can use that for your autotype matching. If you do not like to use extensions, changing a page's title is a trivial bookmarklet or userscript to make I would think.
Maybe use a better one or the browser extension like other commenters are saying?
KeepassXC browser integration will do that.
you can have it be offline and still a browser extension (when i used keepassxc it could do that)
"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."
Meanwhile U2F/Passkeys can't possibly be abused like this.
Yeah but the downsides of passkeys make them so much worse anyway.
Passkeys are great. Store them in your password manager and what downsides are you referring to?
Pretty happy with having a yubikey on my keychain. Log in someplace new? plonk in your yubikey and off you go!
Well mine pops up a big warning if you try pasting when the domain doesn't match it so at least it would force you to take a second look. Also all the real world services that I use have passkeys as 2fa, which I also store in the password manager.
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.
Same with Meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
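An added example (not code from any commenter or password manager) of the two checks this thread keeps coming back to: the top comment's "refuse to fill because the domain doesn't match" and the later "warn me when I paste a password into a domain that doesn't match". It also covers the last complaint, a legitimate service using a second domain, by letting an entry carry extra hosts the user has explicitly approved. The vault contents, hostnames and function names are constructed for the demonstration; real managers additionally consult the public suffix list so that `co.uk`-style suffixes are not treated as a site.

```python
import hmac
from urllib.parse import urlsplit

# Constructed vault entries (the decrypted in-memory view a manager works from).
# "domains" is the site itself plus any extra hosts the user explicitly approved for it.
VAULT = [
    {"name": "Example Bank", "domains": ["bank.example"],
     "username": "alice", "password": "correct horse 42!"},
    {"name": "Social Site", "domains": ["social.example", "login.social-cdn.example"],
     "username": "alice@mail.example", "password": "battery staple 7?"},
]


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL, or '' when the string has none."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True when host is the approved domain itself or a subdomain of it.
    Lookalikes such as bank-example.net or bank.example.verify.test never match."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def entries_for_url(vault: list, url: str) -> list:
    """Names of entries the manager would offer to fill on this page; empty means no fill."""
    host = hostname_of(url)
    return [e["name"] for e in vault if any(host_matches(host, d) for d in e["domains"])]


def paste_warning(vault: list, url: str, pasted_secret: str):
    """The manual-paste check: if the clipboard equals a stored password whose entry
    does not cover this host, return that entry's name so the UI can warn; else None."""
    host = hostname_of(url)
    for entry in vault:
        if hmac.compare_digest(entry["password"].encode(), pasted_secret.encode()):
            if not any(host_matches(host, d) for d in entry["domains"]):
                return entry["name"]
    return None


if __name__ == "__main__":
    for url in ("https://www.bank.example/login", "https://bank-example.net/login"):
        print(url, "->", entries_for_url(VAULT, url) or "no fill offered",
              "| paste warning:", paste_warning(VAULT, url, "correct horse 42!"))
```

The approved-domains list is the escape hatch for the "legit but different domain" case: the user adds the second host to the entry once, deliberately, instead of learning to paste anywhere a login box appears.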