anticristi 4 days ago
This is really scary. It could have totally happened to me too. How can we design security which works even when people are tired or stressed? Once upon a time, I used a piece of software called passwordmaker. Essentially, it computed a password like hash(domain+username+master password). Genius idea, but it was a nightmare to use. Why? Because amazon.se and amazon.com share the same username/password database. Similarly, the "domain" for Amazon's app was "com.amazon.something". Perhaps it's time for browser vendors to strongly bind credentials to the domain, the whole domain and nothing but the domain, so help me Codd.
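Added example (not the commenter's code and not passwordmaker's own implementation): a deterministic per-site derivation in the style the comment describes, using scrypt instead of a bare hash. The constructed master password, username and site names are placeholders; the point is that the three Amazon identifiers the comment mentions yield three unrelated passwords, which is exactly the usability trap of strict domain binding.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials, for illustration only.
MASTER_PASSWORD = "correct horse battery staple"
USERNAME = "alice@example.com"


def normalize_site(site: str) -> str:
    """Canonicalize the site identifier so trivial variants (case, a
    leading 'www.', a trailing dot) map to one credential. It deliberately
    does NOT merge amazon.se with amazon.com or with the app's
    'com.amazon.something' identifier: those are different domains."""
    site = site.strip().lower().rstrip(".")
    if site.startswith("www."):
        site = site[4:]
    return site


def derive_password(site: str, username: str, master: str, length: int = 20) -> str:
    """Deterministic password bound to (domain, username, master secret).
    The site and username go into the salt with an unambiguous separator,
    so 'ab'+'c' and 'a'+'bc' cannot collide as plain concatenation would."""
    salt = (normalize_site(site) + "\x00" + username).encode()
    key = hashlib.scrypt(
        master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32,
        maxmem=64 * 1024 * 1024,
    )
    return base64.b64encode(key).decode()[:length]


def same_credential(site_a: str, site_b: str,
                    username: str = USERNAME, master: str = MASTER_PASSWORD) -> bool:
    """True when two site identifiers derive the identical password."""
    return hmac.compare_digest(
        derive_password(site_a, username, master),
        derive_password(site_b, username, master),
    )


if __name__ == "__main__":
    for site in ("amazon.com", "amazon.se", "com.amazon.something"):
        print(f"{site:24} -> {derive_password(site, USERNAME, MASTER_PASSWORD)}")
```

Running it prints three different passwords for a service that, as the comment notes, keeps a single credential database behind all three identifiers.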
samhh 4 days ago
Passkeys already solve for this, we just have to get past the FUD.