sneak 3 days ago

I never copy and paste passwords. Any time you find yourself wanting to do that, alarm bells should be ringing. Password managers can’t help you if you don’t use them properly. Spotify steals (and presumably uploads) your clipboard, as do other apps. Autofill is your primary defense against phishing, as you (and hopefully some others) learned this week.
johnisgood 3 days ago

Do not give them permission to your clipboard. It is possible today. I copy and paste passwords and I clear the clipboard afterwards, and I do not use junk like Spotify, and were I to use Spotify, it would be through the browser, not the application. Were it the application, it would be firejailed to oblivion.

It is possible to restrict clipboard access when running applications inside Firejail, i.e. Firejail allows you to restrict access to X11 and Wayland sockets, which prevents the sandboxed application from reading or writing to the system clipboard. See "--x11=none", "--private=...", "--private-tmp", and so forth. You can run a GUI app with isolated clipboard via "firejail --x11=xvfb app". For Wayland, you should block access to the Wayland socket by adding "--blacklist=/run/user/*/wayland-*".

I do not use autofill on desktop at all. I use it on Android, however.
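Added example, not johnisgood's or Firejail's own code: a small POSIX sh helper that puts the two habits described above into working form, launching a GUI app with the desktop clipboard out of its reach and clearing the clipboard a short while after a paste. It assumes firejail with Xephyr (a visible nested X server; the comment's --x11=xvfb is the headless variant), xclip on X11 and wl-copy/wl-paste on Wayland; SANDBOX_DRY_RUN, CLIP_SET and CLIP_GET are knobs of this example so it can be exercised without those tools.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed tools (not named there):
# firejail with Xephyr, xclip on X11, wl-copy/wl-paste on Wayland.

# Run app $1 sandboxed for session type $2 (x11|wayland, default from
# XDG_SESSION_TYPE). --x11=xephyr gives the app its own nested X server, so
# its selections never reach the host clipboard; on Wayland the compositor
# socket is hidden as well. SANDBOX_DRY_RUN=1 prints the command instead.
sandbox_run() {
    app=$1; session=${2:-${XDG_SESSION_TYPE:-x11}}
    set -- --private-tmp --x11=xephyr
    case "$session" in
        x11)     ;;
        wayland) set -- "$@" '--blacklist=/run/user/*/wayland-*' ;;
        *)       echo "unknown session type: $session" >&2; return 1 ;;
    esac
    if [ -n "${SANDBOX_DRY_RUN:-}" ]; then
        printf 'firejail %s %s\n' "$*" "$app"
    else
        firejail "$@" "$app"
    fi
}

# Copy secret $1, then after $2 seconds (default 20) clear the clipboard,
# but only if it still holds the secret, so something the user copied in
# the meantime is not clobbered. CLIP_SET/CLIP_GET override the clipboard
# commands (the tests point them at a file via tee/cat).
clip_then_wipe() {
    secret=$1; ttl=${2:-20}
    if [ "${XDG_SESSION_TYPE:-x11}" = wayland ]; then
        set_cmd=${CLIP_SET:-wl-copy}
        get_cmd=${CLIP_GET:-"wl-paste --no-newline"}
    else
        set_cmd=${CLIP_SET:-"xclip -selection clipboard -in"}
        get_cmd=${CLIP_GET:-"xclip -selection clipboard -out"}
    fi
    printf '%s' "$secret" | $set_cmd
    (
        sleep "$ttl"
        [ "$($get_cmd)" = "$secret" ] && printf '' | $set_cmd
    ) >/dev/null 2>&1 &
}

if [ $# -gt 0 ]; then
    sandbox_run "$1"      # usage: ./clip-sandbox.sh spotify
fi
```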
jasode 3 days ago

> Autofill is your primary defense against phishing,

The autofill feature is not 100% reliable for various reasons:

(1) Some companies use different domains that are legitimate but don't exactly match the url in the password manager. Troy Hunt, the security expert who runs https://haveibeenpwned.com/, got tricked because he knew autofill is often blank because of legit different domains[1]. His sophisticated knowledge and heuristics of how autofill is implemented -- actually worked against him.

(2) Autofill doesn't work because of technical bugs in the plugin, HTML element detection, interaction/incompatibility with new browser versions, etc. It's a common complaint with all password plugins:
https://www.google.com/search?q=1password+autofill+doesn%27t...
https://www.1password.community/discussions/1password/1passw...
https://github.com/bitwarden/clients/issues?q=is%3Aissue%20a...

... so in the meantime while the autofill is broken, people have to manually copy-paste the password!

The real-world experience of flaky and glitchy autofill distorts the mental decision tree. Instead of, "hey, the password manager didn't autofill my username/password?!? What's going on--OH SHIT--I'm being phished!" ... it becomes "it didn't autofill the password (again) so I assume the Rube-Goldberg contraption of pw manager browser plugin + browser version is broken again."

Consider the irony of how password managers not being perfectly reliable causes sophisticated technical minds to become susceptible to social engineering. In other words, password managers inadvertently create a "Normalization of Deviance": https://en.wikipedia.org/wiki/Normalization_of_deviance

[1] > Thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.
-- from: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mail...