jasode 5 days ago

> In hindsight, the fact that his browser did not auto-complete the login should have been a red flag.

> A huge red flag.

It won't be a red flag for people who often see auto-complete not working for legitimate websites. The usual cause is legitimate websites not working instead of actual phishing attempts.

This unintended behavior of password managers changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled become normal and expected. It inadvertently trains sophisticated people to lower their guard. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643

> So are there mobile password managers that don't even check the URL? I dunno how that works...

Strongbox pw manager on iOS by default doesn't autofill. You have to go to settings to specifically enable that feature. If you don't, it's copy & paste.

cosmic_cheese 5 days ago

Even standard autofill (as in that built into Safari, Firefox, Chrome etc) gets tripped up on 100% legit sites shockingly often. Usually the cause is the site being botched, with mislabeled fields or some unnecessarily convoluted form design that otherwise prevents autofill from doing its thing.

Please people, build your login forms correctly! It’s not rocket science.

diggan 5 days ago

> It won't be a red flag for people who often see auto-complete not working for legitimate websites. The usual cause is legitimate websites not working instead of actual phishing attempts.

Yeah, that's true, I hit this all the time with 1Password+Firefox+Linux (fun combo).

Just copy-pasting the username+password because it doesn't show up is the wrong approach. It gives you a chance to pause and reflect, since it isn't working, so in that case you look up if it's actually the right domain, and if it is, add it to the allowed domains so it works fine in the future.

Maybe best would be if password managers defaulted to not showing a "copy" thing at all for browser logins, and not letting users select the password, instead prompting them to rely on the autofill, and fix the domains if the autofill doesn't work.

Half the reason I use a password manager in the first place is specifically for this issue, the other half is because I'm lazy and don't like typing. It's really weird to hear people using password managers yet do the old copy-paste dance anyways.
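The domain binding this comment relies on, shown as an added example that is not code from 1Password, Bitwarden, Strongbox or any other manager in the thread: a small vault where each login is bound to exact origins, an autofill decision that fills only on an exact scheme/host/port match, and an explicit "allow this origin" step that models the user adding a second legitimate domain after verifying it. The vault entries and URLs are constructed sample data.

```python
"""Origin-bound autofill decision, illustrating why a refused fill is a
useful signal. Added example; the vault, hostnames and helper names are
constructed for this illustration, not taken from any real product."""
from urllib.parse import urlsplit

# Constructed sample vault. Each credential is bound to the origins it may
# be filled on; a second origin on the shop entry models a user who added
# the account subdomain after autofill refused to fill there.
VAULT = [
    {"name": "Example Bank", "username": "alice",
     "origins": ["https://login.example-bank.com"]},
    {"name": "Example Shop", "username": "alice@example.com",
     "origins": ["https://example-shop.com", "https://account.example-shop.com"]},
]


def origin_of(url):
    """Return (scheme, host, port) with the default port filled in, or None
    when the URL is not an http(s) URL with a hostname."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(saved, current):
    """Exact origin comparison: scheme, host and port must all agree.
    No suffix or substring matching, so a host that merely contains or
    resembles the saved one is never treated as the same site."""
    return saved is not None and saved == current


def matching_logins(page_url, vault=VAULT):
    """Vault entries eligible for autofill on page_url.
    An empty list means "do not fill", which is the moment the user
    should check the address bar rather than reach for copy/paste."""
    current = origin_of(page_url)
    if current is None:
        return []
    return [entry for entry in vault
            if any(same_origin(origin_of(o), current) for o in entry["origins"])]


def allow_origin(entry, url):
    """Model the user explicitly binding a verified additional origin to an
    entry. Returns a new entry; only https origins may be bound."""
    origin = origin_of(url)
    if origin is None or origin[0] != "https":
        raise ValueError("only https origins may be bound to a login")
    return {**entry, "origins": entry["origins"] + [url]}


if __name__ == "__main__":
    for url in ("https://login.example-bank.com/auth?next=/",
                "https://login.example-bank.com.example.test/auth",
                "http://login.example-bank.com/auth"):
        hits = [e["name"] for e in matching_logins(url)]
        print(f"{url:55} -> {hits or 'no fill: verify the address bar'}")
    # The user verifies a new legitimate subdomain and binds it explicitly.
    bank = allow_origin(VAULT[0], "https://secure.example-bank.com")
    print([e["name"] for e in matching_logins("https://secure.example-bank.com/", [bank])])
```

The point of keeping `same_origin` strict is that every "no fill" result is either a site with a genuinely new origin (fix it once with `allow_origin`) or a page that is not the site the credential belongs to; copying the password out of the vault erases that distinction.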

jonhohle 5 days ago

The reason to use a password manager should be because passwords now need to be unique per login. Domain binding is a close second.

Unfortunately, as bad as phishing is, service providers have leaked more plain text passwords than a phisherman could ever catch.

diggan 5 days ago

Well yeah, that too. But I was doing that manually before anyways, didn't really change when I started using a password manager, except the passwords of course got a lot stronger since there is no need to remember anything.

But the domain binding just isn't possible without technical means, hence I see that as my own top reason, I suppose :)

chrisweekly 5 days ago

> "It's really weird to hear people using password managers yet do the old copy-paste dance anyways."

Thankfully there are many reasons to use a password manager. Auto-fill is just one.

nightski 5 days ago

This hasn't been my experience at all. I regularly check the Bitwarden icon for example to make sure I am not on the wrong site (b/c my login count badge is there). In fact autofill has saved me before because it did not recognize the domain and did not fill.

IshKebab 5 days ago

Yeah nor mine. Chrome's password manager / autofill is very reliable and very few sites don't work with it or have multiple domains with the same auth. The only one I can think of is maybe Synopsys Solvnet, but you're probably not using that...