> It won't be a red flag for people who often see auto-complete not working for legitimate websites. The usual cause is legitimate websites not working instead of actual phishing attempts.

Yeah, that's true, I hit this all the time with 1Password+Firefox+Linux (fun combo).

Just copying-pasting the username+password because it doesn't show up is the wrong approach. It gives you a chance to pause and reflect, since it isn't working, so in that case you lookup if it's actually the right domain, and if it is, add it to the allowed domains so it works fine in the future.

Maybe best would be if password managers defaulted to not showing a "copy" thing at all for browser logins, and not letting users select the password, instead prompting them to rely on the autofill, and fix the domains if the autofill doesn't work.

Half the reason I use password manager in the first place is specifically for this issue, the other half is because I'm lazy and don't like typing. It's really weird to hear people using password managers yet do the old copy-paste dance anyways.

▲

jonhohle 5 days ago | parent | next [-]

Thr reason to use a password manager should be because passwords now need to be unique per login. Domain binding is a close second.

Unfortunately, as bad as phishing is, service providers have leaked more plain text passwords than a phisherman could ever catch.

	▲	diggan 5 days ago \| parent [-]
		Well yeah, that too. But I was doing that manually before anyways, didn't really change when I started using a password manager, except the passwords of course got a lot stronger since there is no need to remember anything. But the domain binding just isn't possible without technical means, hence I see that as my own top reason, I suppose :)

▲

chrisweekly 5 days ago | parent | prev [-]

> "It's really weird to hear people using password managers yet do the old copy-paste dance anyways."

Thankfully there are many reasons to use a password manager. Auto-fill is just one.