Mystery-Machine 4 days ago

Always use a password manager to automatically fill in your credentials. If the password manager doesn't find your credentials, check the domain. On top of that, you can always go directly to the website to make any needed changes there, without following the link.

dewey 4 days ago | parent | next [-]

Password managers are still too unreliable to auto-fill everywhere all the time, and manually having to copy-paste something from the password manager happens regularly, so it's not something that feels unusual if it doesn't auto-fill for some reason.

zargon 4 days ago | parent | next [-]

I put the fault on companies for making their login processes so convoluted. If you take the time to do it, you can usually configure the password manager to work (we shouldn’t have to make the effort). But even if you do, then the company will at some point change something about their login processes and break it.

nilslindemann 3 days ago | parent | prev [-]

Indeed. I have to fill in my TOTP manually on Lichess and on tutanota.com. On proton.me sometimes. On other sites it always works, e.g. GitHub.

Analemma_ 4 days ago | parent | prev | next [-]

I don't think this really helps. I use Bitwarden and it constantly fails to autofill legitimate websites and makes me go to the app to copy-paste, because companies do all kinds of crap with subdomains, marketing domains, etc. Any safeguard relying on human attention is ultimately susceptible to this; the only true solutions are things like passkeys where human fuckups are impossible by design and they can't give credentials to the wrong place even if they want to.

Passkeys are disruptive enough that I don't think they need to be mandated for everyone just yet, but I think it might be time for that for people who own critical dependencies.

teekert 4 days ago | parent [-]

It's a pita, but Bitwarden has quite some flexibility in filtering where what gets autofilled. I agree the defaults are pretty shit and indeed lead to constant copy-pasting. On the other hand, it will offer all my passwords all the time for all my self-hosted stuff on my 1 server.
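As an added illustration of the match-rule flexibility mentioned above (this is example code written for this page, not code from the thread, from Bitwarden, or from any password manager), here is a small Python model of URI match detection. The rule names are modeled on the per-entry options Bitwarden exposes (base domain, host, starts with, exact, never); the logic, the vault entries and the `.test` hostnames are all constructed for the example, and `base_domain()` deliberately approximates the registrable domain with the last two labels instead of consulting the Public Suffix List. The point it demonstrates is the defensive one from the thread: a manager only offers credentials when the page URL satisfies the entry's rule, so a look-alike domain gets no offer at all, a "base domain" entry follows the site onto legitimate subdomains, and a "host" entry on a self-hosted service is port-specific.

```python
from urllib.parse import urlsplit

# Constructed vault entries for the example. Hostnames use the reserved
# .test TLD; nothing here is a real site or credential.
VAULT = [
    {"name": "bank", "uri": "https://www.examplebank.test/login", "match": "base_domain"},
    {"name": "admin-panel", "uri": "https://app.examplebank.test/admin/login", "match": "exact"},
    {"name": "homelab-grafana", "uri": "https://grafana.home.test:3000", "match": "host"},
    {"name": "legacy-portal", "uri": "https://portal.examplebank.test/", "match": "never"},
]


def host_of(url: str) -> str:
    """Lower-cased host including the port, e.g. 'grafana.home.test:3000'."""
    return urlsplit(url).netloc.lower()


def base_domain(url: str) -> str:
    """Registrable domain, simplified to the last two labels.

    Simplifying assumption: a real password manager consults the Public
    Suffix List so that 'login.example.co.uk' maps to 'example.co.uk'.
    """
    hostname = urlsplit(url).hostname or ""
    return ".".join(hostname.split(".")[-2:])


def exact_form(url: str) -> str:
    """Scheme + host + path; query and fragment dropped, trailing slash normalized."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def entry_matches(entry: dict, page_url: str) -> bool:
    """Apply the entry's match rule to the URL of the page being viewed."""
    rule = entry["match"]
    if rule == "never":          # entry is never offered for autofill
        return False
    if rule == "base_domain":    # any subdomain of the same registrable domain
        return base_domain(entry["uri"]) == base_domain(page_url)
    if rule == "host":           # same hostname AND same port
        return host_of(entry["uri"]) == host_of(page_url)
    if rule == "starts_with":    # page URL must begin with the stored URL
        return exact_form(page_url).startswith(exact_form(entry["uri"]))
    if rule == "exact":          # scheme, host and path must all agree
        return exact_form(entry["uri"]) == exact_form(page_url)
    raise ValueError(f"unknown match rule: {rule}")


def candidates(vault: list, page_url: str) -> list:
    """Names of entries the manager would offer on this page; [] means no offer."""
    return [e["name"] for e in vault if entry_matches(e, page_url)]


if __name__ == "__main__":
    pages = [
        "https://accounts.examplebank.test/signin",       # legit subdomain -> offered
        "https://examplebank-login.test/login",           # look-alike domain -> nothing
        "https://app.examplebank.test/admin/login?next=/",  # exact rule ignores the query
        "https://grafana.home.test:3000/d/abc",           # host rule, right port
        "https://grafana.home.test/",                     # host rule, wrong port -> nothing
    ]
    for page in pages:
        offered = candidates(VAULT, page)
        print(page, "->", offered or "NO MATCH (read the address bar before typing anything)")
```

The useful habit this models is the one in the thread: an empty result is a signal, not an inconvenience. When the manager stays silent on a page where it normally fills, the first check is the address bar, and the safe route to the real site is the URL stored in the vault entry rather than the link that brought you there.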

teekert 4 days ago | parent | prev | next [-]

Better yet, use the password manager as the store of the valid domain and click there to go to the resource.

fragmede 4 days ago | parent | prev | next [-]

what do you mean bankofamericaabuse.com isn't a real website!? It's in the email and everything! The nice guy on the phone said it was legit...

esseph 4 days ago | parent | prev [-]

> Always use password manager to automatically fill in your credentials

Absolutely not.

https://www.malwarebytes.com/blog/news/2025/08/clickjack-att...

https://thehackernews.com/2025/08/dom-based-extension-clickj...

https://www.intercede.com/the-dangers-of-password-autofill-a...

darthwalsh 2 days ago | parent [-]

What's more likely, the real npm site has a subdomain with XSS (IIRC the issue you linked) or you are manually filling your password into a phishing site?

There's strong evidence that the latter is a more common concern.

esseph 2 days ago | parent [-]

What I'm saying is that autofill is a current method of credential extraction that should be avoided.

You don't have to believe me, read the links.