upvote

points

by QuantumNomad_22 hours ago |
comments
upvoteby embedding-shape22 hours ago|
[-]
> The 1Password mobile and desktop apps have such a nice UX that I’m happy copy pasting from and into it instead of having any of the browser extensions enabled.

Also a great way of missing out on one of the best protections of password managers; completely eliminating phishing even without requiring thinking. And yes, still requires you to avoid manually copy-pasting without thinking when it doesn't work, but so much better than the current approach you're taking, which basically offers 0 protection against phishing.

reply
upvoteby yborg22 hours ago|
parent|
next
[-]
My approach is that for critical sites like banking, I use the site URL stored in the password manager too, I don't navigate via any link clicking. I personally am fine with thinking when my entire net worth is potentially at stake.
reply
upvoteby embedding-shape22 hours ago|
parent|
[-]
It's not only about how you get there, but that the autofill shows/doesn't show, which is the true indicator (beyond the URL) if you're in the right place or not.

Rouge browser extensions for example could redirect you away from the bank website (if the bank website has poor security) when you go there, so even if you use the URL from the password manager, if you don't use the autofill feature, you can still get phished. And if the autofill doesn't show, and you mindlessly copy-paste, you'd still get phished. It's really the autofill that protects you here, not the URL in the password manager.

reply
upvoteby QuantumNomad_21 hours ago|
parent|
next
[-]
If you have rogue browser extensions installed, the browser extension can surely read the values that got filled into the login page without having to redirect to another site.
reply
upvoteby embedding-shape21 hours ago|
parent|
[-]
Not necessarily, a user could have accepted a permission request for some (legit) redirect extension that never asked for content permission, then when the rogue actor takes over, they want to compromise users and not change the already accepted permissions.

Concretely, I think for redirect browser extension users I'd use "webRequest" permission, while for in page access you'd need a content-script for specific pages, so in practice they differ in what the extension gets access to.

reply
upvoteby akimbostrawman7 hours ago|
parent|
prev|
[-]
You don't need a autofill for a indicator. Simply bookmark your banks login page, even if it gets silently redirected later you will notice as the page wont be bookmarked anymore.
reply
upvoteby QuantumNomad_22 hours ago|
parent|
prev|
[-]
In Safari on iOS I have all the main pages I use as favourites, so that they show on the home screen of Safari.

Likewise I have links in the bookmarks bar on desktop.

I use these links to navigate to the main sites I use. And log in from there.

I don’t really need to think that way either.

But I agree that eliminating the possibility all-together is a nice benefit of using the browser integration, that I am missing out on by not using it.

reply
upvoteby embedding-shape21 hours ago|
parent|
[-]
Which works great until tags.tiqcdn.com, insuit.net or widget-mediator.zopim.com (example 3rd party domains loaded when you enter the landing page from some local banks) get compromised. I guess it's less likely to happen with the bigger banks, my main bank doesn't seem to load any scripts from 3rd party as an counter-example. Still, rouge browser extensions still scare me, although I only have like three installed.
reply