I've seen it many times on Google where the phishing sites were advertised results stickied above the results they impersonate.

Another good reason to use uBlock Origin!

reply
This is where password managers are useful, because they would refuse to fill in login information since the domain doesn't match.
reply
That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!

I think the worst I ever had was HSBC, which asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolutely bonkers security theatre.

reply
I use KeePass (FOSS under GPL, fully offline).

It does not detect domains.

reply
The autotyper can, with a little bit of finagling. Every browser has a 'URL in title bar' extension available, and then you can use that for your autotype matching. If you do not like to use extensions, changing a page's title is a trivial bookmarklet or userscript to make, I would think.
reply
KeePassXC browser integration will do that.
reply
You can have it be offline and still use a browser extension (when I used KeePassXC it could do that).
reply
"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."

Meanwhile U2F/Passkeys can't possibly be abused like this.

reply
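Added illustration, not code from any commenter, password manager or browser, of the two checks the comments above rely on: a password manager comparing the saved entry's registrable domain (eTLD+1) with the current page's before filling, and the WebAuthn rule that a passkey's relying-party ID must equal the origin's host or be a registrable-domain suffix of it, which is why a lookalike host never receives the credential. The public-suffix table and every URL below are constructed assumptions; real clients consult the full Public Suffix List.

```python
"""Origin-matching checks of the kind a password manager and a WebAuthn client
apply before releasing a credential.  Added example; the suffix table is a
constructed stand-in for the real Public Suffix List."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: real clients use the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 of a hostname, or None if the host is itself a public
    suffix or ends in a suffix we do not know (refuse to guess)."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest; the first public suffix found wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host *is* a public suffix, e.g. "co.uk"
            return ".".join(labels[i - 1:])
    return None


def password_manager_would_fill(saved_url: str, page_url: str) -> bool:
    """Fill decision: page must be https and share the saved entry's registrable domain.
    A lookalike such as example.com.login-verify.net or a homoglyph host fails this."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":
        return False  # never release a credential onto a plaintext page
    saved_rd = registrable_domain(saved.hostname or "")
    page_rd = registrable_domain(page.hostname or "")
    return saved_rd is not None and saved_rd == page_rd


def webauthn_rp_id_allowed(origin: str, rp_id: str) -> bool:
    """WebAuthn rule: rp_id must equal the origin's host or be a suffix of it that
    is at least a registrable domain (never a bare public suffix like "com")."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower()
    if parts.scheme != "https":
        return False
    if host == rp_id:
        return True
    if not host.endswith("." + rp_id):
        return False  # e.g. example.com.evil.net does not end in ".example.com"
    return registrable_domain(rp_id) is not None


if __name__ == "__main__":
    saved = "https://www.example.com/login"
    # Constructed page URLs: legitimate subdomain, subdomain-prefix lookalike,
    # Cyrillic-"а" homoglyph, and the real host over plain http.
    for page in [
        "https://accounts.example.com/signin",
        "https://example.com.login-verify.net/",
        "https://ex\u0430mple.com/login",
        "http://www.example.com/login",
    ]:
        print(f"fill {page!r:48} -> {password_manager_would_fill(saved, page)}")
    for origin, rp in [
        ("https://login.example.com", "example.com"),
        ("https://login.example.com", "com"),
        ("https://example.com.evil.net", "example.com"),
    ]:
        print(f"rpId {rp!r:14} for {origin!r:32} -> {webauthn_rp_id_allowed(origin, rp)}")
```

Running it shows the legitimate subdomain is the only page that gets filled and that the lookalike, homoglyph and plaintext pages are all refused, while the relying-party check rejects both a bare public suffix and a host that merely contains the bank's name as a prefix. The same structure is what makes the KeePass autotype trick in the thread workable: whatever puts the URL in the window title, the match should be against the registrable domain, not a substring.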
Yeah but the downsides of passkeys make them so much worse anyway.
reply
Pretty happy with having a YubiKey on my keychain. Log in someplace new? Plonk in your YubiKey and off you go!
reply
I used to keep a YubiKey in a spare slot on my laptop. One day it fell out and subsequently escaped through an unnoticed hole in my backpack.

I've never lost a password because my backpack was overly abused.

reply
That's why you keep it on your keychain and not in a spare slot on your laptop.
reply
It's not possible to put a 5C Nano on a keychain. They're intended to be kept in the slot at all times.
reply
deleted
reply
And when your keychain gets lost then what?
reply
Then I have a backup YubiKey at home for services which allow registering two keys. For others there's still good old password + some second factor.
reply
Then I use the authenticator built into my phone. Or the authenticator built into my desktop. Or the authenticator built into my laptop. Or my other authenticator.

My phone was destroyed not too long ago. I had been using it for passkeys. Oh no, all those passkeys were gone. No problem, when I got my new phone I just used the authenticator on my keyring to get back into my accounts. If my keyring authenticator got lost I'd just buy a new authenticator eventually and add it to my accounts.

reply
I open the safe where I keep my spare Yubikey. Or I use the passkey stored in my phone, or the one on my laptop. Make passkeys, put them everywhere.
reply
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.

Same with Meta and Google, where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to check whether it's really that domain, because it's often legitimately not that domain.

reply
> I never see Google return phishing pages

Maybe you're not looking or maybe you're lucky.

Either way, many of us see it happen all the time there too. For GitHub especially, I almost never get the canonical repo for a project in my Google results. Phishing or innocuous, it's almost always some fork at the top and then a bunch of non-github.com sites.

Search is more or less "cooked" now, as they say. Google vs Bing vs DDG vs Kagi is mostly in the noise.

reply
> I never see Google return phishing pages or typo squatters in the first page

Our company constantly has phishing copies of our real pages as first results in Google. We have no ability to get them taken down. It costs us serious money every year, and hurts our customers who get swindled because Google lets some brand new domain registered yesterday come before the company that has existed for 20 years.

If you haven't seen it on Google, you aren't looking hard enough.

reply
> at least not Google

Is one giant mega-corp better than any other?

You're going to have a hard time convincing me the answer is yes.

reply
Why would you go to your bank by first searching for it? Sounds very insecure to me. I type my bank's URL directly instead, or if that gets tedious, store it as a bookmark.

I know several people who search for important sites, click uncritically on links, and get scammed. This is not so good.

reply
Speaking only to search quality: try Kagi.
reply
[dead]
reply