by bufke 3129 days ago
I'm working on that (https://passit.io) and I'm curious what your opinion of good UX is. Many here mention vulnerabilities from web extension autofill (domain matching issues, etc.). Do you have any opinion between:

A) No autofill. Copy and paste (but good simple shortcuts). Fewest attack vectors, but least convenient.

B) Autofill but only when the user prompts (with a shortcut). This avoids having to inject JS into web pages. The web extension needs fewer permissions overall this way. It avoids certain attack vectors. Features would be less discoverable - you have to know to hit the shortcuts or click a browser icon.

C) Prompts to autofill in the page. This is the most common technique; LastPass does it. Vulnerable to domain matching misparsing. It's a big attack vector, but there are plenty of common password manager vulnerabilities that can be studied and mitigated against.

Or something else? Also what issues do you have with current open source password managers?
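As an added example (not code from this thread or from passit), the domain-matching problem behind option C: a naive substring match on the stored host beside a strict origin comparison built on the WHATWG URL parser. The vault entry and candidate page URLs are constructed for the demonstration.

```javascript
// Naive check: does the stored site's host appear anywhere in the page URL?
// This is the misparsing pattern the thread warns about; kept only to show
// how it fails against the constructed samples below.
function naiveMatch(storedUrl, pageUrl) {
  const host = new URL(storedUrl).hostname;
  return pageUrl.includes(host);
}

// Strict check: parse both URLs, require HTTPS on both sides, then compare
// the full origin (scheme + host + port). URL lowercases the host and drops
// the default port, so `origin` equality is an exact-match policy with no
// subdomain or suffix tricks. Anything unparseable never matches.
function strictOriginMatch(storedUrl, pageUrl) {
  let stored, page;
  try {
    stored = new URL(storedUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return false;
  }
  if (stored.protocol !== 'https:' || page.protocol !== 'https:') return false;
  return stored.origin === page.origin;
}

// Constructed vault entry and candidate page URLs with the expected decision.
const VAULT_SITE = 'https://accounts.example.com/login';
const SAMPLES = [
  ['https://accounts.example.com/login?next=/', true],
  ['https://accounts.example.com.evil.test/', false],            // stored host is a prefix of a different domain
  ['https://evil.test/?r=https://accounts.example.com', false],  // stored host appears only in the query string
  ['http://accounts.example.com/login', false],                  // plaintext HTTP, same host
  ['https://accounts.example.com:8443/', false],                 // same host, different port
  ['not a url', false],                                          // unparseable input
];

// Returns, for each sample, what both policies would decide next to the
// expected answer, so the divergence is visible in one table.
function evaluate() {
  return SAMPLES.map(([url, expected]) => ({
    url,
    naive: naiveMatch(VAULT_SITE, url),
    strict: strictOriginMatch(VAULT_SITE, url),
    expected,
  }));
}

console.table(evaluate());
```

A manager that wants to fill on sibling subdomains would relax the host comparison to the registrable domain (eTLD+1) via the Public Suffix List rather than any substring or regex test.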

2 comments

Personally, I prefer no autofill. I always turn it off.
Autofill with shortcuts would be my vote.