[pvg]

It would be abundantly obvious to me

That's what people say but even security experts have fallen for phishing attacks. And since the autofill is not 100% reliable, it's not that unusual to go into the password store and manually get the password out of there.

[kadoban]

It's really quite unusual. I'm not sure what password managers these security experts are using, but there's no way it works like mine (bitwarden). I've never had it fail to recognize the domain, which is good because that seems like really obvious functionality.

I have had it fail to autofill due to site implementation, and the couple of times it happened I was extremely on my guard and triple-checked everything before proceeding.

I think that's the important part of this, the manager has to be reliable enough that the bypass mechanism stands out _a lot_, and the user has to be aware.

[jessaustin]

Sure it can handle logins to both "theircompany.com" and "service.theircompany.com", assuming the cert is set up correctly. It probably isn't going to figure out that those are related to "theircompany-service.net". This would arguably be a failure in domain setup, but I've certainly seen similar setups before.

Example: "https://hbweb.incompass-solutions.com/" uses the same credentials as "http://www.equineline.com/" since they're both owned by the Jockey Club.

[mceachen]

Some password managers (like bitwarden) allow for N URL patterns for a given credential, for exactly this purpose.

[jessaustin]

Sure, but that's something the user sets up, so it still contradicts GP's contention that the user never needs to think about this. The only thing a password manager can (validly) do automatically is look at subject name and subject alt names. (I don't know that all of them even do this.) Even that's assuming that certs are set up correctly...