[_xnmw]

Everyone's vulnerable to phishing, no matter how technically literate. It's too easy to click through an email during a moment of inattention. I've often thought that the only way to reliably prevent phishing is to enforce the use of a password manager browser extension, which will refuse to enter a saved password except on the original domain. Nobody should ever be manually typing passwords, or even copy-pasting passwords (in the rare case copying becomes necessary, it should be done with a big bold warning).

A safer, phish-proof enterprise password manager may be your killer product here.

[jujodi]

For some reason I thought this was the pitch and I LOVE this idea. Is it possible for a password manager plugin to capture your "paste" and verify the window url? I know there's an onpaste clipboard event so sure seems like this would be possible.

[cyphar]

Password managers that have browser integration already function this way -- you have to go out of your way to copy-paste your password. The main problem is that some sites design their login forms to make this kind of functionality harder (such as putting the password and username fields on different pages, or having strange layouts where you need to also input your last name, and so on).

I personally use KeepassXC which has a browser plugin that does this for you (and it's nice that the plugin doesn't have access to your passwords directly -- it has to request access from the password manager which be default gives you a popup asking for permission to share specific credentials).