by mjthompson 1782 days ago
A password manager only really offers marginal phishing protection, in the sense that 'automatic autofill' (as defined in the original post) is not available with an unrecognised website.

The problem is most profound with tech illiterate folk. If you have tried to teach a tech illiterate person how to use a password manager (as I have), you may have encountered the issue that 'autofill' isn't 100% accurate. You will occasionally hit a subdomain or alternative domain which uses the same credentials as the saved website (e.g. amazon.co.uk vs amazon.com). It will appear that no credentials are available for that site. Therefore, you usually have to teach the person how to manually search the vault and either fill manually, or copy and paste credentials. Otherwise, you can expect phone calls for support. And, of course, the original article actually suggests disabling automatic autofill. It suggests filling manually, further opening up the possibility of mistakenly filling onto a dodgy domain. As soon as you teach them a workaround to deal with this case, the phishing vector is basically no different to a post-it.

This problem might also apply to a tired, tech literate person, who mindlessly fills manually or copies credentials without checking the domain.

In either case, we fall back to Google Safe Browsing doing its job properly, and await solid anti-phishing solutions like FIDO2/webauthn.
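The domain-matching behaviour the comment above describes, as an added illustration (not code from the thread or from any particular password manager): a strict match offers a saved entry only for the saved domain or its subdomains, so amazon.co.uk gets nothing for an amazon.com entry (the usability gap), but a lookalike host that merely contains "amazon.com" gets nothing either (the protective property). A user-declared list of equivalent domains is shown as one way to close the gap without widening the match; the vault entries and hostnames are constructed.

```python
"""Toy model of password-manager autofill matching (constructed example)."""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed vault: label -> registrable domain the credential was saved for.
VAULT = {
    "amazon": "amazon.com",
    "bank": "example-bank.test",
}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def same_or_subdomain(host: str, saved: str) -> bool:
    """True only for the saved domain itself or a subdomain of it.

    The suffix check includes the dot, so 'amazon.com.login-check.test'
    is NOT treated as a subdomain of 'amazon.com'."""
    return host == saved or host.endswith("." + saved)


def candidates(current_url: str,
               equivalents: dict[str, set[str]] | None = None) -> list[str]:
    """Vault labels a strict manager would offer to autofill on current_url.

    `equivalents` maps a saved domain to other domains the user has explicitly
    declared interchangeable (e.g. a country-specific storefront). This is the
    hypothetical mitigation for the 'no credentials found' usability gap."""
    host = host_of(current_url)
    equivalents = equivalents or {}
    offered = []
    for label, saved in VAULT.items():
        allowed = {saved} | equivalents.get(saved, set())
        if any(same_or_subdomain(host, a) for a in allowed):
            offered.append(label)
    return offered


def naive_substring_match(current_url: str) -> list[str]:
    """The weak alternative: offer an entry if the saved domain appears ANYWHERE
    in the hostname. This destroys the phishing protection, because a lookalike
    host can embed the real domain as one of its labels."""
    host = host_of(current_url)
    return [label for label, saved in VAULT.items() if saved in host]
```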

1 comments

> A password manager only really offers marginal phishing protection, in the sense that 'automatic autofill' (as defined in the original post) is not available with an unrecognised website.

I don't know if alerting the user that something is wrong could be described as "marginal" for phishing attacks.

Sure, they may still make the bad decision but it might seem odd to them that their password manager didn't offer to fill it in for the site and get them to start looking around and double checking things.