[AlbertCory]

These are all weak. "Phishing protection" consists of not clicking on URLs someone sends you, particularly the "is this you in the photo?" messages on Facebook.

"human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.

If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.

[latexr]

> "human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.

It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.

[AlbertCory]

You missed the part where I said not to click on URLs people send.

[latexr]

But you do realise non-technical people (i.e. most of the world) will click those links, don’t you? Password managers have a convenient and secure solution to the problem and you’re offering an alternative which requires teaching and convincing everyone to act differently in a very specific situation to prevent a situation that rarely happens but is potentially catastrophic when it does.

[AlbertCory]

Everyone in the world is not reading Hacker News.

[latexr]

Exactly. Which is why it’s a good thing password managers exists. It means people don’t need to read specific advise about not clicking links, which is their purpose, on tech forums.

[AlbertCory]

"people don't need to read"

Any less sophisticated user needs to be told that. If you go to some classes for new computer users, I'm pretty sure that'll be in the first hour.

Anyhow, HN readers don't fall in that group.

[Latty]

So some news site you read on gets hacked and they install malware that means when you move to another tab, it changes the tab to look like a log in screen for say, google, and when you go back, you log in. This has been seen in the wild, and it is very hard for a human to catch, we assume we had a tab open and log in. A password manager will refuse to do it because it isn't the right domain.

Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.

Hardware security keys are an even better solution, but not every site supports them. Both is by far the best option.