[makeitdouble]

Could you expand on how to trick a password manager to enter the password on a fake domain ?

I'd see having the user add the domain themselves, or get the user to copy/past the password themselves on some other form. But the phishing is not happening on the password manager side, and these use cases still exist even after you chose passkeys (i.e. I'd still need to somewhat log into Google's auth from my Nest hub for instance to have it show the calendar)

[barnabee]

It happens to me very regularly that a password in my password manager is needed on a different domain. Maybe the logon process is at id.domain.com and password is pinned to domain.com, or maybe the password was created at signup.domain.com and so it doesn't pop up on domain.com, or you have to log in to a hotel's site with the password from their reward scheme (different domain), etc...

In any case users are trained by the internet to need to search for the right password outside the pinned domains. Most of the time I guarantee people don't add the extra domains to the password records. So when a phishing site pops up they'll do the same: search for the site name/domain that they think they're logging into and go from there.

Password managers solve password reuse, weak passwords, etc. but IMO do not solve phishing, especially not for the kind of user who's most susceptible t it (little technical understand, hates this stuff, just wants to follow instructions and not deal with it), but passkeys might.

[nightski]

At least on Bitwarden you can just edit the domain if that comes up a lot for you (or even add multiple domains to a password). I'd rather do that than copy/paste on a regular basis. Honestly I can't say I ever copy/paste.

[barnabee]

Yeah, I do this too, but many people I know wouldn't even think about the fact that they could do that, or why they would. They just know that whatever password manager they use doesn't find the password but if they search for it, it's there. So they do that and get on with their lives, inadvertently opening up an avenue for phishing.

[mannykannot]

Thanks for your explanations. It's all the more reason to be pissed about what the big corporations are doing.

[makeitdouble]

I'm totally with you.

These issues won't be solved unless passkeys work absolutely everywhere the user has to authenticate. Logon required or weird and funky domains is currently due to service providers being a mess themselves (I'm looking at you, Microsoft). So should we expect them to miraculously get their act together and have each of these system flawlessly work with their passkey auth. from now on ?

That's where I think we're stuck with that class of issue for as long as there are multiple auth systems, passkeys or not.

[mrmanner]

Also autofill is just broken by some sites and app login screens, so users are used to looking at and typing their passwords every now and then.

[hedora]

And, of course, the malicious site can arrange for autofill to be broken.

[forty]

There can be vulnerabilities, this is clearly the hottest attack surface of password managers. I remember a few years ago Tavis Ormandy from Google Project Zero found such vulnerabilities in a bunch of the most popular password managers which allowed to steal credentials from a rogue website.

I'd still recommend using a password manager, as overall and in practice the risk of phishing and (re)using (weak) passwords is far greater than this kind of rare vulnerabilities (and also I work for a company that makes a password manager ^^)

See https://lock.cmpxchg8b.com/passmgrs.html if you'd like to know more