by baobabKoodaa 534 days ago
Same here. It seems like they are very narrowly optimizing for the extremely rare case of a person who simultaneously:

A) Is fooled by a phishing attack

and

B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work

Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.

It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.


In my previous company we hired a startup that did security training, which recommended everyone use a password manager. And one of their tests was that they sent a fake phishing email to people (randomized over a couple of months so not everyone would get it the same day).

I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.

Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.

The most important bit of information is missing from your post: was everyone using 2FA? If yes, then you make a relevant point.
Even if no 2FA was involved at all, it's a good answer to the scenario you were posing.

I think plenty of people will have second thoughts when the password doesn't go.

The comparison here is using 2FA with an external device versus putting 2FA codes into a password manager.

Any kind of experiment that doesn't involve 2FA at all is not relevant for this comparison.

The anecdote provides evidence for people that are initially fooled by a phishing attack but aren't fooled enough to manually copy-paste credentials when autofill doesn't work.

Your argument about 2FA depends on how many of those people there are.

Therefore the anecdote is quite relevant, indirectly.