Hacker News new | ask | show | jobs
by Hackbraten 310 days ago
> simply check the URL before having KeePass autotype.

I’m not going to rely on myself never making a mistake. I want a solution that protects me even during stressful moments where I have a lapse of judgement and forget to check.
2 comments
simoncion 310 days ago
If you're not using KeepassXC's browser plugin (or are using KeePassX, which -IIRC- never had a browser plugin), then its autotype feature will check the title of the window that has keyboard focus when deciding which entry to use. If one or more matches are found, it will [1] also ask you to confirm which entry you're about to have the software punch in. If no matches are found, it will alert you to that fact.

You might find the KeePassXC docs about the feature [0] to be informative.

If you're going to complain that all a phisher has to do to capture a password is create a website with the same title as the official one, then my reply would be something like "Duh. That's what the browser plugin is for.".

[0] <https://keepassxc.org/docs/KeePassXC_UserGuide#_auto_type>

[1] ...optionally, and on by default...

link
Hackbraten 310 days ago
Not sure how you got the impression that I was unwilling to use a browser plugin.

I’m absolutely looking for a browser plugin. I would refuse to use an auto-type feature that only checks the window title instead of, as a browser plugin would do, the site’s domain.

link
simoncion 310 days ago
I'm not sure how you got the impression that I had the impression that you're unwilling to use a browser plugin. I have absolutely no idea whether or not you're willing to use a browser plugin.

I was mentioning how auto-type worked because it's useful information for those who either are unwilling to use a browser plugin, or are like myself and simply have no need for one.

link
rpdillon 309 days ago
I don't think fixing this at the browser-level is the right place. In general, I'm very vigilant, but I know I can be tricked. So I have a policy about not clicking links in emails from companies I already know the address for. I also aggressively right click / long tap links to examine the URL before opening.

In general, opening a malicious URL exposes the user to unnecessary risk, so the correct solution is not to assume the user has visited a malicious site (since that would already be high-risk), but rather to prevent opening of malicious URLs. The most obvious solution is to treat any untrusted content as questionable. So I very carefully examine every domain I visit - as I say to my kids: have a model about who owns the computer you're talking to. Domains matter.

Now, this works for me. I'm not cognitively impaired, I have high conscientiousness, probably from working in military and classified defense contexts way back when, but I'm not really sure to be honest, could just be my personality. But it works for me.

I get that you want that extra safeguard, but it's just not a dealbreaker for me, especially since I'm highly suspicious of browser add-ons and the security implications they bring in. I guess I'm just extremely selective about what add-ons I'll use.

link