[cataflam]

Hey, you're doing an exemplary response, transparent and fast, in what must be a very stressful situation!

I figure you aren't about to get fooled by phishing anytime soon, but based on some of your remarks and remarks of others, a PSA:

TRUSTING YOUR OWN SENSES to "check" that a domain is right, or an email is right, or the wording has some urgency or whatever is BOUND TO FAIL often enough.

I don't understand how most of the anti-phishing advice focuses on that, it's useless to borderline counter-productive.

What really helps against phishing :

1. NEVER EVER login from an email link. EVER. There are enough legit and phishing emails asking you to do this that it's basically impossible to tell one from the other. The only way to win is to not try.

2. U2F/Webauthn key as second factor is phishing-proof. TOTP is not.

That is all there is. Any other method, any other "indicator" helps but is error-prone, which means someone somewhere will get phished eventually. Particularly if stressed, tired, or in a hurry. It just happened to be you this time.

Good luck and well done again on the response!

[graemep]

> NEVER EVER login from an email link. EVER

Login using one off email links (instead of username + password) is increasingly common which means its the only option.

[cataflam]

In that case

1. You just requested it, I'm not saying to never click link on transactional emails you requested. You still need to click on those verify email links

2. It replaces entering your password, so you're not entering your password on a link from an email, which is the very wrong thing.

[hirako2000]

At least you've requested that email, to be able to login. The timing chance for a phishing mail to come here and there is insignificant. OP is referring to communications that are one way street, the (pseudo) organisation to you.

[graemep]

Its a lot lower risk, its still not great IMO. Email is really not designed for it, and it trains people to use links to login.

[kngspook]

Yeah, I hate these. It's also a very not-ergonomic was to sign in. I wish those companies would redirect those efforts to passkeys.

[hirako2000]

It's very ergonomic for those who discovered the internet via an iPhone, who think Gmail is email. They can't remember their passwords, and wouldn't know where how to recover most cryptographic factors. They have an email account they tend to have access to and use magic links to login , they are very happy with that.

Not promoting the pattern, I also find it worrying the majority of internet users have no basic understanding of authentication and the risk for their digital identity.

[danenania]

Username/password typically has the same issue via reset password links.

[graemep]

I agree. However you use them less often, so its far harder for someone to time it right.

If you use username instead of email address attackers have to guess that too.

One quite serious problem I see quite often is using email plus password for login, and notifying on failed login that the email is not in the system, letting attackers validate which emails are logins.

[danenania]

It happens less often, but it's also more believable that it would be sent without a user action—e.g. "We had a security incident. Please click here to change your password."

And this is exactly the kind of phishing attack that is most effective, as this particular incident shows. So I'd say it's actually a worse phishing vector than magic links.

[diggan]

Or you know, get a password manager like the rest of us. If your password manager doesn't show the usual autofill, since the domain is different than it should, take a step back and validate everything before moving on.

Have the TOTP in the same/another password manager (after considering the tradeoffs) and that can also not be entered unless the domain is right :)

[SchemaLoad]

I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished. I have to manually select the site to fill fairly often, especially inside apps where the password manager doesn't seem to match the app to the website password.

Passkeys seem like the best solution here where you physically can not fall for a phishing attack.

[vaylian]

> I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished.

This is how Troy Hunt got phished. He was already very tired after a long flight, but his internal alarm bells didn't ring loud enough, when the password manager didn't fill in the credentials. He was already used to autofill not always working.

[junon]

This is why I haven't bothered with them (the browser extensions; I have used password managers for years and years) and thus why they weren't there to protect against the attack.

[diggan]

> I feel like it's extremely common for the autofill to not work for various reasons even when you aren't being phished

I dunno, it mostly seems to not work when companies change their field names/IDs, or just 3rd party authentication, then you need to manually add domains. Otherwise my password manager (1Password) works everywhere where I have an account, except my previous bank which was stuck in the 90s and disallowed pasting the passwords. If you find that your password manager doesn't work with most websites (since it's "extremely common") you might want to look into a different one, even Firefox+Linux combo works extremely well with 1Password. Not affiliated, just a happy years+ user.

> Passkeys seem like the best solution here where you physically can not fall for a phishing attack.

Yeah, I've looked into Passkeys but without any migration strategy or import/export support (WIP last time I looked into it), it's not really an alternative just yet, at least for me personally. I have to be 100% sure I can move things when the time ultimately comes for that.

[mdaniel]

I'm glad you've had such good experience with autofill consistently working for you. My experience has been closer to that of the sibling comments: 60/40 so I often just give up and copy-paste. I actually did try jettisoning 1Password for Proton Pass but that was even worse, so I went back

> without any migration strategy or import/export support

Since you're already a 1Password user, I wanted to draw your attention to the "Show debugging tools" in the "Settings > Advanced" section. From that point, you can say "Copy Item JSON" and it will give you the details you would want for rescuing the Passkey. Importing it into something else is its own journey that I can't help with

  {
    "overview": {
      "passkey": {
        "credentialId": "...",
        "rpId": "example.com",
        "userHandle": "..."
      },
    ...
    "details": {
      "passkey": {
        "type": "webauthn",
        "createdAt": 175.......,
        "privateKey": "eyJ...",
        "userHandle": "..."
      }

I would guess their "op" CLI would allow similar, but I don't have the magic incantation to offer, whereas that Copy JSON is painless

[kngspook]

My understand is the people behind passkeys are working on an import/export solution. Who knows when it'll happen though.

For now, when companies let me have multiple passkeys, that's sufficient for me. I put one on my Apple Keychain and one in 1Password.

[cataflam]

I mostly agree and I do use one.

You only need read the whole thread however to see reasons why this would sometimes not be enough: sometimes the password manager does not auto-fill, so the user can think it's one of those cases, or they're on mobile and they don't have the extension there, or...

As a matter of fact, he does use one, that didn't save him, see: https://news.ycombinator.com/item?id=45175125

[eviks]

> sometimes the password manager does not auto-fill

So pick one that does? That's like its top 2 feature

> he does use one

He doesn't since he has no autofill installed, so loses the key security+ convenience benefit of automatch

[acdha]

> So pick one that does? That's like its top 2 feature

Still doesn’t work 100% of the time, because half of the companies on earth demote their developer time to breaking 1995-level forms. That’s why every popular password manager has a way to fill passwords for other domains, why people learn to use that feature, and why phishers have learned to convince people to use that feature.

WebAuthn prevents phishing. Password managers reduce it. This is the difference between being bulletproof like Superman or a guy in a vest.

[vinterson]

Given recent vuln of password manager extensions on desktop leaking passwords to malicious sites, I have disabled autofill on desktop... And autofill didn't work for me on ycombinator on mobile... Autofill is too unreliable.

[eviks]

You don't need 100%, just a high enough frequency that you wouldn't get used to dismissing the fail on auto pilot. Perfect shouldn't be the enemy of the good?

[sunaookami]

Then good password managers will still show you only the logins for that domain. If the login is on another domain then you would have saved it anyways when first logging in/registering and if the site moved then you can get suspicious and check carefully first.

[acdha]

All password managers allow copy-paste (which is what happened here) and the popular ones all offer you the ability to search and fill passwords from other domains. It's important to understand why they do, because it's also why these attacks continue to work: the user _thinks_ they are working around some kind of IT screwup, and 9 times out of 10 (probably closer to 99 out of 100) that's correct. Every marketing-driven hostname migration, every SSO failure, every front-end developer who breaks autofill, every “security expert” who was an accountant last year saying password managers are a vulnerability helps train users to think that it's not suspicious when you have to search for a different variation of the hostname or copy-paste a password.

That's why WebAuthn doesn't allow that as a core protocol feature, preventing both this attack and shifting the cost of unnecessary origin changes back to the company hosting the site. Attacking this guy for making a mistake in a moment of distraction is like prosecuting a soldier who was looking the other way when someone snuck past: wise leaders know that human error happens and structure the system to be robust against a single mistake.

[voxic11]

What are good password managers for chrome and Firefox on Android?

[voxic11]

Mobile autofill requires you to make other security compromises.

[eviks]

Which ones, and how do they compare to this one?

[y1n0]

He didn't say it didn't have the autofill feature, he said sometimes it doesn't work. I've experienced this pretty routinely with two different managers.

[eviks]

Yes he did, read again

> I was mobile, the autofill stuff isn't installed

[FooBarWidget]

I wish it's that easy. 1Password autofill on Android Chrome broke for me a month ago. Installed all updates, checked settings, still nothing. Back to phishing prone copy paste.