[tgsovlerkhgsel]

This is why properly working password managers are important, and why as a web site operator you should make sure to not break them. My password not auto-filling on a web site is a sufficient red flag to immediately become very watchful.

Code-based 2FA, on the other hand, is completely useless against phishing. If I'm logging in, I'm logging in, and you're getting my 2FA code (regardless of whether it's coming from an SMS or an app).

[nialv7]

the creator of https://haveibeenpwned.com got phished once (no kidding), and he uses a password manager.

[phsau]

And if you read the story, it's because he ignored the fact that the password manager didn't prompt auto-fill.

"I went to the link which is on mailchimp-sso.com and entered my credentials which - crucially - did not auto-complete from 1Password. I then entered the OTP and the page hung. Moments later, the penny dropped, and I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address:"

[akerl_]

How does this square with the fact that the tech savvy person in the post was phished despite using a password manager.

[dgl]

The post calls this out:

> the 1Password browser plugin would have noticed that “members-x.com” wasn’t an “x.com” host.

But shared accounts are tricky here, like the post says it's not part of their IdP / SSO and can't be, so it has to be something different. Yes, they can and should use Passkeys and/or 1password browser integration, but if you only have a few shared accounts, that difference makes for a different workflow regardless.

[akerl_]

Yes; 1Password was used. And it worked properly. But because humans are fallible, a human made a mistake anyways.

"Properly working password managers" do not provide a strong defense against real world phishing attacks. The weak link of a phishing attack is human fallibility.

[otterley]

Precisely. 1Password's browser integration would have noticed a domain mismatch and refused to autofill the password -- but in a panic, Kurt apparently opened 1Password and then copied/pasted the credentials manually.

[sergiotapia]

This is how they got my Steam account credentials, although I realized the stupid shit I did the second I clicked submit form, and reset my password to random 32 characters using bitwarden. Me! Someone who is deeply technical AND paranoid.

The key here is the hacker must create the most incisive, scary email that will short circuit your higher brain functions and get you to log in.

I should have realized the fact that bitwarden did not autofill and take that as a sign.

[stavros]

Same thing happened to me (not with Steam), but it's also the thought that "this could never happen to me" that leads you to assign an almost zero probability to the problem being a phishing attempt.

[zahlman]

> The key here is the hacker must create the most incisive, scary email that will short circuit your higher brain functions and get you to log in.

... and specifically by using the link in the email, yes?

[akerl_]

Which is why a properly working password manager is not a strong defense against phishing.

[jopsen]

Not a strong defense, but it helps.

But it's also why sites that don't work well with a password manager are actively setting their users up to be phished.

Same with every site that uses sketchy domains, or worse redirects you to xyz.auth0.com to sign in.

[otterley]

Correct. The moral of the story is that hardware MFA and/or passkeys are a necessity in today's world. An infinitely complex password and 2FA are no match for attacks that leverage human psychology.

[onionisafruit]

It's a strong defense that this guy decided not to use

[akerl_]

User security that doesn’t meet real users where they are is just nerd theatre.

[onionisafruit]

It works for me. I’m unconcerned if it works for anybody else.

[rtpg]

Because CEOs at startups are notorious for trying to problem solve aggressively by "just" doing the thing rather than throwing it at a person who _might_ have made the same mistake, but might be more primed to be confused as to why they are not logged into x dot com and why 1password's password prompt doesn't show up and why the passkey doesn't work or whatever.

It's always possible to have issues, of course, and to make mistakes. But there's a risk profile to this kind of stuff that doesn't align well with how certain people work. Yet those same people will jump on these to fix it up!

[akerl_]

It’s a bold move to typecast all CEOs as uniquely vulnerable to a problem that the evidence shows every single one of us is vulnerable to.

Blaming some attribute about user as why they fell for a phishing attempt is categorically misguided.

[esseph]

Turn off autofill, it is exploited by modern attacks including tapjacking