[tptacek]

Yes. This is the problem with the "just use a password manager" answer to phishing-resistance. They can be a line of defense, situationally, but you have to have them configured just right, and if you're using phishing-resistant authentication you don't need that line of defense in the first place.

[rtpg]

Isn't this backwards? If the autocomplete doesn't show up that's a flag that the password is going somewhere it doesn't belong. If you're always copy-pasting from a password manager then you're not getting that check "for free".

Obviously SSO-y stuff is _better_, but autofill seems important for helping to prevent this kind of scam. Doesn't prevent everything of course!

[tptacek]

None of this password manager configuration stuff matters; we've just got Passkeys set up for the account now, which is what we should have done, but didn't, because we spent the last 2 years with one foot out the door on Twitter altogether.

Since this attack happened despite Kurt using 1Password, I'm really not all that receptive to the idea that 1Password is a good answer to this problem.

[rtpg]

I guess I'm just saying "1Password with autofill" will help more than "1Password without autofill".

We can always make mistakes of course. And yeah, sometimes we just haven't done something.

[tptacek]

I'm saying: an intervention was required here, and that intervention was not changing how we use auto-fill. Doing that would be playing to lose.

[rtpg]

Makes sense, think we might have been talking past ourselves. Agreed on what you all actually did being right.