Hacker News new | ask | show | jobs
by akersten 164 days ago
> open their password manager which also might need you to authenticate, type in their master password, search for the name of the said website, copy the password, paste it in

This is one way to guarantee you'll eventually fall for a phishing attack. Are we really running URL-unaware password managers in the year 2026?
7 comments
jasode 164 days ago
>Are we really running URL-unaware password managers in the year 2026?

URL-aware browser plugins for autofilling passwords can also make people _more_ susceptible to phishing.

The password managers plugins sometimes not working correctly changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled becomes normal and expected for legitimate websites. If that happens enough, it inadvertently trains sophisticated computer-literate users to lower their guard when encountering true phishing websites in the future. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643

Password browser plugins being imperfect can simultaneously increase AND decrease security because of interactions with human psychology.

link
embedding-shape 164 days ago
Even if autofill breaks, the moment it does, if you're security aware, is to actually read the URL you're at, not start copy-pasting like it's the wild west.

> autofilling passwords can also make people _more_ susceptible to phishing

No, it doesn't. What it does, is generally make people _less_ susceptible to phishing, but the moment you stop paying attention when autofill breaks, is the moment you can STILL get phished. But in 90% of the cases, the autofill will HELP you avoid getting phished.

What an absolutely bananas thing to say, that autofilling passwords make people more susceptible to phishing, completely wrong and borderline harmful to spread things like this.

link
esseph 164 days ago
It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)
link
embedding-shape 164 days ago
This?

> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero

The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.

That's not a "hijack of autofill", it's a "attacker can put whatever they want in the frontend", and nothing will protect users against that.

And even if that is an potential issue, using it as an argument why someone shouldn't use a password manager, feels like completely missing the larger picture here.

link
esseph 164 days ago
I never said someone should not use a password manager.

I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.

The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.

link
dns_snek 164 days ago
I don't think your other comment supports your assertion. I've experienced Bitwarden failing to auto-fill due to quirks on websites, but I've never seen it fail to identify the domain correctly.

You link to Bitwarden's issues mentioning autofill and while it's true that autofill might break, if you click on the extension icon it's going to present you with a list of credentials for the current domain and give you options to quickly copy the username and password to your clipboard.

If that list is empty then I'm immediately put on high alert for phishing, but so far it's always been due to the website changing its URL/domain. I retrace my steps, make sure I'm on the right domain, then I have to explicitly search for the old entry and update it with the new URL.

That said, I've seen people do: Empty account list -> The darn password manager is misbehaving again -> Search and copy the password. I wouldn't consider those people to be sophisticated users since they're misunderstanding and defying the safety mechanisms.

link
ziml77 163 days ago
Wrong. If my password manager doesn't auto-fill I'm am immediately far more wary. If I didn't have any URL matching in the password manager then I would very quickly stop paying close enough attention to the URL because I'd have to do it too frequently.
link
Y-bar 164 days ago
It’s also an issue that extensions like 1Password are _too_ URL-aware, until recently it tried to use heuristics and ignore subdomains for matching credentials. This meant that we used to get a list of almost a hundred options when logging into our AWS infrastructure. No matter which actual domain used. Someone could have used this vulnerability as part of a phishing campaign.
link
embedding-shape 164 days ago
> extensions like 1Password are _too_ URL-aware, until recently it tried to use heuristics and ignore subdomains for matching credentials

I've used 1Password for years (Linux+Firefox though, FWIW), and this never happened to me or our family. I did discover though that the autofill basically went by hierarchy in the URI to figure out what to show, so if you specify "example.com" and you're on "login.example.com", you'll see everything matching "*example.com" which actually is to be expected. If you only want to see it on one subdomain, you need to specify it in the record/item.

That it ignored the subdomains fully sounds like it was a bug on your particular platform, because 1Password never did that for me, but I remember being slightly confused by the behavior initially, until I fixed my items.

link
Y-bar 164 days ago
It wasn't a considered a bug, it was repeatedly reported to them from us via email and from other customers on their community pages.

Just take a look here for example: https://www.1password.community/discussions/1password/bug-su...

1Password then wrote:

> 1Password currently only suggests items based on the root domain. I can see the value of having 1Password suggest only exact matches based on their subdomain, especially for the use case you have described.

Or take a look here: https://www.1password.community/discussions/1password/sugges...

1Password then wrote:

> As it currently stands, 1Password only matches on the second level domain (i.e. sample.com in your example). While I can't promise anything, this is something we've heard frequently, so I'll share your thoughts with the team.

Now it is:

> You’ll see the item as a suggestion on any page that’s part of the website, including subdomains. The item may also be suggested on related websites known to belong to the same organization.

It's that second sentence which is the problem, they "suggested" by being "smart" items from one AWS domain which ought to have never suggested on another unrelated AWS domain.

In version 8.10 when they added Only fill on this exact host: https://support.1password.com/autofill-behavior/

link
pjerem 164 days ago
Haha and Bitwarden is url aware but not enough.

I work in a company where I have two okta accounts (because hey, why not) on two .okta.com subdomains.

Bitwarden _randomly_ messes up the two subdomains and most of the times (but not always, which seems strange actually), it fills the form with the wrong password. I don’t know why. I know that there is an option to make it stricter on domain matching but you can’t configure it on per item basis, only for the whole vault.

link
taschmex 164 days ago
Every browser-based bitwarden client I have used have the option to choose the autofill option on single items as well as the global default. Find the login item, click edit, scroll to autofill options, where each URI is listed with a gear icon next to it. Click the gear and select the appropriate match type.

For the absolute majority of use cases, "host" should be the default, but i have found uses for both "base domain" and "regular expression" in some special cases.

Normal browser extension Bitwarden Ctrl-Shift-L autofill defaults to the most recently used entry when there are multiple matches, afaik.

link
sneak 164 days ago
You can indeed configure it on a per-item basis. The vault-wide setting you found is just the default for ones that don’t have an override set. Click on the domain/url matching setting in the individual credential and you can change it to exact host match.
link
buckle8017 164 days ago
Lots of people are afraid of attacks on the browser extension.

There have been exploits for them in the past, it's a legitimate concern.

Deciding between the two setups is a tradeoff between one security issue and another.

link
akimbostrawman 164 days ago
>afraid of attacks on the browser extension

Which is a legitimate concern since they are a gaping hole in security and isolation. Visiting website should be treated like phone calls from the bank. If you get called/mailed you don't follow the information there but call back / visit the site yourself e.g. from bookmarks or copy url from pw manager.

link
asimovDev 164 days ago
I am now wondering if Safari's integration with the system-wide password manager is similar to having a 1Password browser extension installed in a chromium browser
link
buckle8017 164 days ago
It's probably slightly more secure than the extension.

Legitimately the only reason to us the built in password managers is this tradeoff.

link
esseph 164 days ago
Autofill can be an attack vector.

Lookup Dom-based clickjacking. It will "autofill" the field but on submission it sends the data to an attacker.

"The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero.

The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users."

""All password managers filled credentials not only to the 'main' domain, but also to all subdomains," Tóth explained. "An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).""

More info: https://marektoth.com/blog/dom-based-extension-clickjacking/

Originally discussed at DEFCON 33

link
kajika91 164 days ago
Yes we should run URL-unaware manager, but nearly no one understand security, especially in browser. Let's see the permission asked for the #1 manager in firefox (Authenticator):

  Input data to the clipboard
  Access your data for sites in the dropboxapi.com domain
  Access your data for www.google.com
  Access your data for www.googleapis.com
  Access your data for accounts.google.com
  Access your data for graph.microsoft.com
  Access your data for login.microsoftonline.com
Yep! And #2 (2FAS Auth):

  Display notifications to you
  Access browser tabs
  Access browser activity during navigation
  Access your data for all websites
Even better, maybe at one point web browser can get their sh* together and build better permission system (and not just disable functions like manifest v3). For now the majority of people trust opaque organization shoving them unknown code their run with way too many permissions on their computers.

Talking about unknown code there is a lot of work to be done on reproducible build as anything touching web has nearly nothing about it.

link
dewey 164 days ago
That's a very smug take, especially when you encounter websites every day that don't autofill for whatever reason (As another poster already showed with some examples) or in my case the 1Password extension in Safari failing to connect to the main 1Password deamon or a number of other issues that make this still common place in 2026.

And that's for me, a technical user using a password manager.

link
jen729w 164 days ago
I also find the 1Password browser (Safari) extension to pitifully poor. But there's a neat workaround: set up a hotkey for 'Show Quick Access'. I use Ctrl+Opt+\.

This pops up 1Password's overlay but it is still URL-aware. I find it works almost universally. It'll show you what it's going to fill: just hit Return and it'll be done.

It doesn't even care what browser you're in. Works across the lot. Of course it isn't fully integrated so Passkeys won't work.

link
ahmetomer 164 days ago
I'm using Apple's Password Manager (native app on iOS & macOS), but didn't install its browser extension that can do autofill because for me it wasn't as convenient (it has a bad UX, unreliable autofill, etc.)

So, when I'm prompted to log in somewhere, I open the password manager and repeat the steps you just mentioned. It does add extra steps to the process, but I don't think it makes it less safe than having an autofill extension, which requires a ton of permissions and is more prone to compromises. And yes, my manual method also means I have to rely on me being aware of the URLs I'm on, but I usually bookmark my main services, so it's working fine for me this way. I also treat all emails as spam and/or an attack unless I verify them by the domain, and whether I had just recently requested to log in or requested a password change, etc.

At the end of the day, it boils down to us paying attention to every action we take, regardless of the measures we take, as new and different methods are being deployed to own us every day.

link