[jasode]

>Are we really running URL-unaware password managers in the year 2026?

URL-aware browser plugins for autofilling passwords can also make people _more_ susceptible to phishing.

The password managers plugins sometimes not working correctly changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled becomes normal and expected for legitimate websites. If that happens enough, it inadvertently trains sophisticated computer-literate users to lower their guard when encountering true phishing websites in the future. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643

Password browser plugins being imperfect can simultaneously increase AND decrease security because of interactions with human psychology.

[embedding-shape]

Even if autofill breaks, the moment it does, if you're security aware, is to actually read the URL you're at, not start copy-pasting like it's the wild west.

> autofilling passwords can also make people _more_ susceptible to phishing

No, it doesn't. What it does, is generally make people _less_ susceptible to phishing, but the moment you stop paying attention when autofill breaks, is the moment you can STILL get phished. But in 90% of the cases, the autofill will HELP you avoid getting phished.

What an absolutely bananas thing to say, that autofilling passwords make people more susceptible to phishing, completely wrong and borderline harmful to spread things like this.

[esseph]

It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)

[embedding-shape]

This?

> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero

The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.

That's not a "hijack of autofill", it's a "attacker can put whatever they want in the frontend", and nothing will protect users against that.

And even if that is an potential issue, using it as an argument why someone shouldn't use a password manager, feels like completely missing the larger picture here.

[esseph]

I never said someone should not use a password manager.

I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.

The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.

[dns_snek]

I don't think your other comment supports your assertion. I've experienced Bitwarden failing to auto-fill due to quirks on websites, but I've never seen it fail to identify the domain correctly.

You link to Bitwarden's issues mentioning autofill and while it's true that autofill might break, if you click on the extension icon it's going to present you with a list of credentials for the current domain and give you options to quickly copy the username and password to your clipboard.

If that list is empty then I'm immediately put on high alert for phishing, but so far it's always been due to the website changing its URL/domain. I retrace my steps, make sure I'm on the right domain, then I have to explicitly search for the old entry and update it with the new URL.

That said, I've seen people do: Empty account list -> The darn password manager is misbehaving again -> Search and copy the password. I wouldn't consider those people to be sophisticated users since they're misunderstanding and defying the safety mechanisms.

[ziml77]

Wrong. If my password manager doesn't auto-fill I'm am immediately far more wary. If I didn't have any URL matching in the password manager then I would very quickly stop paying close enough attention to the URL because I'd have to do it too frequently.