That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!
I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.
Oh I've never seen anything like that. But it would still help because my password manager pops up matching logins so you could just open that manually and then copy paste parts of it or type it in.
Had a similar UK bank experience. Without knowing it would be used for that, I had created a password that had digits. So "What's the 4th character" would be something like "6," "What's the 6th digit" would be "2," like an Abbott and Costello routine.
The autotyper can with a little bit of finagling. Every browser has a 'url in title bar' extension available and then you can use that for your autotype matching. If you do not like to use extensions, changing a page's title is a trivial bookmarklet or userscript to make I would think.
Well, mine pops up a big warning if you try pasting when the domain doesn't match it, so at least it would force you to take a second look. Also, all the real-world services that I use have passkeys as 2FA, which I also store in the password manager.
Then I use the authenticator built into my phone. Or the authenticator built into my desktop. Or the authenticator built into my laptop. Or my other authenticator.
My phone was destroyed not too long ago. I had been using it for passkeys. Oh no, all those passkeys were gone. No problem, when I got my new phone I just used the authenticator on my keyring to get back into my accounts. If my keyring authenticator got lost I'd just buy a new authenticator eventually and add it to my accounts.
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.
Same with Meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.