Author: Ben
Language: text
Description: Password managers filling in credentials
Timestamp: 2017-06-20 16:36:01 +0000
I want to suggest that getting your password manager to fill in your details may not be as bad as has been suggested, but I'd be interested in your thoughts and comments.

I use 1Password over several devices. On each device I either have an OS or browser extension that lets me get 1Password to fill in the credentials for me - it does not do it automatically, I have to 'command' it to fill them.
This password manager has two interesting safeguards:
1) if the domain doesn't match the one that the credentials were saved with, it either won't fill in the details, or will warn you that the domain is different
2) it will remind you that when the credentials were first saved the site was using HTTPS, but the login form you are trying to fill is currently only HTTP - I think it also warns about saving passwords on plain HTTP, but am not 100%

The two safeguards above have helped me a couple of times when I've not been the most alert (first thing in the morning/last thing at night, or in a hurry due to various constraints) and saved me from some convincing phishing attempts, and also saved me from entering credentials on sites that have messed up their SSL certs, saving my credentials from being transmitted in the clear.

In both of these cases the password manager has helped me retain the integrity of my credentials, whereas if I simply copied and pasted credentials, I would have to rely on myself being more alert (something I think most of us fail to be at certain times?)

Furthermore, because it only fills in one set of credentials per page (it asks you to select if there are multiple matches), and it only fills in the credentials when I 'command' it to, I think this mitigates form injection as suggested by one of last week's feedbacks?

Am I giving my password manager too much credit? Can you still see flaws that I've been blind to?

Lastly, I understand not all managers are equal, features found in one may be lacking in others - always worth considering when talking about a category of products.

As always, many thanks for the show,
Ben
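
The domain check, the HTTPS check and the fill-on-command behaviour described in the message above, as an added sketch that is not part of the original paste and not 1Password's code. The function name, the decision labels and the sample URLs are assumptions made for illustration; a domain mismatch is treated as a refusal here, where the message says the manager may instead warn.

```javascript
// Hypothetical fill-decision logic for a password manager extension.
// savedUrl: where the login was stored; pageUrl: the page asking for it.
function fillDecision(savedUrl, pageUrl, userCommanded) {
  // Only act on an explicit user command, never on page load.
  if (!userCommanded) return { action: "ignore", reason: "no user command" };

  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return { action: "refuse", reason: "unparseable URL" };
  }

  // Safeguard 1: exact hostname comparison. URL() lowercases the host and
  // punycodes IDNs, so lookalikes and "saved host as a prefix" tricks fail.
  if (saved.hostname !== page.hostname) {
    return {
      action: "refuse",
      reason: `domain mismatch: saved ${saved.hostname}, page ${page.hostname}`,
    };
  }

  // Safeguard 2: the login was saved over HTTPS but the form is plain HTTP.
  if (saved.protocol === "https:" && page.protocol !== "https:") {
    return { action: "warn", reason: "saved over HTTPS, form served over HTTP" };
  }

  return { action: "fill", reason: "domain and scheme match" };
}

// Constructed sample input: one saved login checked against several pages.
const SAVED = "https://accounts.example.com/login";
const cases = [
  ["https://accounts.example.com/signin?next=/", true],   // same site
  ["https://accounts.example.com.evil.test/login", true], // saved host as prefix
  ["https://accounts.examp1e.com/login", true],           // lookalike character
  ["http://accounts.example.com/login", true],            // HTTPS downgraded
  ["https://accounts.example.com/login", false],          // page load, no command
];
for (const [page, commanded] of cases) {
  const d = fillDecision(SAVED, page, commanded);
  console.log(`${d.action.padEnd(6)} ${page} (${d.reason})`);
}
```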