undefined | Better HN

0 pointsSpaethCo5y ago0 comments

> Integrating a password manager with a browser is too fragile and risky way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user.

Passwords are about proving identity. Using high entropy passwords for greater confidence of user identity is only part of the equation, the user needs to be able to identify the validity of the service as well.

The greatest benefit of an autofill enabled password manager is it handles the task of URL validation before offering up credentials. When you split up that function, now it's back to relying on humans to get everything right on verifying credentials get submitted only to the intended service.

0 comments

posix_me_less5y ago

Yes it has benefits but also drawbacks; I don't like the tradeoff. You have to give the password manager too great capabilities to achieve the autovalidation+autofill. Maybe if you check and compile the password manager yourself.

Also automating the process entirely means the login process can happen and succeed (or fail and disclose the password to attacker) without the knowledge of the human.

I don't have time for that, so I just run both browser and password manager isolated and copy and paste the password.

j / k navigate · click thread line to collapse

0 pointsSpaethCo5y ago0 comments

0 comments

posix_me_less5y ago

Also automating the process entirely means the login process can happen and succeed (or fail and disclose the password to attacker) without the knowledge of the human.

I don't have time for that, so I just run both browser and password manager isolated and copy and paste the password.

j / k navigate · click thread line to collapse