undefined | Better HN

0 pointsbrabel2y ago0 comments

You're wrong, with password managers you can definitely be phished. Unless it's literally impossible to extract the password to enter it manually, but I don't think password managers make that impossible (and if it's possible, users will do it).

With passkeys it's literally impossible.

0 comments

makeitdouble2y ago

Could you expand on how to trick a password manager to enter the password on a fake domain ?

I'd see having the user add the domain themselves, or get the user to copy/past the password themselves on some other form. But the phishing is not happening on the password manager side, and these use cases still exist even after you chose passkeys (i.e. I'd still need to somewhat log into Google's auth from my Nest hub for instance to have it show the calendar)

barnabee2y ago

It happens to me very regularly that a password in my password manager is needed on a different domain. Maybe the logon process is at id.domain.com and password is pinned to domain.com, or maybe the password was created at signup.domain.com and so it doesn't pop up on domain.com, or you have to log in to a hotel's site with the password from their reward scheme (different domain), etc...

In any case users are trained by the internet to need to search for the right password outside the pinned domains. Most of the time I guarantee people don't add the extra domains to the password records. So when a phishing site pops up they'll do the same: search for the site name/domain that they think they're logging into and go from there.

Password managers solve password reuse, weak passwords, etc. but IMO do not solve phishing, especially not for the kind of user who's most susceptible t it (little technical understand, hates this stuff, just wants to follow instructions and not deal with it), but passkeys might.

nightski2y ago

At least on Bitwarden you can just edit the domain if that comes up a lot for you (or even add multiple domains to a password). I'd rather do that than copy/paste on a regular basis. Honestly I can't say I ever copy/paste.

1 more reply

makeitdouble2y ago

I'm totally with you.

These issues won't be solved unless passkeys work absolutely everywhere the user has to authenticate. Logon required or weird and funky domains is currently due to service providers being a mess themselves (I'm looking at you, Microsoft). So should we expect them to miraculously get their act together and have each of these system flawlessly work with their passkey auth. from now on ?

That's where I think we're stuck with that class of issue for as long as there are multiple auth systems, passkeys or not.

mrmanner2y ago

Also autofill is just broken by some sites and app login screens, so users are used to looking at and typing their passwords every now and then.

1 more reply

forty2y ago

There can be vulnerabilities, this is clearly the hottest attack surface of password managers. I remember a few years ago Tavis Ormandy from Google Project Zero found such vulnerabilities in a bunch of the most popular password managers which allowed to steal credentials from a rogue website.

I'd still recommend using a password manager, as overall and in practice the risk of phishing and (re)using (weak) passwords is far greater than this kind of rare vulnerabilities (and also I work for a company that makes a password manager ^^)

See https://lock.cmpxchg8b.com/passmgrs.html if you'd like to know more

Aeolun2y ago

> With passkeys it's literally impossible.

I dunno about you. But I like being able to get my passwords out of the password manager. How is not being able to do so a feature?

mikestew2y ago

The metaphor might be a bit esoteric, but that's similar to wishing that Hardware Security Modules (HSMs) allowed you "get your <private keys>" out of the HSM. As sibling comment says, that's how you get phished. The whole point of an HSM (and a passkey) is that the super-secret private part never leaves the HSM no matter how nicely you ask and no matter how compromised the machine is.

A password manager, OTOH, is happy to hand out your private key ("password" in this case) to anyone that has access to it.

Atotalnoob2y ago

Yes, but I don’t want vendor lockin.

I want to move my passkeys where I want and use tools I want.

Not allowing anyway of changing passkeys is terrible. Imagine someone switches from IOS to android. How do they use their passkeys?

Even if they had a big “warning don’t do this” sign it would be better than not allowing it in anyway.

2 more replies

sowbug2y ago

It's not that kind of impossible. It means that even if you are tricked into giving your passkey to the attacker, it's cryptographically useless to the attacker because a passkey is bound to a specific origin.

brabelOP2y ago

Because that opens you up for being phished.

Aeolun2y ago

True, but it also opens me up to using the same password on all machines I use. You can argue that’s a negative, but personally I like being able to add a new machine to my collection without worrying about who the vendor is.

j / k navigate · click thread line to collapse

0 comments

makeitdouble2y ago

Could you expand on how to trick a password manager to enter the password on a fake domain ?

barnabee2y ago

nightski2y ago

1 more reply

makeitdouble2y ago

I'm totally with you.

That's where I think we're stuck with that class of issue for as long as there are multiple auth systems, passkeys or not.

mrmanner2y ago

Also autofill is just broken by some sites and app login screens, so users are used to looking at and typing their passwords every now and then.

1 more reply

forty2y ago

See https://lock.cmpxchg8b.com/passmgrs.html if you'd like to know more

Aeolun2y ago

> With passkeys it's literally impossible.

I dunno about you. But I like being able to get my passwords out of the password manager. How is not being able to do so a feature?

mikestew2y ago

A password manager, OTOH, is happy to hand out your private key ("password" in this case) to anyone that has access to it.

Atotalnoob2y ago

Yes, but I don’t want vendor lockin.

I want to move my passkeys where I want and use tools I want.

Not allowing anyway of changing passkeys is terrible. Imagine someone switches from IOS to android. How do they use their passkeys?

Even if they had a big “warning don’t do this” sign it would be better than not allowing it in anyway.

2 more replies

sowbug2y ago

brabelOP2y ago

Because that opens you up for being phished.

Aeolun2y ago

j / k navigate · click thread line to collapse