undefined | Better HN

0 pointstus886y ago0 comments

Ok, but how is that abuse? And if autocomplete=off is part of the html standard, how are the password managers spec compliant if they can't deal with it? Are people doing this just to annoy users who prefer password managers?

0 comments

Thorrez6y ago

>Are people doing this just to annoy users who prefer password managers?

People are doing it because they don't understand password managers, and think blocking them makes people more secure. They believe that if a password is in a manager, that password is less secure than if that password was purely in the user's head.

londons_explore6y ago

If a bug in the password manager leaked the password to your bank to a third party, many users wouldn't want to pay for any associated costs/expenses when a bad guy steals their money.

Yet the bank also doesn't want to take on security audits for code entirely outside their control.

Thorrez6y ago

I consider that similar to a bug in the browser or the operating system. Should the bank require that I only use specific browsers or operating systems? In fact any program I install on my computer could have a vulnerability, or be malicious and thus lead to my password being stolen. Should the bank require that I not install any programs except ones they specifically permit?

The bank should also consider which is more frequent: user account compromises due to weak/reused passwords, or user account compromises due to password manager bugs.

pas6y ago

Then banks should recommend a good password manager. It's on them to make their users happy after all.

One part of that is a proper risk analysis. Password reuse and weak passwords are much bigger risks than a rouge autocompleter.

j / k navigate · click thread line to collapse

0 comments

Thorrez6y ago

>Are people doing this just to annoy users who prefer password managers?

londons_explore6y ago

If a bug in the password manager leaked the password to your bank to a third party, many users wouldn't want to pay for any associated costs/expenses when a bad guy steals their money.

Yet the bank also doesn't want to take on security audits for code entirely outside their control.

Thorrez6y ago

The bank should also consider which is more frequent: user account compromises due to weak/reused passwords, or user account compromises due to password manager bugs.

pas6y ago

Then banks should recommend a good password manager. It's on them to make their users happy after all.

One part of that is a proper risk analysis. Password reuse and weak passwords are much bigger risks than a rouge autocompleter.

j / k navigate · click thread line to collapse