Bitwarden warns against using autofill on load for that very reason, as then simply loading a malicious page might cause it to provide passwords to such a site.
And then, a human when a site doesn’t autofill, is more likely to just go “huh, weird” and do it manually.
You’ve always got the human element, bypassing security features; but extra little hurdles like a password manager refusing to autofill an unknown url is at least one more opportunity for the user to recognize that something’s wrong and back away.
If you’re already used to manually typing in the auth details, you may not even notice you’re not on the site you were expecting.
Someone manages to maliciously sneak username and password fields onto a site that store what is entered as soon as it’s typed. They don’t even have to be visible to the user and bitwarden will fill them in as soon as the page loads.
Right, “maliciously sneak”, as in they’ve either gained access to make changes to the site ditectly, or they’ve found a way to inject their scripts to steal creds.
And how is that any different from not having a password manager?
Yes, if someone hijacks a domain they can get credentials intended for that domain. A password manager doesn’t make a huge difference here, because why would they make the site look any different than normal?
Here’s the thing … as crazy as a notebook with passwords sounds, it’s not accessible to someone across the internet.
Password managers check the URL before giving its data. A human being can be fooled into giving it to a fake web site.
TBF, they can be fooled too.
Bitwarden warns against using autofill on load for that very reason, as then simply loading a malicious page might cause it to provide passwords to such a site.
And then, a human when a site doesn’t autofill, is more likely to just go “huh, weird” and do it manually.
You’ve always got the human element, bypassing security features; but extra little hurdles like a password manager refusing to autofill an unknown url is at least one more opportunity for the user to recognize that something’s wrong and back away.
If you’re already used to manually typing in the auth details, you may not even notice you’re not on the site you were expecting.
Wait, what? How does autofill get fooled?
Someone manages to maliciously sneak username and password fields onto a site that store what is entered as soon as it’s typed. They don’t even have to be visible to the user and bitwarden will fill them in as soon as the page loads.
Bitwarden will only autofill if the domain matches.
Right, “maliciously sneak”, as in they’ve either gained access to make changes to the site ditectly, or they’ve found a way to inject their scripts to steal creds.
And how is that any different from not having a password manager?
Yes, if someone hijacks a domain they can get credentials intended for that domain. A password manager doesn’t make a huge difference here, because why would they make the site look any different than normal?
I guess you didn’t read most of the comment.