Password managers automate checking the website address for you
I recently read Terence Eden's That’s not how 2FA works (via). In it, there's an insight I hadn't realized about what password managers do for you:
A password manager stores your passwords. But it also stores the web address of site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.
Let's rephrase this: password managers automate checking the website's URL. We all know that we should check the URL to make sure we're really on Github or Twitter or wherever before we enter our login and password, but we don't always do that and even when we try, humans are really bad at seeing the one exception in a thousand normal cases.
(Unless we're very lucky, we see what we expect to see and we expect to see the usual URL and website name. This is true even on browsers that still show the full URL instead of some shortened or abstracted version or a name from the TLS certificate.)
As part of remembering long passwords for you, password managers do the thing that computers are so good at; they automate this check so that it's always done and reliable. They also do it in the best way possible for this sort of security, because it's not an extra check, it's an inherent part of their password lookup. Since it's not an extra check, there's no 'are you sure you want to' option (that people will always say yes to) and it's easy to explain to people why they're not getting to log in to where they expect.
I hadn't thought of this aspect of password managers before now. I'd always thought of them just as a way to remember my long random passwords, without associating this with verifying the website.
(Well, every so often I got reminded of the website matching side, on the rare occasions that websites changed their login subdomain and procedure so much that my browser's memorized passwords no longer matched and I had to fix it. But websites seem to do that much less these days, perhaps because so many people are using password managers and so get irritated at websites that break them.)
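As an added example (not code from the post or from any particular password manager), here is a minimal model of that lookup in JavaScript: the vault entries and the look-alike domains are constructed for illustration, and the check is the lookup itself, so a look-alike host or a moved login subdomain simply gets no credentials offered.

```javascript
// Added example, not from the post: how a password manager decides whether
// to offer a stored login for the current page. Credentials are keyed by the
// origin of the site they were saved on, so a look-alike domain never
// matches and there is no "are you sure?" prompt to click through.

// Constructed vault: each entry is keyed by the origin (scheme + host + port)
// of the login page where the password was saved. Values are placeholders.
const VAULT = [
  { origin: "https://github.com",  username: "alice", password: "example-only" },
  { origin: "https://twitter.com", username: "alice", password: "example-only" },
];

// Normalise a URL to its origin. Returns null for anything that is not a
// well-formed https URL, so odd input never matches an entry. The URL
// parser lowercases the host, drops the default port and converts
// internationalised hostnames to punycode, so homoglyph hosts compare
// as different strings rather than looking like the real one.
function originOf(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  if (parsed.protocol !== "https:") return null; // saved over TLS, only offered over TLS
  return parsed.origin;
}

// Return the vault entries whose stored origin exactly equals the page's
// origin. Exact comparison is the point: "githud.com", "github.com.evil.example"
// and "github.evil.example" all differ from "https://github.com" and get nothing.
// The same strictness is why a site that moves its login page to a new
// subdomain (e.g. login.github.com) gets no match until the entry is re-saved.
function matchingLogins(pageUrl, vault = VAULT) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return vault.filter((entry) => entry.origin === origin);
}

// Stand-alone demonstration with constructed page URLs.
for (const page of ["https://github.com/login", "https://githud.com/login",
                    "https://github.com.evil.example/login", "https://login.github.com/"]) {
  const hits = matchingLogins(page);
  console.log(page, "->", hits.length ? hits.map((h) => h.username) : "no credentials offered");
}
```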