An interesting thing here is, I often don’t have my browser remember passwords. On my work laptop that’s company policy (but we use LastPass); on my personal laptop it’s a possibly-overly-paranoid (and inconsistently applied) defense against someone with access to my laptop (or e.g. to a backup of my files).
So I wasn’t surprised when the GitHub login form didn’t autofill my password. (Even though I think GitHub actually is saved.) If I had been surprised, I wonder if I’d have noticed.
This might be an example of “things which are in theory more secure might be less secure in practice”.
For logins such as GitHub, the trick is to have a password that’s complex enough that it’s only in the password manager and not in your brain, so you can’t be tricked into just typing it out.
Then, if the password doesn’t get filled, it’s about starting the password manager and letting the password manager fill it in.
I take it you mean “if the password manager doesn’t fill it in, that’s a sign you’re on the wrong site”? The password manager I use on my personal laptop isn’t integrated with my browser, so that wouldn’t have helped in my case, but yeah.
(I don’t use an integrated one partly because I’ve never properly looked into browser extensions. I don’t know what’s available and I haven’t thought about the tradeoffs.)
I do see integrating the password manager is important. Especially with a service like PayPal, where it often happens that the site where you are shopping is opening a new window for PayPal, it’s quite easy for it to give you a fake window.
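The signal discussed in this thread ("no autofill means wrong site"), sketched as an added example that is not part of any comment above and not any real password manager's code. It assumes exact-origin matching, which is a simplification (real managers differ in how they treat subdomains); the function names, vault entries and URLs are hypothetical, constructed sample data.

```javascript
// Constructed vault: each saved login is bound to the origin it was saved on.
const vault = [
  { origin: "https://github.com", username: "alice" },
  { origin: "https://www.paypal.com", username: "alice@example.org" },
];

// Return the saved entry for a page, or null when nothing should be filled.
function entryForPage(pageUrl, entries = vault) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // unparsable address: never fill
  }
  // URL.origin is scheme + host + port. The parser lowercases the host,
  // drops default ports and ignores any "user@" prefix, so comparison is
  // made on the host the browser will actually talk to, not on how the
  // address looks in the bar.
  return entries.find((e) => e.origin === url.origin) ?? null;
}

// A refusal to fill is the warning sign the thread describes.
function autofillDecision(pageUrl) {
  const entry = entryForPage(pageUrl);
  return entry
    ? { fill: true, username: entry.username }
    : { fill: false, username: null };
}

// Constructed pages, including a checkout popup like the PayPal case above.
const samples = [
  "https://github.com/login",                  // saved origin: fill
  "https://GitHub.com:443/login",              // same origin after normalization
  "http://github.com/login",                   // scheme differs: no fill
  "https://github.com.login.example/session",  // lookalike host: no fill
  "https://github.com@login.example/",         // host is login.example: no fill
  "https://www.paypal.com/checkout",           // genuine popup: fill
  "https://paypal.com.checkout.example/pay",   // fake popup: no fill
];

for (const page of samples) {
  const d = autofillDecision(page);
  console.log(d.fill ? "fill   " : "REFUSE ", page);
}
```

A manager that is not integrated with the browser never sees the page's origin, so it cannot produce this refusal; the comparison then falls to the person copying the password.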