zlacker

7 comments
1. panark+(OP) 2023-02-24 02:59:58
Do you use a password manager? Do you visit websites for banks or brokerage firms?

If so, how do you ensure that none of these plugins and extensions steal your data?

replies(3): >>emacdo+D1 >>webmob+Qm >>sirius+OM
2. emacdo+D1 2023-02-24 03:14:05
>>panark+(OP)
Heh, you got me. A password manager is the ONE plugin I have installed in my profile that I use to access my banks.

Simply put, I trust the password manager. Recently, however, I have considered uninstalling that plugin and using only the desktop version of the password manager -- and then copy/pasting username/pw from the password manager to websites.

One reason I don't do that, though... is because having the password manager as a browser plugin guarantees (?) that the password it presents to me is for the site I am visiting. If I end up on a website with an IDN that was chosen very carefully to look like my bank's domain, my password manager plugin won't present me with a password -- which will trigger my paranoia.

If you can't tell, I wrestle with this decision pretty regularly...

replies(2): >>TedDoe+H7 >>tombro+1j
3. TedDoe+H7 2023-02-24 04:14:37
>>emacdo+D1
Use the built-in browser password manager. It is safe and it only auto-fills for the correct URL… exactly what you mentioned. You should be able to export from your current PW manager and import into the browser's. Then turn on browser sync to make sure those passwords are available on all browser instances.
replies(1): >>nidnog+GU
4. tombro+1j 2023-02-24 06:02:25
>>emacdo+D1
In Firefox you can change the "network.IDN_show_punycode" value to true, and you will no longer see lookalike IDN domains. It's a good point about using a browser password manager though, since they won't function on a lookalike domain and that should force you to stop and reassess, at which time you (hopefully) notice the scam.
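As an added example (not code from anyone in this thread), the origin-bound lookup that comments 2 and 4 rely on: a stored credential is only offered for an exact match on the canonical punycode host, so a homograph lookalike never matches, and that canonical form is the same thing Firefox shows when network.IDN_show_punycode is true. The vault contents and the lookalike host below are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact ASCII (punycode)
# host they were saved for, which is how origin-bound autofill works.
VAULT = {
    "bank.example": ("alice", "s3cr3t-example"),
}


def canonical_host(url: str) -> str:
    """Return the host of `url` in its canonical ASCII (punycode) form.

    Non-ASCII labels are run through the stdlib IDNA codec (nameprep plus
    punycode), so a host assembled from non-Latin code points comes back
    as an xn-- label instead of silently looking like the ASCII one.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii").lower()


def credential_for(url: str):
    """Offer a credential only on an exact canonical-host match.

    No suffix or fuzzy matching: bank.example.evil.example and a Cyrillic
    lookalike of bank.example both get nothing, which is the 'stop and
    reassess' signal the thread describes.
    """
    return VAULT.get(canonical_host(url))


def is_homograph_candidate(url: str) -> bool:
    """True when any label needs punycode, i.e. the host is not plain ASCII.

    This is the host as a punycode-displaying browser would render it.
    """
    labels = canonical_host(url).split(".")
    return any(label.startswith("xn--") for label in labels)


if __name__ == "__main__":
    # Constructed lookalike: the second character is Cyrillic U+0430, not 'a'.
    lookalike = "https://b\u0430nk.example/login"
    print(canonical_host(lookalike), credential_for(lookalike))
    print(canonical_host("https://Bank.example/login"),
          credential_for("https://bank.example/login"))
```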
5. webmob+Qm 2023-02-24 06:44:57
>>panark+(OP)
Not OP. My solution is to use a different browser in private browsing mode. Both Windows and macOS now come with a default browser pre-installed. I use that for any financial transactions - banking, paying bills, shopping etc. I totally avoid password managers. Using phrases is a simple way to create strong and easy to remember passwords. E.g. "This is a Good Password for #2013!".
6. sirius+OM 2023-02-24 10:58:40
>>panark+(OP)
I use banking and other sensitive sites in a separate browser profile with no extensions installed. On Mac, that would be something like "open -a "Google Chrome" --args --profile-directory=secure" and on Linux "google-chrome --profile-directory=secure".

For the rest of the web in my Default browser profile, I do have ad-blocker extensions installed (uBlock Origin, some Violentmonkey scripts), but they're not linked to the Chrome store. I prefer loading them as unpacked extensions and updating them once in a while manually. Mainly in case some malicious actor takes control of these extensions and pushes an update that does something wild.

7. nidnog+GU 2023-02-24 12:17:13
>>TedDoe+H7
This is the last thing I expected to see on HN but after reading this I have to ask - is it ever remotely safe? Asking for a friend.
replies(1): >>TedDoe+Io1
8. TedDoe+Io1 2023-02-24 15:42:56
>>nidnog+GU
Absolutely. Much safer than a browser extension (source: I’m an ex-Mozilla engineer)