zlacker

1. emacdo+(OP) 2023-02-24 03:14:05
Heh, you got me. A password manager is the ONE plugin I have installed in my profile that I use to access my banks.

Simply put, I trust the password manager. Recently, however, I have considered uninstalling that plugin and using only the desktop version of the password manager -- and then copy/pasting username/pw from the password manager to websites.

One reason I don't do that, though... is because having the password manager as a browser plugin guarantees (?) that the password it presents to me is for the site I am visiting. If I end up on a website with an IDN that was chosen very carefully to look like my bank's domain, my password manager plugin won't present me with a password -- which will trigger my paranoia.

If you can't tell, I wrestle with this decision pretty regularly...

replies(2): >>TedDoe+46 >>tombro+oh
2. TedDoe+46 2023-02-24 04:14:37
>>emacdo+(OP)
Use the built-in browser password manager. It is safe and it only auto fills for the correct URL… exactly what you mentioned. You should be able to export from your current PW manager and import into the browser’s. Then turn on browser sync to make sure those passwords are available on all browser instances.
replies(1): >>nidnog+3T
3. tombro+oh 2023-02-24 06:02:25
>>emacdo+(OP)
In Firefox you can change the "network.IDN_show_punycode" value to true, and you will no longer see lookalike IDN domains. It's a good point about using a browser password manager though, since they won't function on a lookalike domain and that should force you to stop and reassess, at which time you (hopefully) notice the scam.
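The origin matching and punycode display discussed in the comments above, as an added example that is not part of any comment in this thread. The `bank.example` origin, the saved login and the function names are constructed for illustration, and exact-origin comparison is a simplifying assumption about how a password manager decides what to offer.

```javascript
// Constructed sample data: one saved login for a placeholder bank origin.
const savedLogins = [
  { origin: "https://bank.example", username: "alice" },
];

// Constructed page URLs. The second hostname uses Cyrillic "a" (U+0430)
// where the real one has Latin "a", so the two render almost identically.
const realPage = "https://bank.example/login";
const lookalikePage = "https://b\u0430nk.example/login";

// The URL parser converts internationalized hostnames to their ASCII
// (punycode, "xn--") form, so origins are compared as bytes, not as glyphs.
function canonicalOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Offer only credentials whose stored origin equals the page's origin.
function loginsFor(pageUrl) {
  const origin = canonicalOrigin(pageUrl);
  return savedLogins.filter((login) => login.origin === origin);
}

// Return the ASCII hostname (what a punycode-only address bar would show)
// and whether any label is an encoded internationalized label.
function describeHost(pageUrl) {
  const host = new URL(pageUrl).hostname;
  const isIdn = host.split(".").some((label) => label.startsWith("xn--"));
  return { host, isIdn };
}

for (const page of [realPage, lookalikePage]) {
  const { host, isIdn } = describeHost(page);
  const offered = loginsFor(page).map((login) => login.username);
  console.log(host, isIdn ? "(IDN)" : "(ASCII)", "offers:", offered);
}
```

The lookalike page gets an empty credential list because its canonical origin differs from the stored one, which is the "no password offered" signal the comments rely on.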
4. nidnog+3T 2023-02-24 12:17:13
>>TedDoe+46
This is the last thing I expected to see on HN but after reading this I have to ask - is it ever remotely safe? Asking for a friend.
replies(1): >>TedDoe+5n1
5. TedDoe+5n1 2023-02-24 15:42:56
>>nidnog+3T
Absolutely. Much safer than a browser extension (source: I’m an ex-Mozilla engineer)