Tavis Ormandy (of Google Project Zero) has a pretty convincing post arguing that relying on browser extensions that modify the DOM (which includes [almost?] all password managers) is a bad idea: https://lock.cmpxchg8b.com/passmgrs.html
(he recommends using your browser's built-in password manager, which isn't as convenient but is much more secure)
It'd be ideal if browsers offered standard hooks into their password-filling mechanisms. Let the password managers volunteer "I know a password for this site!" and fill it through the browser's standard UI.
Basically, I want the browsers to implement something close to what Apple has for password management on iOS. Ideally go a bit further and expose hooks for creating/saving a new login, too.
Unless they already do this, and nobody has actually taken them up on using it?
That's an amazing idea! Do you know if any browser vendor has this concept even on the radar? It would be very cool if password managers were able to do that: manage passwords, and not have to deal with each browser's idiosyncrasies, which, if you think about it, are just a distraction from their actual mission of being a password storage.
iPhone does this already. You can choose from different password managers (I use the built-in one and an old version of 1P). So it works on Safari, but also other apps that I assume use some standard password field.
Now that you mention it, that would be a fantastic idea; create an extension that exposes some sort of API that the browser can tap into to load suggested credentials for the current domain.
I guess it makes sense, but it's a very very unhelpful suggestion... we're painfully and slowly moving in the direction of teaching users how passwords are less and less useful as long as they are not random, so the ideal alternative is having all random passwords and using a vault that remembers them for us.
But this whole proposition totally breaks if I store my Amazon password in Chrome at work, and then later I cannot access it in Firefox at home, or the native app in my Android phone.
The clipboard is not exactly a secure channel. Browsers need to catch up to mobile and provide dedicated APIs for password managers to hook into so they don’t have to interact with the DOM.