

Putting autofill aside, there are a couple of other concerns I have.

I still use 1Password, but without the browser extension. Ever since Tavis Ormandy set his sights on password managers, I have been a very sceptical user. (Obviously if you're a political dissident or a target of suspected corporate espionage or something then you'll take greater security precautions like not using a password manager at all for certain accounts - I'm just talking about normal users here.) That being said, the browsers and password managers that require the username and password fields to actually be genuinely visible to the user on top, non-transparent, in the viewport, are doing the right commonsense thing, and really that seems entirely good enough. Asking browsers and password managers not to autofill feels more like security theater at that point. If a site is vulnerable to XSS it's basically game over security-wise. If some site has an XSS vulnerability, then they've already got access to my session cookies, and have the ability to spoof a "you've been logged out, please log back in" screen where people could type in a password anyways. I get that this is a theoretical vulnerability, but there's no way I'm turning off automatic autofill.
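As an added illustration (not the commenter's code and not any real password manager's implementation), here is the "must be genuinely visible to the user" rule from the comment above written out as a check a browser or password manager could run before offering to fill a credential field. The function names (`isAutofillEligible`, `describeField`), the thresholds, and the sample field descriptors are all assumptions constructed for this example; the decision function works on a plain descriptor so it can run outside a browser, and the adapter shows how that descriptor would be built from a live `<input>`.

```javascript
// Added example, not part of the original thread: the "genuinely visible"
// heuristic for autofill, written as a pre-fill check. All names and
// thresholds here are assumptions, not any real product's API.

const MIN_SIZE_PX = 8;     // assumed threshold: 1x1 "pixel" inputs count as hidden
const MIN_OPACITY = 0.5;   // assumed threshold: near-transparent inputs count as hidden

// Decide from a plain descriptor (so this also runs outside a browser).
// Returns { eligible, reasons } where reasons lists every failed criterion,
// which is useful for logging why a fill was refused.
function isAutofillEligible(f) {
  const reasons = [];
  if (f.display === 'none') reasons.push('display:none');
  if (f.visibility !== 'visible') reasons.push('visibility:' + f.visibility);
  if (f.opacity < MIN_OPACITY) reasons.push('effective opacity ' + f.opacity);
  const r = f.rect;
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) reasons.push('too small to see');
  const v = f.viewport;
  const offscreen = r.left >= v.width || r.top >= v.height ||
                    r.left + r.width <= 0 || r.top + r.height <= 0;
  if (offscreen) reasons.push('outside viewport');
  if (f.occluded) reasons.push('covered by another element');
  return { eligible: reasons.length === 0, reasons };
}

// Browser adapter (assumed helper): build the descriptor from a live <input>.
// Opacity is multiplied up the ancestor chain because getComputedStyle reports
// only the element's own opacity, and a parent with opacity:0 hides the field
// just as well. Occlusion is tested by asking which element is topmost at the
// field's centre point; a field under an overlay is not "on top".
function describeField(el) {
  const cs = window.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  let opacity = 1;
  for (let n = el; n; n = n.parentElement) {
    opacity *= parseFloat(window.getComputedStyle(n).opacity);
  }
  const cx = rect.left + rect.width / 2;
  const cy = rect.top + rect.height / 2;
  const top = document.elementFromPoint(cx, cy); // null when the point is off-screen
  return {
    display: cs.display,
    visibility: cs.visibility,
    opacity,
    rect: { left: rect.left, top: rect.top, width: rect.width, height: rect.height },
    viewport: { width: window.innerWidth, height: window.innerHeight },
    occluded: top !== null && top !== el && !el.contains(top),
  };
}

// Constructed sample descriptors (no real page): a normal login field, and the
// kind of field a manager should refuse to fill because no user could see it:
// parked far off-screen, nearly transparent and one pixel in size.
const SAMPLE_VISIBLE_FIELD = {
  display: 'block', visibility: 'visible', opacity: 1,
  rect: { left: 120, top: 240, width: 260, height: 36 },
  viewport: { width: 1280, height: 800 }, occluded: false,
};
const SAMPLE_HIDDEN_FIELD = {
  display: 'block', visibility: 'visible', opacity: 0.01,
  rect: { left: -5000, top: 0, width: 1, height: 1 },
  viewport: { width: 1280, height: 800 }, occluded: false,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(isAutofillEligible(SAMPLE_VISIBLE_FIELD));
  console.log(isAutofillEligible(SAMPLE_HIDDEN_FIELD));
}
```

The point of returning the full reasons list rather than a bare boolean is operational: a manager that logs "refused to fill: outside viewport, effective opacity 0.01" gives the user and the site owner something to act on, whereas a silent refusal looks like a bug. Run with `node` to see both decisions; in a page, `isAutofillEligible(describeField(input))` gives the same answer for a real element.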
