
Absolutely. Which is why I think we still have a lot of work ahead of us, making users actually check the domain name, and the validated identity (for EV certs).



Having them use a password manager is a better approach. Checking the domain name is weak to keming probiems.


...and password managers are weak to lots of problems [1], the least of which is malware stealing your password container plus the master key [2].

I'm still leaning towards the password manager side of the dilemma, but the situation isn't great on either.

[1] https://twitter.com/taviso/status/769378052254015488

[2] http://arstechnica.com/security/2014/11/citadel-attackers-ai...



