• 0 Posts
  • 6 Comments
Joined 1Y ago
Cake day: Jun 09, 2023


And if you do, do you intentionally not use MFA (if it’s available) because you believe it should be those services making sure you are secure instead of you taking steps to make it harder to compromise your accounts?

Yep. We can discuss me using a second factor once they start designing their services better.

Payment on such sites is set to require approval via my bank (hardware token), I don’t care about the purchase history - so if somebody manages to breach the account and order something it’s entirely their problem, not mine. I’m aware they might close my account when confronted with that attitude, but I’m also fine with that.

so both sides have to take steps to secure a transaction

My passwords are stored locally encrypted, with the encryption key stored in a hardware token. The browser doesn’t have access to that. That’s already more than a lot of sites are doing for their security…

yet the minute you need to use a third party service, you let go and put everything on the service, KNOWING they are not doing a good job with it.

That’s exactly why I treat any 3rd party service as throwaway.


A lot of current “best industry practices” - including the ones described - are grossly negligent. It also moves the burden of proof of responsibility for a security incident more in my direction - while providing me less and less means to prevent it.

With the iframe example - I nowadays typically can’t see if I enter my credentials (including potential 2FA to unlock a session) into a form belonging to my bank, or some malicious 3rd party without going into developer settings. That’s not acceptable.

There’s no good reason for a modern browser to even allow this - just as there’s no good reason for allowing script files to be loaded from arbitrary domains. But we now have the situation where the business model of the main browser developer depends on not stopping that kind of behaviour.

So what I want is that putting design over sensible security choices gets expensive for companies - and I’m not interested in adding some band-aid reducing their risk while this is not the case.

The only online accounts I care about are my bank accounts - for those I’m using hardware dongles for TAN generation instead of the shitty Android app they’re pushing (which would allow transactions without external auth, due to some “trusted device” nonsense). Everything else can either be replaced, or is on my own infrastructure.


Yeah, I assumed you meant the master password to the password manager.

Still, that falls under the duty of the page I’m visiting to keep their stuff secure - and while I’m very unhappy about some recent practices¹ I’m more for documenting and battling it out in court, if necessary.

¹ My browser configuration used to prevent 3rd party iframes or similar constructs for entering passwords - unfortunately in recent years some idiots decided that’s good design, so more and more often you nowadays have to allow embedding third party components without it being visible where it comes from.

Even worse, quite often credit card verification or other payment forms get embedded the same way. Until a few years ago my bank was throwing errors in their forms when they got embedded this way, but unfortunately they caved in to the general idiocy out there, and allow that nowadays.
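As an added example (not part of this thread), a small Node.js audit of a Content-Security-Policy header showing the weak setting that permits the arbitrary-domain scripts and third-party frames discussed above beside a corrected one; the sample policies and the bank.example host are constructed.

```javascript
// Added example: audit a Content-Security-Policy header for the two behaviours
// objected to above: a page that may load scripts from arbitrary domains, or
// embed third-party frames for password / payment entry. Plain Node.js.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Effective sources for a fetch directive, honouring the default-src fallback.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return ['*']; // no directive at all: the browser allows everything
}

// True if any source is a wildcard, a bare scheme, or a host outside firstParty.
function allowsThirdParty(sources, firstParty) {
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s.startsWith("'")) return false; // 'none', 'self', 'nonce-…', 'sha256-…'
    if (s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s)) return true; // "*", "https:"
    const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
    return !firstParty.includes(host);
  });
}

// Report which of the two risks a policy leaves open for a given first party.
function auditCsp(header, firstParty) {
  const policy = parseCsp(header);
  return {
    thirdPartyScripts: allowsThirdParty(effectiveSources(policy, 'script-src'), firstParty),
    thirdPartyFrames: allowsThirdParty(effectiveSources(policy, 'frame-src'), firstParty),
  };
}

// Constructed sample policies for a hypothetical bank at bank.example.
const FIRST_PARTY = ['bank.example'];
const WEAK_CSP = "default-src 'self'; script-src 'self' https:; frame-src *";
const STRICT_CSP = "default-src 'self'; script-src 'self'; frame-src 'self'";

console.log('weak  :', auditCsp(WEAK_CSP, FIRST_PARTY));
console.log('strict:', auditCsp(STRICT_CSP, FIRST_PARTY));
```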


You’re describing a shitty password manager.

In my case I have a local copy of the encrypted password database, and my master password unlocks the encryption key for that, which is stored in a hardware dongle. Browsers and other high risk software are running isolated and have no access to the encrypted password database or the hardware dongle.

I mainly see two factor authentication as a way for service providers to be lazy about account protection on their side, which they try to outsource to me.


Telegram is not Russian. The founder is a Russian - who left Russia about a decade ago after being pushed out of his local Facebook clone (VK) due to not complying with government requests. They nowadays mostly seem to be in Dubai, but as a legal entity they are hard to locate due to a cat and mouse game they’re playing to avoid being reachable for authorities worldwide who want to enforce local laws.


As somebody who still also uses paper maps for hiking: I find Google Maps has got a lot worse over the years, and is pretty much unusable for just looking at maps, while OsmAnd provides easily readable maps.