>Are we really running URL-unaware password managers in the year 2026?
URL-aware browser plugins for autofilling passwords can also make people _more_ susceptible to phishing.
Password manager plugins sometimes not working correctly changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled become normal and expected for legitimate websites. If that happens enough, it inadvertently trains sophisticated computer-literate users to lower their guard when encountering true phishing websites in the future. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643
Password browser plugins being imperfect can simultaneously increase AND decrease security because of interactions with human psychology.
Even if autofill breaks, the moment it does, if you're security aware, is to actually read the URL you're at, not start copy-pasting like it's the wild west.
> autofilling passwords can also make people _more_ susceptible to phishing
No, it doesn't. What it does, is generally make people _less_ susceptible to phishing, but the moment you stop paying attention when autofill breaks, is the moment you can STILL get phished. But in 90% of the cases, the autofill will HELP you avoid getting phished.
What an absolutely bananas thing to say, that autofilling passwords make people more susceptible to phishing, completely wrong and borderline harmful to spread things like this.
It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)
> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero
The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.
That's not a "hijack of autofill", it's an "attacker can put whatever they want in the frontend", and nothing will protect users against that.
And even if that is a potential issue, using it as an argument why someone shouldn't use a password manager, feels like completely missing the larger picture here.
I never said someone should not use a password manager.
I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.
The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.
I don't think your other comment supports your assertion. I've experienced Bitwarden failing to auto-fill due to quirks on websites, but I've never seen it fail to identify the domain correctly.
You link to Bitwarden's issues mentioning autofill and while it's true that autofill might break, if you click on the extension icon it's going to present you with a list of credentials for the current domain and give you options to quickly copy the username and password to your clipboard.
If that list is empty then I'm immediately put on high alert for phishing, but so far it's always been due to the website changing its URL/domain. I retrace my steps, make sure I'm on the right domain, then I have to explicitly search for the old entry and update it with the new URL.
That said, I've seen people do: Empty account list -> The darn password manager is misbehaving again -> Search and copy the password. I wouldn't consider those people to be sophisticated users since they're misunderstanding and defying the safety mechanisms.
Wrong. If my password manager doesn't auto-fill I'm immediately far more wary. If I didn't have any URL matching in the password manager then I would very quickly stop paying close enough attention to the URL because I'd have to do it too frequently.
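The domain check this thread keeps returning to, as an added example that is not part of any comment above and not code from Bitwarden or any other password manager: a lookup that offers saved credentials only when the page's host matches the host the entry was saved for, so a lookalike page gets an empty list. The vault entries, hostnames and function names are constructed for illustration, and the parent-host rule is a simplification (real managers typically derive the registrable domain from the Public Suffix List).

```javascript
// Added illustration; not code from any password manager.
// Constructed vault: each entry remembers the host it was saved for.
const vault = [
  { host: "example-bank.test", username: "alice" },
  { host: "mail.example.test", username: "alice@example.test" },
];

// Return the entries whose saved host equals the page host, or is a parent
// of it on a label boundary. Simplified rule (assumption): no Public Suffix
// List lookup is done here.
function credentialsFor(pageUrl, entries) {
  let url;
  try {
    url = new URL(pageUrl); // the parsed host decides, not the visible text
  } catch {
    return []; // unparseable address: offer nothing
  }
  if (url.protocol !== "https:") return []; // never offer over plain HTTP
  const host = url.hostname.toLowerCase();
  return entries.filter(
    (e) => host === e.host || host.endsWith("." + e.host)
  );
}

// An empty list is the signal discussed in the thread: stop and read the URL
// instead of searching the vault and copy-pasting.
function decide(pageUrl, entries) {
  const matches = credentialsFor(pageUrl, entries);
  return matches.length > 0
    ? { action: "offer", usernames: matches.map((m) => m.username) }
    : { action: "stop-and-check-url", usernames: [] };
}

// Constructed sample pages: one legitimate, the rest lookalikes.
const samples = [
  "https://example-bank.test/login",          // saved host
  "https://login.example-bank.test/",         // subdomain of saved host
  "https://example-bank.test.evil.test/",     // saved name used as a prefix
  "https://examp1e-bank.test/login",          // digit swapped for a letter
  "https://example-bank.test@evil.test/",     // saved name in userinfo
  "http://example-bank.test/login",           // right host, no TLS
];
for (const s of samples) {
  console.log(s, "->", decide(s, vault).action);
}
```

Manually searching the vault and copying the password, as described in the comments above, bypasses exactly this check.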
>For some people, their work/job is just such a big part of their identity, that for them this is a problem.
That's only 1/2 of the dynamic. People also like to assign an identity to others.
For example, if I say, "I'm semi-retired." ... the follow-up question is always "Oh, so what did you do before that?" ... which is polite coded-speak for, "Did you inherit money or what work did you do for money that put you in the position to do that?"
People are naturally curious about your rough level of success, wealth, expertise, etc. Having a "no identity" stance isn't really a satisfactory answer for many listeners. They want to know more.
EDIT to replies: I do understand the harmless "small talk" aspect. I should've added more to re-emphasize the "people assigning identity" aspect.
Once I reply to the followup question with "Oh, I used to do consulting for finance" what then happens is others then introduce me as "And this is jasode -- he was a consultant for X". My ex-consultant life that I last did over 15 years ago is now part of a tagline/subheading associated with my name even though I never intended it.
The point is other people have this irresistible urge to "fill in the blank" with an identity -- especially an identity that is tied to how one earned money. I'm not complaining about this and it's just an observation of what humans naturally do.
It's also a low risk topic that can generate lots of follow up questions. It's regular small talk. Also, people here seem to downplay it, but doesn't it tell you a lot about a person what they do roughly half of their waking time? What they chose to do with their life? Sure, you're not your job or your career, but it's also a very normal part about getting to know someone and I'm not sure equating it to some way of gauging success levels is necessarily the right way to think about it.
>It's regular small talk. Also, people here seem to downplay it, but doesn't it tell you a lot about a person what they do roughly half of their waking time? What they chose to do with their life?
Having a natural ebb & flow to conversation is all true but that's not the issue. Let me restate it differently.
It's ok and natural to ask what people do/did for work. It's also natural to respond and share what was a significant aspect of their life.
The meta-observation is: others then like to compress whatever life narrative they hear into a "shorthand" or "identity" -- even if the recipient never intended it to be his/her identity. Several parent comments mention "their work being their identity is the problem". My point is that the identity we get tagged with is often outside of our control and we didn't create the problem of work being our identity.
My neighbors know me as the "ex-consultant". For that identity to change, I'd have to do something new that was significant enough to override that ... such as... get into another career, open a restaurant, become founder of a startup, etc.
How does one have "no identity related to their job"? Sometimes you can't unless one wants to be evasive about what one does to earn money.
> My neighbors know me as the "ex-consultant" … How does one have "no identity related to their job"?
The obvious answer is to have some other identifier that supersedes the job. Do you have some other interest or hobby that you spend your time doing? That you talk about all the time?
People get associated with their job because it’s probably the thing they spend the most time on and it’s also a common topic of conversation. If every time someone asked you about your job you said, “it’s good” and steered the conversation into a story about your latest epic ski trip, you’d probably be the “guy who skis” instead of the “ex-consultant”.
Situations like this work as a filter of sorts (If you’re so obsessed with measuring relative status/prestige that you want to reduce me to a job title, we’re probably not going to be friends?).
The fact that you’re neighbors with these people changes things. Maybe it’s a wedge into a Socratic discussion about how work isn’t and has never been your identity, where you come to some new and better mutual understanding.
But yeah it’s challenging. If people are so accustomed to viewing about themselves and others thru the conventional status/hierarchical lens… sometimes they can’t understand that it’s a lens and not reality.
You can often politely dodge probing questions about your employment. When someone, for the purpose of small talk, asks me what I do for a living I just say I'm an exotic dancer or a runway model. It's funny and breaks the ice a little. Then I'll ask them about their watch or something. If they insist "no, really, what do you do for a living??" I'll politely say I work with computers and again try to move on. Very rarely I'll get someone who won't drop it "come on, WHAT COMPANY???" and at that point I know they're really not interested in talking--they just want to stack rank me in terms of importance or salary or whatever and I politely dip.
In modern life, yes. I wonder if it was such a low risk topic as we moved towards the past? For example the fear of the stranger is something that is very common in past writing across a number of cultures. If you met a stranger and they said they were a soldier it would have different ramifications than if they said they were a baker. Also in smaller social groups that required the work of everyone to survive it was a way of measuring the resources available in said group.
It is not just about assigning identity to others.
I am probing for topics of mutual interest, or topics that make other people passionate, to learn more about them generally.
In some people, this is completely orthogonal to their careers, but most of the time, there is an overlap. Like, I haven't yet met a railway engineer who wasn't a raging railway nerd at the same time.
> People are naturally curious about your rough level of success, wealth, expertise, etc.
I definitely find this more true in some cultures. e.g. silicon valley, it seems people want to know where you're at on the "hierarchy". Many parts of Asia too, you get treated differently if you're a low level worker, regular worker, executive etc.
The repo should mention a warning about usage. Be aware that downloading large playlists with lots of videos from Youtube can get your ip address throttled/banned. The ban could last a week or a month.
It's also not a good idea to use "--cookies" unless you absolutely have to. Just leave out the cookies option and try to dl anonymously. Only when Youtube forces your ip address to "sign in" is it necessary to pass in cookies.
Exactly. There’s been account ban reports from it too. I'd be very careful if it’s your normal google account that’s tied to YouTube. Always use a burner account when using the cookies param to be safe.
EDIT add: A lot of home users also like Ubiquiti ecosystem for local recording security cameras without a cloud subscription. Another competitor like Reolink with local capability also doesn't support IPv6: https://support.reolink.com/hc/en-us/articles/900000645446-D...
The practical home usage of deploying IPv6 depends on combination of the ISP, the devices you want to use, software stack, etc.
He recently passed away a few months ago in August 2025. That's one of the few HN threads I bookmarked because he had a contrarian opinion that I agreed with.
Thanks for the link, that was illuminating, and it confirms feelings I expressed in reply to a sibling comment above. I find both TFA and "The Deathbed Fallacy" glibly dismissive and ultimately misguided.
The submitted title is missing the salient keyword "finally" that motivates the blog post. The actual subtitle Raymond Chen wrote is: "C++ says “We have try…finally at home.”"
In other words, Raymond is saying... "We already have Java feature of 'finally' at home in the C++ refrigerator and it's called 'destructor'"
To continue the meme analogy, the kid's idea of <X> doesn't match mom's idea of <X> and disagrees that they're equivalent. E.g. "Mom, can we order pizza? No, we have leftover casserole in the fridge."
So some kids would complain that C++ destructors RAII philosophy require creating a whole "class X{public:~X()}" which is sometimes inconvenient so it doesn't exactly equal "finally".
> So some kids would complain that C++ destructors RAII philosophy require creating a whole "class X{public:~X()}" which is sometimes inconvenient so it doesn't exactly equal "finally".
Those figurative kids would be stuck in a mental model where they try to shoehorn their ${LanguageA} idioms onto applications written in ${LanguageB}. As the article says, C++ has destructors since the "C with Classes" days. Complaining that you might need to write a class is specious reasoning because if you have a resource worth managing, you already use RAII to manage it. And RAII is one of the most fundamental and defining features of C++.
It all boils down to whether one knows what they are doing, or even bothers to know what they are doing.
> Ok, but sometimes you just need a single line in a finally and writing a class is more annoying
I don't think you understand.
If you need to run cleanup code whenever you need to destroy a resource, there is already a special member function designed to handle that: the destructor. Read up on RAII.
If somehow you failed to understand RAII and basic resource management, you can still use one-liners. Read up on scope guard.
If you are too lazy to learn about RAII and too lazy to implement a basic scope guard, you can use one of the many scope guard implementations around. Even Boost has those.
So, unless you are lazy and want to keep mindlessly writing Java in ${LANGUAGE} regardless of whether it makes sense or not, there is absolutely no reason at all to use finally in C++.
Slightly more than that: If you need to run cleanup code, whatever needs cleaned up should be a class and do the cleanup in the destructor.
Take a file handle, for instance. Don't use open() or fopen() and then try to close it in a finally. Instead, use a file class and let it close itself by going out of scope.
Yeah it's a huge mistake IMO. I see it fucking up titles so frequently, and it flies in the face of the "do not editorialise titles" rule:
[...] please use the original title, unless it is misleading or linkbait; don't editorialize.
It is much worse, I think, to regularly drastically change the meaning of a title automatically until a moderator happens to notice to change it back, than to allow the occasional somewhat exaggerated original post title.
As it stands, the HN title suggests that Raymond thinks the C++ 'try' keyword is a poor imitation of some other language's 'try'. In reality, the post is about a way to mimic Java's 'finally' in C++, which the original title clearly (if humorously) encapsulates. Raymond's words have been misrepresented here for over 4 hours at this point. I do not understand how this is an acceptable trade-off.
Submissions with titles that undergo this treatment should get a separate screen where both titles are proposed, and the ultimate choice belongs to the submitter.
Personally, I would rather we have a lower bar for killing submissions quickly with maybe five or ten flags and less automated editorializing of titles.
While I disagree with you that it's "a huge mistake" (I think it works fine in 95% of cases), it strikes me that this sort of semantic textual substitution is a perfect task for an LLM. Why not just ask a cheap LLM to de-sensationalize any post which hits more than 50 points or so?
A better approach would be to not so aggressively modify headlines.
Relying on somebody to detect the error, email the mods (significant friction), and then hope the mods act (after discussion has already been skewed) is not really a great solution.
It has been up with the incorrect title for over 7 hours now. That's most of the Hacker News front-page lifecycle. The system for correcting bad automatic editorialisation clearly isn't working well enough.
Oh, come on man! These are trivial bugs. Whoever noticed it first should have sent the email to the mods. I did it before i posted my previous comment and i now see that the title has been changed appropriately.
Presumably nobody informed the mods (before i did) and it was very early in the morning in the US (assuming mods are based in the US). That would explain the delay.
Anyway, going forward, if anything like this happens again folks should simply shoot an email immediately to the mods and if the topic is really interesting deserving of more discussion they can always request the mods to keep the post on the frontpage for a longer time period via second-chance pool etc.
It just takes a minute or two of one's time and hence not worth getting het up over.
It would be easier for everyone involved, and not depend on mods being awake, if HN didn't just automatically drastically change the meaning of headlines.
Again, this post was misrepresenting Raymond's words for over 7 hours. That's most of its time on the front page. The current system doesn't work.
This is the first time i have seen the auto-editorializing algorithm make a mess of the semantic meaning of a sentence which is certainly unfortunate. In most other cases (which are quite rare btw) it is generally much more benign. I presume the mods will be taking another look at their algorithm.
However, given the ways people try to influence the content on HN via title, language, brigading etc. it is good that the algorithm be strict rather than loose to prevent casual gaming of the system. And it works quite well contrary to your claim.
It's rare to see the mangling heuristics improve a title these days. There was a specific type of clickbait title that was overused at the time, so a rule was created. And now that the original problem has passed, we're stuck with it.
I intentionally shortened the title because there is a length limit. Perhaps I didn't do it the right way because I was unfamiliar with the mentioned meme. Sorry about that.
I'm curious about the actual origin now, given that a quick search shows only vague references or claim it is recent, but this meme is present in Eddie Murphy's "Raw" from 1987, so it is at least that old.
Edit: A deep research run by Gemini 3.0 Pro says the origin is likely to be stand-up comedy routines between 1983–1987 and particularly mentions Eddie Murphy, and the 1983 socioeconomic precursor "You ain't got no McDonald's money" in Delirious (1983) culminating in the meme in Raw (1987). So Eddie might very well be the original origin.