Check my reasoning


Alan Karp

Dec 23, 2025, 2:10:32 PM
to <friam@googlegroups.com>
Related to security but not capabilities, so feel free to skip.

One of the sites I use to test SitePassword puts the login form in a popup page.  I believe my approach, described below, avoids a potential phishing attack.  Am I right?

--------------
Alan Karp

---------------------------

Creating an account at semanticscholar.org illustrates another of SitePassword’s anti-phishing features.  When you sign up with email, the page opens a popup window with just an address bar.  These popups are often used in browser-in-the-browser phishing attacks.  

Extension icons don’t show up in such windows, preventing password managers from filling in the password.  Bitwarden, for example, tells you to paste your password into the form, which sends your password to the adversary.

SitePassword takes a different approach.  When it detects a popup page with a password field, it tells you to paste the URL into a new tab.  If you are tricked into using the fake URL provided by the attacker, you will open the site’s actual page.  If you use the URL of the phishing site, you will get the SitePassword phishing warning.  In either case, your password is safe.
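
The decision flow described in the message above, as an added example that is not part of the original post and is not SitePassword's code. All function names are hypothetical, the phishing warning is modeled as a hostname mismatch against the host remembered for the account (an assumption about how the warning is triggered), and the sample URLs and stub objects are constructed.

```javascript
// Added illustration, not SitePassword's code; all names are hypothetical.

// Browsers report BarProp.visible === false for script-opened popup windows,
// the same windows in which extension icons are not shown.
function isPopupWindow(win) {
  return !win.toolbar.visible;
}

function hasPasswordField(doc) {
  return doc.querySelector('input[type="password"]') !== null;
}

// Step 1: in a popup with a password field, never fill or suggest pasting the
// password; ask for the URL to be pasted into a new tab instead.
function adviceForPage(win, doc) {
  if (!hasPasswordField(doc)) return "nothing-to-do";
  return isPopupWindow(win) ? "paste-url-into-new-tab" : "fill-normally";
}

// Step 2, in the new tab. Assumption: the warning fires when the tab's host
// differs from the host remembered for the account.
function outcomeInNewTab(pastedUrl, rememberedHost) {
  let host;
  try {
    host = new URL(pastedUrl).hostname.toLowerCase();
  } catch {
    return "invalid-url"; // nothing to open, so nothing is filled
  }
  return host === rememberedHost.toLowerCase() ? "real-site" : "phishing-warning";
}

// Constructed sample inputs (stubs standing in for window and document).
const popupWin = { toolbar: { visible: false } };
const tabWin = { toolbar: { visible: true } };
const loginDoc = { querySelector: (sel) => (sel === 'input[type="password"]' ? {} : null) };
const plainDoc = { querySelector: () => null };
const rememberedHost = "www.semanticscholar.org";
// URL a drawn (fake) address bar would display: pasting it opens the real site.
const displayedUrl = "https://www.semanticscholar.org/sign-in";
// Constructed stand-in for the URL of a look-alike page.
const lookAlikeUrl = "https://semanticscholar.example/sign-in";
```

In both new-tab outcomes the password is only ever offered to a page whose host matches the remembered one, which is the property the message argues for.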
