Affiliate links present. Disclosure
Phishing and password managers — what they protect and what they don't
What makes this confusing
Password managers are frequently recommended as phishing protection. The recommendation has real substance: a password manager that autofills only on an exact URL match will not offer your banking credentials on bank-of-america-secure-login.evil.com, even if a human eye might not immediately spot the mismatch. This is a genuine anti-phishing benefit that human memory cannot provide: a person types the password wherever the page looks right, while the manager compares the domain character by character.
But password managers are not phishing-proof. They protect you from one specific failure mode: entering real credentials on a convincing lookalike domain. They do not protect you from a phishing page served from a legitimate domain, from phishing that doesn't target passwords at all, or from social engineering that bypasses the login form entirely.
Understanding where a password manager helps and where it doesn't changes how you use it. Trusting autofill over your own judgment is the right approach for domain-substitution phishing. It is not the right approach for everything that looks like a login form.
What people usually assume
The assumption 'my password manager will warn me if a site is fake' overstates the protection. Password managers warn by not autofilling — the absence of an autofill prompt is the signal. Users who have grown accustomed to autofill sometimes override this signal by manually looking up the credential in the vault and pasting it. The protection is only as good as the user's willingness to treat 'no autofill' as a stop signal rather than an inconvenience to work around.
A second assumption is that HTTPS certificates validate site authenticity. A phishing site can and commonly does have a valid HTTPS certificate. Certificates are issued automatically to whoever controls a domain name, so the attacker gets one for the lookalike as easily as the bank gets one for the real site. The padlock in the browser address bar confirms that the connection is encrypted; it does not confirm that the site is operated by who you think it is. The domain in the address bar is the correct thing to verify, not the padlock's presence.
A third assumption is that phishing is always about stealing passwords. Many contemporary phishing campaigns target session tokens, MFA codes, or OAuth authorisation flows rather than username/password pairs directly. Adversary-in-the-middle (AiTM) phishing, in which the attacker proxies the real login page and captures the resulting session cookie along with whatever the user types, is not defended against by domain-matching autofill. A password manager correctly not autofilling on a lookalike domain does not stop a user from typing the password by hand and then entering a one-time code, after which the attacker's proxy holds a fully authenticated session.
What's actually true
Password managers provide reliable protection against one specific phishing pattern: sites that use lookalike domains to trick users into entering real credentials. Domains such as bank-0famerica.com, paypa1.com, and amazon-secure-signin.net will not trigger autofill if your real bank or retailer credential is saved under the correct domain. This protection works without user judgment and is consistently reliable, as long as the entry was saved against the real login domain and the user does not copy the password out of the vault by hand when no autofill appears.
Password managers do not provide meaningful protection against: social engineering attacks that don't involve a login form; MFA prompt bombing, where an attacker with stolen credentials triggers repeated authentication requests hoping the user approves one; AiTM phishing that captures session tokens; or phishing pages served from the real domain, via a subdomain takeover or a compromised legitimate site (a manager set to match on the base domain rather than the exact host will fill on any subdomain of it). These are distinct attack vectors that require different defences.
The strongest phishing protection combines password managers (for credential autofill on correct domains) with hardware security keys and scepticism about any unsolicited communication requesting action. A FIDO2 key's response is bound to the origin the browser reports: a lookalike domain cannot even request the real site's credential, and a response signed for paypa1.com is rejected by paypal.com. So even if the user types a password on the lookalike site, the attacker cannot complete the login. Hardware keys are the layer that addresses what autofill domain-matching cannot.
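The domain-matching decision the two paragraphs above describe, as an added example (not code from Softplorer or from any password manager): a strict exact-host matcher beside the looser base-domain matcher some managers offer, run over the real login, the lookalike domains named in the guide, and a hypothetical taken-over subdomain of the real site. The vault entries, the page URLs and the subdomain name are constructed for the example, and the two-label approximation of the registrable domain is an assumption that stands in for a Public Suffix List lookup.

```javascript
// Added example, not code from Softplorer or from any password manager.
// Models the autofill decision a manager makes from the page URL and shows
// why lookalike domains never qualify. Vault entries and page URLs are constructed.

// Constructed vault: each entry remembers the origin it was saved on.
const VAULT = [
  { name: "Bank of America", origin: "https://www.bankofamerica.com", username: "alice" },
  { name: "PayPal", origin: "https://www.paypal.com", username: "alice@example.com" },
  { name: "Amazon", origin: "https://www.amazon.com", username: "alice@example.com" },
];

// Two-label approximation of the registrable domain (eTLD+1). Real managers
// consult the Public Suffix List; assumption here: plain TLDs such as .com.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Strict mode: scheme and full hostname must equal the saved origin.
function matchesExactHost(savedOrigin, pageUrl) {
  const saved = new URL(savedOrigin);
  const page = new URL(pageUrl);
  return saved.protocol === page.protocol && saved.hostname === page.hostname;
}

// Looser mode some managers offer: any HTTPS host under the same registrable
// domain. Convenient, but a taken-over subdomain of the real site now qualifies.
function matchesBaseDomain(savedOrigin, pageUrl) {
  const saved = new URL(savedOrigin);
  const page = new URL(pageUrl);
  return page.protocol === "https:" &&
    registrableDomain(saved.hostname) === registrableDomain(page.hostname);
}

// Names of the vault entries the manager would offer on pageUrl.
// An empty list is the "no autofill" stop signal described in the guide.
function autofillCandidates(pageUrl, mode = "exact") {
  const matches = mode === "base" ? matchesBaseDomain : matchesExactHost;
  return VAULT.filter((entry) => matches(entry.origin, pageUrl)).map((entry) => entry.name);
}

// Constructed pages: the real login, the lookalikes named in the guide, a
// plain-HTTP copy of the real host, and a hypothetical hijacked subdomain.
const PAGES = [
  "https://www.bankofamerica.com/login",
  "https://bank-of-america-secure-login.evil.com/login",
  "https://bank-0famerica.com/login",
  "https://paypa1.com/signin",
  "https://amazon-secure-signin.net/ap/signin",
  "http://www.bankofamerica.com/login",
  "https://stale-marketing.bankofamerica.com/login",
];

for (const page of PAGES) {
  console.log(page.padEnd(52),
    "exact:", JSON.stringify(autofillCandidates(page, "exact")),
    "base:", JSON.stringify(autofillCandidates(page, "base")));
}
```

Every lookalike gets an empty list in both modes, because the comparison is on the parsed hostname rather than on what the page looks like. The hijacked subdomain is where the modes diverge: exact-host matching stays silent, base-domain matching offers the real credential, which is the subdomain-takeover case the guide lists as outside the protection.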
Where this leads
If phishing protection is a primary motivation for adopting a password manager, the autofill domain-matching benefit is real and present in all providers. The question is which additional layers matter most for your threat model.
Hardware security keys — the layer that autofill cannot provide
If you want FIDO2 hardware key support alongside a password manager: Bitwarden, Keeper, NordPass, and Proton Pass all support FIDO2 keys on paid plans. Keeper has the broadest enterprise hardware key integration.
Password managers with hardware key support
Limits of this guide
Phishing techniques evolve. The autofill protection described here addresses domain-based phishing; browser isolation, content filtering, and security awareness training address a broader set of social engineering attacks. Password managers are one layer, not a complete anti-phishing solution.
© 2026 Softplorer