
Why Your Strongest Password Still Can't Survive a Phishing Attack

Password strength is irrelevant the moment you type it into a fake page. Here's how modern phishing kits and reverse-proxy attacks defeat even password managers and 2FA, and why passkeys are phishing-proof by design.

A fishing hook resting on a computer keyboard

A guy I used to work with had a password I genuinely admired. Twenty-six characters, mixed case, three symbols, no dictionary words, rotated every ninety days like clockwork. He'd recite its entropy at parties the way other people brag about their deadlift. And one grey Tuesday he typed all twenty-six glorious characters into a login page that was not, in fact, his bank. It looked exactly like his bank. It had the padlock. It had the logo. It just wasn't his bank, and within four minutes someone in a different timezone was wiring his savings somewhere warmer. His password was perfect. It didn't matter even slightly.

This is the part of security nobody wants printed on the box. We spent two decades drilling people on password strength as if the strength of the password were the thing being attacked. It almost never is. Nobody is sitting in a basement guessing your password one character at a time while a progress bar fills up. That's a movie. In real life the attacker just asks you for it, very politely, on a page that looks legitimate, and you hand it over because you're a busy human and the page looked right. The strongest password in the world and the worst password in the world arrive at the attacker's server in exactly the same condition: typed, complete, and useless to you forever.

Phishing doesn't crack your password. It collects it.

Let's be precise about what's actually happening, because the mental model most people carry is wrong in a way that gets them robbed. When we say a password got "hacked," we picture brute force. But phishing isn't an attack on your password's complexity, it's an attack on your judgment, and your judgment is a far softer target than any string of characters. A phishing page doesn't need to defeat your password. It needs you to type it. From the attacker's perspective, your beautiful 26-character monster and the word "password1" are identical inputs into the same text box. The strength rating that your browser cheerfully showed you when you set it up is completely irrelevant the moment the destination is a lie.

And the lures have gotten good. Forget the Nigerian-prince emails with the spelling of a ransom note. Modern phishing arrives as a calm, well-designed message about a delivery you're actually expecting, or a payroll update, or a "we noticed a new sign-in" alert that triggers exactly the anxiety it's engineered to trigger. The link goes to a domain that's one Unicode character off, or a lookalike subdomain, or a freshly-registered name that won't trip any blocklist because it's six minutes old. You're not stupid for clicking. You're busy, the page is convincing, and the entire industry that builds these kits is specifically funded to beat the part of your brain that's paying attention. I've fallen for a test phish myself, while building an identity company, at 11pm, because I was tired and it mentioned an invoice. Tiredness has a 100% success rate against vigilance.

A laptop showing a login form in a dim room
The fake page and the real page look the same to you. They look very different to your passkey.

The reverse-proxy trick that eats your 2FA too

Here's where it gets genuinely nasty, and where a lot of "but I have two-factor!" confidence quietly dies. The newer phishing kits don't just show you a static fake page and harvest what you type. They run what's called an adversary-in-the-middle attack, AiTM for short. The fake site is a live reverse proxy. When you type your username, it forwards it to the real site in real time. The real site sends back a real password prompt, the proxy relays it to you, you type your real password, and the proxy passes it straight through. The real site, satisfied, asks for your one-time code. You read it off your authenticator app, you type it in, the proxy forwards that too. Everything works. You actually log in. You see your real account.

The catch is that the proxy was sitting in the middle the entire time, and the thing it really wanted wasn't your password or even your code. It wanted the session cookie the real site hands out after a successful login. That cookie is a backstage pass. Once the attacker has it, they don't need your password again, they don't need your code again, they can just be you for as long as that session lasts. This is why "I'd notice" doesn't save you. The login was real. The 2FA was real. You were the man in the middle's customer the whole time and the transaction looked perfectly normal from where you sat.

Notice what just happened to all our advice. Strong password? Forwarded. Authenticator code? Forwarded. Password manager? It might've helped, if it refused to autofill on the wrong domain, and a good one does. But people get conditioned. When the manager doesn't offer to fill, plenty of users just shrug, copy the password out manually, and paste it into the fake box themselves. The one piece of friction that could've saved them gets treated as a bug. I've watched it happen. We are remarkably good at defeating our own defenses when they're slightly inconvenient.
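As an added example (not Paswad's code, and not any particular password manager's implementation), this is the origin comparison a manager makes before it offers to fill a saved credential, run over the lure shapes described above: a lookalike domain, a lookalike subdomain, a host with one Unicode character swapped, and a downgrade to plain http. The domain names are made up.

```javascript
// Added example, not Paswad's code and not a specific password manager's logic:
// the origin check performed before autofill. Domain names are made up.

// Canonical form of an origin: scheme, host as the URL parser normalises it
// (lower-cased, non-ASCII labels converted to punycode) and any explicit port.
function canonicalOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

// Policy: fill only over https and only when the current origin is exactly the
// origin the credential was saved for. Parent and child subdomains do not count,
// so "bank.example.attacker.net" cannot borrow the credential for "bank.example".
function shouldAutofill(savedUrl, currentUrl) {
  let saved, current;
  try {
    saved = canonicalOrigin(savedUrl);
    current = canonicalOrigin(currentUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
  if (!current.startsWith("https://")) return { fill: false, reason: "not https" };
  if (current !== saved) return { fill: false, reason: "origin mismatch: " + current };
  return { fill: true, reason: "exact origin match" };
}

// Constructed cases: the saved entry plus the lure shapes the article describes.
const SAVED = "https://bank.example/login";
const CASES = {
  realSite: "https://bank.example/account/login?return=/statements",
  lookalikeDomain: "https://bank-example.com/login",
  lookalikeSubdomain: "https://bank.example.attacker.net/login",
  homoglyph: "https://b\u0430nk.example/login", // Cyrillic 'а' where Latin 'a' belongs
  plainHttp: "http://bank.example/login",
};

function runCases() {
  const out = {};
  for (const [name, url] of Object.entries(CASES)) out[name] = shouldAutofill(SAVED, url);
  return out;
}

console.log(runCases());
```

Only `realSite` is filled. The homoglyph host never compares equal to `bank.example` because the URL parser either converts it to its punycode form or rejects it outright, and both outcomes mean no fill; that silent refusal is the "information, not an error" the rest of this piece asks you to respect.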

Why passkeys can't be phished, and I don't mean "are hard to phish"

This is the part that took me a while to fully believe, because "phishing-proof" sounds like marketing and I've shipped enough marketing to be suspicious of it. But the phishing resistance of passkeys isn't a policy or a warning or a clever heuristic that guesses whether a page looks dodgy. It's baked into the cryptography, and it's the reason I bet a company on this. A passkey is a pair of keys: a private one that never leaves your device, and a public one the website stores. When you log in, the site sends a challenge, your device signs it with the private key, and the site verifies the signature with the public key. Nothing reusable ever crosses the wire. There's no secret to type, so there's no secret to hand over.

And here's the piece that kills phishing dead: the signature is cryptographically bound to the domain that requested it. When you create a passkey, it is stored under the site's identity (in WebAuthn terms the relying party ID, which is the site's domain), and at login the browser will only let a page request a signature from a passkey that belongs to the domain the page is actually being served from. So when you land on a pixel-perfect clone at a lookalike domain, your device doesn't get fooled by the logo or the padlock or the panic in the email, because your device isn't reading any of that. It checks the actual origin, sees it doesn't match the passkey, and simply won't sign. There's no prompt to override, no "are you sure," no manual copy-paste escape hatch. The fake site asks for a signature and gets nothing, because the math refuses. The signed response also carries the origin the browser saw and the one-time challenge the real site issued, so the server checks both as well, and a response produced for the wrong origin or replayed later fails verification there too. The reverse-proxy trick falls apart for the same reason: the proxy is on the wrong domain, so the passkey won't produce a signature for it, and there's no reusable cookie-grab to fall back on because the login never completes. This is the model we built Paswad on, and it's why I sleep better than I used to.

A cat with the caption nope
Your passkey's response to a fake login page. No drama. Just no.

I want to be honest that this isn't magic and passkeys don't make you invincible. Social engineering still exists, recovery flows can be attacked, and an account that still accepts a password or SMS code as a fallback can simply be phished for that instead, so the fallback matters as much as the passkey. A determined adversary can also come at your accounts from angles that have nothing to do with login. But the single most common, most scalable, most lucrative attack on the internet, the one where someone tricks you into typing a credential into a page that isn't real, that attack stops working. Not "becomes harder." Stops. You can't phish a secret that was never typed and can't be replayed on the wrong domain. After years of telling people to make longer passwords, it turns out the winning move was to stop having a thing worth stealing in the first place.

So what do you actually do about it

If you take nothing else from this: password strength is not your defense against the attack most likely to hit you, so stop treating the strength meter as a security score. Turn on passkeys wherever a service offers them, especially for the accounts that gate everything else, your email and your password manager first, because those are the master keys to your whole life. Keep using a password manager for the long tail of sites that haven't caught up yet, and actually respect it when it refuses to autofill on a domain, because that refusal is information, not an error. And the next time an "urgent security alert" wants you to log in right now, breathe, and go to the site yourself instead of through the link. Your tired 11pm brain will thank your slightly-less-tired self.

FAQ

If my password is long and unique, am I safe from phishing?

No. Phishing doesn't crack your password, it collects it. A 26-character password and "password1" land in the attacker's hands in exactly the same way once you type either into a fake page. Length and uniqueness protect you against guessing and database leaks, which matter, but they do nothing against a convincing fake login page.

Doesn't two-factor authentication stop phishing?

It raises the bar but it doesn't close the door. Adversary-in-the-middle phishing kits run as live reverse proxies that relay your password and your one-time code to the real site in real time, then steal the session cookie. SMS codes, app-generated codes and push approvals can all be forwarded this way, because in each case you are completing a real login that the proxy is sitting inside. Phishing-resistant methods like passkeys are the exception because they're bound to the domain.

Why can't a fake site just steal my passkey the way it steals a password?

Because there's nothing transferable to steal. Your passkey's private key never leaves your device, and the login works by signing a one-time challenge rather than sending a secret. The signature is bound to the legitimate domain, so on a lookalike site your device simply refuses to sign. No secret crosses the wire, so there's nothing to harvest.

Should I still use a password manager if I'm switching to passkeys?

Yes, for now. Most password managers also store and sync passkeys, and plenty of sites still only support passwords, so you'll live in a mixed world for a while. The manager's habit of refusing to autofill on the wrong domain is also a genuine phishing safeguard, as long as you don't override it by copying and pasting manually.