Does a domain-bound password also protect against phishing and AiTM?

About
Resource
Improve
Does a domain-bound password also protect against phishing and AiTM?
Phishing and AiTM attacks succeed because a stolen password also works on the legitimate website. MindYourPass calculates the password based on the registered domain, ensuring that phishing sites automatically receive a different password. This prevents a successful login and, consequently, a hijackable session.
Rick Swinkels
Commercial Lead
Resource
Improve
Does a domain-bound password also protect against phishing and AiTM?
Phishing and AiTM attacks succeed because a stolen password also works on the legitimate website. MindYourPass calculates the password based on the registered domain, ensuring that phishing sites automatically receive a different password. This prevents a successful login and, consequently, a hijackable session.
Rick Swinkels
Commercial Lead

Start making vulnerable passwords impossible today

Thank you for your request! We will contact you within 1 business day.
Please fill in all fields before submitting the form

In short: Phishing and Adversary-in-the-Middle (AiTM) attacks work because a stolen password remains valid on the actual website. With MindYourPass, the password is calculated based on the domain name being visited, meaning a phishing domain automatically generates a different password than the legitimate one. Without a valid password, no successful login can occur, and without a login, there is no session cookie for an attacker to hijack. This provides strong protection against classic phishing and most reverse-proxy AiTM attacks—as part of a layered security approach, since no single measure covers every conceivable attack scenario. Read on to find out why.


Phishing remains one of the most successful methods for account takeover. Verizon research shows that the human factor, including phishing and social engineering, played a role in a large portion of all data breaches analyzed in 2025. While attackers used to primarily try to trick users into revealing their passwords, they are increasingly using so-called Adversary-in-the-Middle (AiTM)attacks. Security researchers have recently noted a sharp increase in this type of reverse-proxy attack, partly because off-the-shelf AiTM phishing kits are becoming more accessible. These attacks attempt to intercept not just a password, but the entire authentication process between the user and the website.

That raises a logical question:

If a password depends on the website you are logging into, does that also protect against phishing and AiTM?

The short answer is: yes, in many cases it does. To understand why, it is important to first look at how traditional passwords work.

Traditional passwords

With a traditional account, you choose or generate one password for a website. That password remains the same until you change it.

Suppose you have an account at:

https://bank.nl

and your password is:

MySecretPassword123

If you accidentally visit a phishing website such as:

https://bank-login-secure.com

and if you enter the same password there, the attacker immediately has the password that can also be used to log in to the real website.

So the problem is not just that the password is intercepted. The problem is also that the same password is also valid on the real website.

A domain-bound password works differently

MindYourPass works on a different principle.

Instead of storing website passwords, they are calculated based on several factors. One of those factors is the registered domain name of the website.

The MindYourPass browser extension or mobile app automatically reads the domain name of the website the user is on. This domain name is one of the factors in the password calculation.

This creates a unique password for every website.

The password for:

bank.nl

is therefore always different from the password for:

bank-login-secure.com

even if all other factors remain identical.

If a different domain name is visited than the one for which an account was previously registered, MindYourPass treats this as a different website and automatically follows a different password calculation.

Why does this help against phishing?

Almost every phishing website uses a different domain name than the legitimate website.

For example:

Legitimate

https://bank.nl

Phishing

https://bank-login-secure.com

Because the domain name is part of the password calculation, a different password is automatically created.

Even if a user enters this password on the phishing website, the attacker does not have the password that belongs to the real website.

After all, the phishing domain only receives the password calculated for that specific domain.

The valid password for bank.nl is simply not generated.

That is a fundamental difference compared to traditional passwords.

And what about AiTM?

An Adversary-in-the-Middle (AiTM)attack goes a step further than a standard phishing website.

Instead of just showing a fake website, the attacker places a reverse proxy between the user and the actual website.

Schematically, it looks like this:

User
    │
    ▼
login-bank-secure.com
    │
    ▼
bank.nl

To the user, everything appears normal.

The proxy immediately forwards the entered data to the actual website and attempts to let the user log in successfully without them noticing.

With traditional passwords, this often works.

The real website accepts the login credentials and then issues a session cookie.

Because this cookie passes through the proxy, the attacker can copy it and hijack the session without needing the password again later.

This type of attack is precisely why multi-factor authentication (MFA) does not always provide the protection users expect: AiTM frameworks intercept the session after the MFA step, meaning a second factor on its own does not stop the attack.

Why does that work differently with a domain-bound password?

The crucial difference is that MindYourPass looks at the domain name where the user is actually located.

In the example above, that is:

login-bank-secure.com

Not:

bank.nl

Because the domain name is part of the password calculation, a password is calculated for login-bank-secure.com.

When the proxy subsequently attempts to use that password on bank.nl, the actual website will reject the authentication.

Therefore, no successful login occurs.

And without a successful login, no session cookie is issued.

In other words: the attack fails before a session can be established.

Difference from a traditional password manager

Modern password managers also offer significant protection against phishing.

Almost all well-known password managers check whether the domain name matches the website for which a password is saved. If the domain differs, they generally do not autofill the password.

The difference lies in the underlying approach.

A traditional password manager stores the password in an encrypted vault. The correct password already exists and can—depending on the password manager and the user's actions—still be looked up, copied, or manually entered.

MindYourPass works differently.

The system does not store the website password, but calculates it based on several factors, including the registered domain name.

If the visited domain name does not match the registered domain name, a different password calculation is performed for that website.

The password associated with the legitimate website is simply not calculated in that instance.

As a result, security shifts from an ex-post check ("does this saved password match this website?") to an inherent property of the password calculation itself ("a different password exists for this website").

And how does this relate to passkeys?

Anyone looking into phishing-resistant authentication will quickly come across passkeys (based on the FIDO2/WebAuthn standard). Passkeys are also frequently presented as the ultimate answer to AiTM, and for good reason.

A passkey is not about a password, but about a cryptographic key pair that is linked by the browser or operating system to the origin (the exact domain) for which it was created. If a phishing website tries to use a passkey created for a different domain, the browser refuses this before anything can be sent to the attacker. This makes passkeys highly resistant to phishing and AiTM.

The underlying principle of MindYourPass is similar: here, too, authentication is bound to the actual domain, meaning a phishing domain receives nothing of value. The main difference lies in the form:

  • Passkeys replace the password entirely with a key pair, stored by the device or browser. This requires broader support from the website or service itself, and for recovery and portability, users are often dependent on their operating system's ecosystem (e.g., Apple, Google, or Microsoft).
  • MindYourPass continues to work with a calculated password that is domain-bound. This makes it usable on virtually any website that accepts a standard password field, without the website itself needing to make any changes or support passkeys.

In other words: while passkeys replace the authentication method itself, MindYourPass applies the same principle of domain binding within the existing, universally supported password model. This makes it a practical alternative for situations where passkeys are not (yet) available or desirable everywhere.

It is worth noting that this does not have to be an "either-or" scenario. MindYourPass also supports managing passkeys alongside domain-bound password calculation. For websites that offer passkeys, a user can choose that strongest form of protection. For the many websites that do not (yet) support passkeys, the domain-bound password remains an equally phishing-resistant solution within the existing password model. This way, a user is not dependent on the pace at which individual websites roll out passkeys, yet remains consistently protected against phishing and AiTM.

Where protection has its limits

Domain binding is powerful, but it stands or falls on correctly recognizing the domain. A few situations are worth mentioning:

  • Look-alike domains (homograph attacks). An attacker can register a domain that looks identical to the naked eye but is technically a different domain (for example, by using different characters or subtle character swaps). For MindYourPass, this is simply a different domain, and therefore a different password is automatically calculated — exactly as intended. The risk here, therefore, does not lie in the password calculation, but in whether the user would have noticed the difference in the address bar themselves.
  • Compromised subdomains of the legitimate website. If a subdomain of the actual website is taken over by an attacker, it technically remains the same registered domain. Domain binding is therefore not an additional security measure against that specific scenario; this still requires proper server security by the website administrator themselves.

These are not shortcomings of the principle itself, but a reminder that domain binding is one highly effective layer within a broader set of security measures.

Does this mean AiTM becomes completely impossible?

No.

It is important to distinguish between different attack techniques.

A domain-bound password prevents an attacker from obtaining the valid password for the real website via phishing or a reverse proxy.

That is a powerful security layer.

But there are also attacks that do not rely on the password at all.

Consider, for example:

  • malware already present on the user's device;
  • browser or operating system compromise;
  • vulnerabilities in a web application;
  • theft of an already active session from the user's device.

In those situations, the point of attack is not the authentication, but elsewhere.

No password technique—including passkeys—can completely prevent such attacks.

An important distinction

It is often said that AiTM "steals sessions." That is correct, but only after a successful authentication has taken place.

With a domain-bound password, that successful authentication may not occur during a phishing or reverse-proxy attack, because a different password is calculated for the phishing domain than for the real domain.

No session is created without successful authentication.

And without a session, there is nothing to hijack.

Conclusion

By incorporating the domain name into the password calculation, a unique password is created for every website.

As a result, a phishing site can never obtain the same password as the legitimate website.

This not only provides strong protection against traditional phishing, but in many cases also prevents a reverse-proxy AiTM attack from establishing a valid session. After all, without successful authentication, no session is issued that can be hijacked.

This does not mean that all forms of account takeover become impossible. Attacks on the user's device, vulnerabilities in a web application, and edge cases such as compromised subdomains remain—just as with any other authentication method, including passkeys.

However, it does fundamentally change the approach to a major attack vector: the misuse of passwords via phishing or a reverse proxy. By cryptographically binding the password to the domain name, a password calculated for one website is simply unusable on another.

Sources: Verizon 2025 Data Breach Investigations Report; SpyCloud 2025 Identity Threat Report; KnowBe4 2026 Phishing Threat Trends Report.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

“Juist de collega’s die in het begin sceptisch waren, werden later de grootste ambassadeurs,”- addsadasd

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Get in touch with us.

Let MindYourPass make your organization safe.

Thank you for your request! We will contact you within 1 business day.
Please fill in all fields before submitting the form
Want to read more?
See other articles
More articles
The MindYourPass Solution

Log in securely with ease.
At home and at work.

Triple-i™ improvement method

De kluisloze wachtwoordmanager van MindYourPass

Met de wachtwoordmanager van MindYourPass maak je eenvoudig al je wachtwoorden ijzersterk en uniek. De wachtwoordmanager beheert jouw wachtwoorden, waarmee jij dagelijks kunt inloggen op al je accounts. Zonder dat jij je wachtwoorden hoeft in te typen. Dat doet MindYourPass voor je.

Learn more about Triple-i™

Learn more about cybersecurity

See all articles
Hulpartikel
The shame following a phishing attack is unjustified
Hulpartikel
"We hebben SSO voor alle applicaties." Dit is waarom dat in praktijk zelden klopt.
Hulpartikel
Eigen digitale hygiëne een worsteling, zelfs voor security-professionals
Resource
MindYourPass launches updated dashboard with real-time insight into identity risks