https://github.com/jswanner/DontFuckWithPaste
I hate sites that do that (or prevent right-click as if that somehow secures their code).
I _think_ that means it can send all of my passwords offsite, or do plugins need a separate permission to phone home?
https://security.stackexchange.com/questions/15259/worst-cas...
The plugin's code is probably quite short - maybe you could inspect it yourself, manually?
It's a bit disappointing that Chrome doesn't let you sandbox things well enough to install plugins safely; there's no reason that plugins should be allowed to transmit data without asking for permission.
[1]: https://developer.chrome.com/extensions/getstarted
[2]: https://github.com/jswanner/DontFuckWithPaste
This ties in to the discussion of Craig's List the other day. It is so refreshing to use a site that doesn't try to be clever. I understand if people find it ugly, but I don't - simple is good, and I don't care if sites follow whatever design trend is hot this week. Usability is far more important.
I think that option is going to greatly constrain where you are able to go on the web. The vast majority of ecommerce sites I visit will break with JS completely turned off.
At one point, I built a sortable filterable table for an admin UI, using React. One of the admins was a "no js" guy, and he thanked me for building the whole thing in functional HTML. Up until that point, I had no idea that the admin side of the system was even usable without JS; that was just a natural consequence of optimizing for SEO and load speed (server side rendering, URL representation for all significant state).
My experience is, that while ecommerce sites may break, most of them are quite usable even without JS.
Most good blogs work just fine. And the ones that don't I usually don't bother reading.
I roughly use OpenStreetMap 80% of the time, Bing 5% and Google Maps 15%.
Looking up where an address is? OSM. Routing? OSM. Opening hours for places I go semi-regularly (but not often enough to remember them)? OSM (I put them in myself). Footpaths, caves, info on towers (like GSM/3G), public transport routes, etc.? OSM.
Aerial imagery? Bing (much faster than Google Maps).
Traffic info? Google Maps (I'm still casually looking for alternatives). Searching a shop? Google Maps.
In the Netherlands OSM is of equivalent quality in some categories (road network, addresses), better quality in others (trails, meta info about towers or cave entrances or so), or worse in yet other categories (information about businesses, at least outside of city centers).
I don't use Google services in my personal life. (I have less control over vendors at work.)
I also use extensions to enable them on certain sites. Just tap the extension icon and it will reload with JS enabled.
You'd be surprised how fast webpages load without JS
So basically you don't use 80% of the internet because the occasional site annoys you?
Do you also cut off your hands when you get dirt on them???
People have been saying this since like 2000's, and the more advanced JS websites get, the more cringeworthy this comment gets. It's 2017, just fucking leave javascript on and use Ghostery + uBlock Origin.
1.) typing it out manually while you can't see if you made a mistake
2.) using developer tools to set the 'value' attribute directly
"SPP" discourages use of a password manager. End of story. I also see this pattern used on banking websites for inputs like an account number. This drives me crazy as well for the same reason. The computer can get it right more reliably than my eyes and fingers.
Whenever I see a website that blocks paste I immediately assume it's built by incompetent people and trust it with as little as possible.
Only works with Internet Explorer
Doesn't work with Internet Explorer
Password must have one of 4-10 special characters, but not other special characters. (e.g.: Must contain !, @, ^, &, or parentheses, but not ;, ", etc)
Passwords have no requirements
Right-click is disabled
Video plays as soon as the site loads
Share buttons that use javascript to follow the viewport
Share buttons that pop up over every single image
"Want to see more" when you move the mouse to the top of the screen (Or reach the bottom of the page) (or as soon as the page loads)
Slideshows of any sort
Except... it can only be 8 characters long. Anything else gets truncated (they explicitly said so). The mind boggles.
I have no idea where this limitation comes from, do people just set an 8 character field in their database? Was this a problem decades ago that they figured they'd save a few megabytes of storage space?
I think they've finally changed it so that the reset period is determined on your password complexity, no length limitations, and you can have 2FA (or at least mobile password reset).
I made a saas tool for mac developers. Fixing all the quirks would cost far more than the potential 2% users are worth to me.
Slideshows - you mean even embedded Slideshare ones? Why? It's a good tool to explain certain ideas, and an easily shareable one. We had our slides embedded on a TC post, and we used them as a significant source of traffic.
I forget the term I did this with openssl, Apache, I think with a cheap vps I get between 9 and 10 cost, bcrypt. Sorry if these are not directly related for hashing.
A few sites I have to use for my dishwashing job (i.e. SharePoint, a card company that manages my money, as well as another by WalMart) don't allow special characters, only upper case, lower case and digits. You'd think okay, length then, but some have limits like a 15-char limit.
Some of us just can't be bothered. My web app is tested on Chrome, Firefox, and Edge. If you want to use IE you are on your own and I won't support you unless you give me a million dollars.
However, I worry that this is a very BIG assumption.
Even in my IT-literate circles password management usage is low.
In my non-IT circles it is non-existent, and not because of SPP particularly; I suspect SPP (which I agree is silly) derived from an understanding that allowing an average person to paste passwords meant they stored them in passwords.txt on their desktop.
Naturally the population here is technical so it can be hard to see that as a common and sensible thought process. But never underestimate the capacity of the average person (whose IT capability you and I don't represent) to make mistakes like this and never see the problem/risk.
It's odd that the article explicitly mentions this near the start but then doesn't address it in the Justifications section.
That's a significantly better practice than using the same easy-to-type password on every site, isn't it?
But that is password management, it's just crap password management.
There's certainly an argument that a plaintext-on-desktop stored list of high-entropy passwords is better than a single in-(human)-memory low-entropy password. With the recent wannacrypt reminder, that argument's slightly diminished, though.
I think the highest impact (i.e. fn of quick/low effort, high reward) suggestion to non tech-literate folk is to use 2FA on their email account. I like and usually suggest Authy, mainly because it's available as a Chrome app too whereas e.g. Google Authenticator is just on Android/iOS. (I assume it's clear, but email account as opposed to something else since it's so near universally treated as the fallback option.)
That's a good base for them to start using 2FA everywhere else it's possible, too.
You are forked if your manager is ever compromised. It's only a matter of time until a major breach happens with a popular password manager.
For sites that disable pasting, I have developed quite a skill at copying the password character by character from my PM into the password field. I'm even starting to remember a couple of them.
Incredibly frustrating.
For Firefox, setting the "dom.event.clipboardevents.enabled" about:config option to false prevents clipboard paste events from reaching javascript. No more blocked pasting after you toggle that option, even if the website attempts to do so.
My password manager also clears the clipboard if it is equal to the last password copied after a while (I've never timed it).
The AppleScript in question is very simple, it just looks like

    on alfred_script(q)
      tell application "System Events" to keystroke q
    end alfred_script

This makes me wonder about the personal security practices of the team that built it -- it's unlikely they typed strong passphrases hundreds of times a day during development -- and whether a secure site could come from such a team.
There are regulatory bodies that require regular challenge of user identity for approving items as sort of a signature mechanism. This is another time where active thwarting the password manager makes sense. Whether or not the regulation makes sense is an entirely different issue.
Oh, and if you forget your login/pass/security-answers, don't worry, you can just re-register your account with the same username as before, with all new password, security questions and answers.
As in... every login it wants you to answer all six of your questions? That's barmy.
e.g. echo "type password" | xdotool -
This is my pet peeve. Password fields should not be obfuscated by default. It should be a toggle that is off on page load. Shoulder surfing is a corner case.
if you can remember your password, it's probably too weak
hunter2 is the password manager I wrote for this: https://chiselapp.com/user/rkeene/repository/hunter2/
As XKCD famously pointed out[0], Diceware[1]-style pass phrases can be both secure and memorable. XKCD's four word example isn't secure when fast brute-force attacks are feasible, but eight words is still easily memorable and secure enough for anything. The important point here is that "random words" really does mean "random", i.e. not picked by a human.
    Diceware, 6 words                2.2 x 10^23
    Diceware, 5 words                2.8 x 10^19
    Diceware, 4 words                3.6 x 10^15
    a-zA-Z0-9 + symbols, 10 chars    4.3 x 10^19
    a-zA-Z0-9, 10 chars              8.4 x 10^17
    a-zA-Z0-9, 8 chars               2.2 x 10^15
A 6 word diceware phrase has 100 million more combinations than the 8 character alphanumeric.
And it would both be very strong, and be difficult for someone at my desk to guess by looking at things on my desk.
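The table above can be recomputed rather than trusted; this is an added example (not from the thread or any tool it mentions) that derives each row's search space and entropy, estimates exhaustive-search time, and draws a phrase with the OS CSPRNG so the words really are random rather than human-chosen. The 92-symbol alphabet is an assumption chosen to reproduce the 4.3 x 10^19 row; the demo wordlist is constructed and far too small for real use.

```python
import math
import secrets

# Alphabet sizes behind the table in the comment above.
DICEWARE_WORDS = 7776      # a standard Diceware list has 6^5 words (five dice rolls)
ALNUM = 62                 # a-zA-Z0-9
ALNUM_SYMBOLS = 92         # assumption: 92 keyboard symbols reproduces the 4.3 x 10^19 row


def combinations(alphabet_size: int, length: int) -> int:
    """Size of the search space when every position is drawn uniformly at random."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity in bits, which is how most password guidance states strength."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Defender's worst case: the attacker tries the whole space at a fixed rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def strength_table() -> dict:
    """Recompute the rows of the comment's table as (combinations, bits)."""
    rows = [
        ("Diceware, 6 words", DICEWARE_WORDS, 6),
        ("Diceware, 5 words", DICEWARE_WORDS, 5),
        ("Diceware, 4 words", DICEWARE_WORDS, 4),
        ("a-zA-Z0-9 + symbols, 10 chars", ALNUM_SYMBOLS, 10),
        ("a-zA-Z0-9, 10 chars", ALNUM, 10),
        ("a-zA-Z0-9, 8 chars", ALNUM, 8),
    ]
    return {label: (combinations(a, n), entropy_bits(a, n)) for label, a, n in rows}


def diceware_phrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never by human choice or random.random."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for label, (space, bits) in strength_table().items():
        print(f"{label:32s} {space:9.1e}  {bits:5.1f} bits  "
              f"{years_to_exhaust(space, 1e12):.1e} years at 1e12 guesses/s")
    # Constructed 8-word stand-in for a real Diceware list; use the full 7776-word list.
    demo_list = ["apple", "bishop", "cobalt", "dune", "ember", "fjord", "glyph", "hazel"]
    print(diceware_phrase(demo_list, 6))
```

Running it shows the 8-character alphanumeric row comes out at 2.2 x 10^14, so the 6-word phrase has roughly a billion times the search space.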
If they disabled pasting, I'd disable my account.
This really pisses me off every time I see it.
JavaScript is client-side code. If the attacker you're protecting against can't trivially bypass this bullshit "security" feature in three seconds, then he/she is not something you should be concerned about.
Attackers like that probably have other skills like counting to 5 with a 60% accuracy, and pointing out their own nose with a 40% accuracy. (Just like you do if you have this on your website.)
Even worse: sites that silently truncate your pasted password to the maximum length. When all you see is those little dots and the password is wider than the text field, it's very difficult or perhaps even impossible to tell how many characters were successfully pasted. And obviously truncation sets you up for disaster when you try to log in using your saved password and it just doesn't work.
That assumes they're not storing your password in a VARCHAR(16) field, which is what I always assume when I see a max password length restriction like this. Or perhaps they're using the ridiculous LANMan hash algorithm [1].
[1]: https://en.wikipedia.org/wiki/LAN_Manager#LM_hash_details
> Most password managers erase the clipboard as soon as they have pasted your password into the website, and some avoid the clipboard completely by typing in the password with a 'virtual keyboard' instead.
Isn't the latter approach much safer? If so, shouldn't it be the de facto standard since it prevents "clipboard stealing" and also removes the issue of not being able to paste content into an SPP form input?
For example, my bank's app doesn't let you paste passwords. I have a strong random password which basically means I can't access it from my phone...
I had to just throw up my hands and do all of my access to chase.com through a sandboxed browser profile, where I could automate logins.
I'm not fond of this, but what does it have to do with passwords? I (reluctantly) use Chase's online banking on the desktop, and it lets me paste passwords.
The best solution I found was to mount via the command line but that definitely wasn't an option for any coworker unfamiliar with the terminal.
https://apple.stackexchange.com/questions/42257/how-can-i-mo...
Also while this may be ultra paranoid, I really don't like typing passwords in public places where endless cameras can record my screen and keystrokes.
It's like it's on purpose to make you save the password on the keychain or to make it more predictable somehow. I think that's either a very bad decision or evidence of NSA/CIA infiltration/influencing of Apple's software
Since I can't have the password visible in the password manager on the phone at the same time as the login prompt in the app, this means that I can only use the bank app if I'm 1) next to another device I can get that password on or 2) if I write the password down on something.
- Allow you to paste passwords into their smartphone app, but not into their web site being accessed from the same device.
- When entering new passwords, limit the password length but not tell you what the limit is ("password is too long"), so you have to reduce it 1 character at a time and keep trying.
- (Mentioned elsewhere in this post) Limit the special characters to some inexplicable subset like !@#$, so you have to edit your generated random password and replace the non-compliant characters with ones from their subset.
- Limit password lengths to (say) 20 characters, allow you to enter a new 20 character password, but only store the first 19 characters so you get an invalid password error when you subsequently log in! I figured it out because I knew I was pasting the correct password, so I just thought, "Hmm, UI team != DB team..." and tried one less character. Bingo.
This happened to me with an old version of (IIRC) a Bank of America iOS online banking app (I am not concerned about mentioning a name here because it's been fixed since then).
- Limit your password to something really short like 10 alphanumerics.
- Require password entry for (say) iCloud before you can get into your password manager, forcing you either to pull up the password on another device and painstakingly enter by hand a 30 character random string, including many special characters, and not letting you see the password (only the last character, for a second). This is so unpleasant that I am sure many people would just change the password to their dog's name or something.
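The "allow 20, store 19" failure and the unhelpful "password is too long" message from the list above, modelled as an added example (not code from any bank or from the thread). The two stores below assume a UI limit of 20 and a storage limit of 19, with PBKDF2 standing in for whatever hashing the real service used; the buggy store truncates before hashing while its login path hashes the full string, and the fixed store hashes everything and names the limit it enforces.

```python
import hashlib
import hmac
import os

# Assumptions mirroring the comment: the sign-up UI allows 20 characters, but the
# storage layer keeps only 19 ("UI team != DB team"). PBKDF2 is used for the example.
UI_MAX_LEN = 20
DB_COLUMN_LEN = 19


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """The bug: the password is cut to the column width before it is hashed, but the
    login path hashes the full string, so a maximum-length password can never log in."""

    def __init__(self) -> None:
        self.rows = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) > UI_MAX_LEN:
            raise ValueError("password is too long")        # no hint what the limit is
        salt = os.urandom(16)
        self.rows[user] = (salt, _digest(password[:DB_COLUMN_LEN], salt))  # silent truncation

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.rows[user]
        return hmac.compare_digest(_digest(password, salt), digest)


class FixedStore:
    """Hash the whole password (only the fixed-size digest reaches the column), enforce
    one length limit in one place, and say what the limit is when rejecting."""

    def __init__(self, max_len: int = 128) -> None:
        self.max_len = max_len
        self.rows = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) > self.max_len:
            raise ValueError(f"password longer than {self.max_len} characters")
        salt = os.urandom(16)
        self.rows[user] = (salt, _digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.rows[user]
        return hmac.compare_digest(_digest(password, salt), digest)


def reproduce_bug(password: str) -> tuple:
    """Returns (login works with the buggy store, login works with the fixed store)."""
    buggy, fixed = TruncatingStore(), FixedStore()
    buggy.set_password("alice", password)
    fixed.set_password("alice", password)
    return buggy.verify("alice", password), fixed.verify("alice", password)


if __name__ == "__main__":
    pasted = "Tr0ub4dor&3-pasted20"   # constructed: exactly 20 characters, as the UI allows
    print(reproduce_bug(pasted))       # (False, True)
```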
On "change your password" screens, you don't want the second "confirm password" field to be paste-able to stop this scenario.
1) User tries to type "mypassword" but enters "mypasswor" instead.
2) User copy-pastes "mypasswor" into "confirm password field"
3) User hits "submit".
Now when the user tries to login with "mypassword" it fails.
When changing your password, if you're pasting at all, it's from another (presumably correct) source -- so pasting is fine, whether once or twice.
It's a shame that password managers are mostly used by tech savvy people, as they are probably the most secure way to deal with passwords we've come up with so far.
I would paste into both boxes and resort to developer tools if I am not allowed.
Whilst we're on the topic: I hate stupid input fields that don't ignore whitespace and have a maximum number of characters. So you paste the space-separated number (I'm looking at you IBAN), get an exception because of the spaces, go back and remove them, get another exception, and then realise that the number was truncated due to the field length restriction applied on paste. ARGHHHHHH
Maybe they're worried people will have a "password.txt" in My Documents where they store all their passwords in cleartext. That being said, it'd still probably be more secure than having the same password everywhere like most people seem to do.
The road to (UI design) hell is paved with good intentions.
I feel passwords used to be thought of as a combination of characters that you keep in your head, and should only leave your head when being entered in a password field. Preventing paste discourages storing your password in a file called passwords.txt, and accidentally pasting it somewhere else as well.
Of course, we now understand passwords should have some qualities (larger alphabet, avoid common words/phrases as your passwords) which go against ease of remembering, so we now use password managers and other tools.
So this behaviour is probably an old common practice that most people used without knowing why, and that's why we still see it even if it's outdated and harms security in the end.
Passwords operate under the principle "something you know". (Unfortunately operating under this principle on the Internet is quite hard, but that's a different story). When you save passwords somewhere it's no longer with the assumption of being just "something you know", but more "something you have". Of course passwords are even less apt as "something you have", because they are hard to secure, both in storage and in use.
Nothing has fundamentally changed. That people can't imagine why someone would want to keep passwords "something you know" is because they don't understand the theory behind passwords. A password manager might seem like a solution, but in reality what you're getting is the worst of both worlds. You don't get the security of "something you have", like a key that can be stored in hardware and verified without disclosing it to the host. Nor do you get the flexibility, at least not as a user, of "something you know".
I actually think it would be a great idea to block password managers and offer an alternative protocol for authentication. That way if they want to keep their users they would have to implement that protocol. Suddenly you would have quite a lot of users using something more secure.
(just a random text on the subject: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeopl...)
Nobody other than those who use very simple, high risk passwords can remember them all. It has to be stored somewhere. Preventing copy/paste seems like a completely useless step (security wise) that only causes unnecessary bother.
Similarly with Post-It Notes and physical written Notebooks of passwords. If your threat model isn't concerned about people with physical access to those notes, and you are comfortable with the physical security of those notes, that can be perfectly acceptable for you, and an overall better security stance from bad passwords.
"Don't write down your passwords", has always been bad advice, from that perspective. "If you write down your passwords, keep them safe" is slightly more accurate.
Humans (in general there are some exceptions) aren't very good at remembering large numbers of arbitrary long random strings.
So using a password safe and then copy/pasting into the relevant dialog is likely to be a better option than relying on human memory (which inevitably means for most people using the same password in many places)
1) In the beginning the whole X.509/PKCS PKI mechanism was seen as something that came out of X.500 and other telco stuff, is centralized, complex and expensive (all of these things are in fact true for the originally envisioned usage) and thus irrelevant for decentralized internet. (for example, the L for "Lightweight" in "LDAP" essentially means that it uses passwords instead of client side certificates)
2) The UX in early SSL capable browsers for client-side certificates was horrible (In Netscape the whole SSL configuration was in completely separate dialog from browser settings, which was incredibly complex. IE uses SSL implementation from windows which is also used for lots of other things and has centralized configuration and also even today creates confusing dialogs when site requests client certificate). It's somewhat ironic that various ActiveX/Java based replacements of this horrible UX are in fact often even more unusable.
It was even backwards-compatible with X.509!
If you don't use a hardware module, certificates are easily stolen by malware, and as revocation is often problematic, stolen certs can be quite bad news.
For what it's worth, I did write a small utility to make it easy to create memorable passwords using a master password:
https://github.com/agentgt/ezpwdgen
It uses the Emoji word database to help you remember passwords.
I've never actually managed to find out where the idea of websites banning copy/paste came from. Presumably it's been as a result of security audits, but I can't find any security people who would argue that it's a good idea...
If you can run Wayland, do it. If for no other reason, this.
You need to have cursor focus to receive key events, right?
The clipboard, by contrast, can be continually monitored, while playing completely "by the rules", right?
It does allow you to paste into the login fields, but you cannot submit your login credentials this way because the "Sign On" button is greyed out until you've actually typed in each field. I let my password manager fill the fields, then I manually delete and re-type the last character from each of the 3 fields.
Also, many sites should have an easy email based login.
> Justification 2: 'Pasting passwords makes them easier to forget, because you have fewer chances to practise them'.
Difficult to remember and easy to forget passwords will be auto generated. In fact I encountered few websites that didn't accept long passwords.
> Justification 3: 'Passwords would hang around in the clipboard'
Only for 12 seconds, after which KeePass will clear the clipboard.
The more common place I've seen it is email address confirmation (or PW confirmation), which while probably unnecessary, is not the worst thing in the world. You are retyping an address that's displayed in the field above. Less intrusive than a captcha.
Password managers could wipe the clipboard, if it still contains the password, after a defined amount of time, such as 60 seconds.
(If you think that's "confusing", show a notification that explains the behavior; "clipboard wiped" or something.)
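The conditional wipe described in this comment and in the earlier one about a manager that clears the clipboard "if it is equal to the last password copied", as an added example rather than any password manager's real code. The in-memory clipboard is a constructed stand-in so the logic runs headless; the macOS adapter is an assumption that `pbcopy`/`pbpaste` are available, and the 12-second default only echoes the KeePass figure quoted above.

```python
import hmac
import subprocess
import threading


class InMemoryClipboard:
    """Stand-in for the OS clipboard so the logic runs headless (constructed for the example)."""

    def __init__(self) -> None:
        self._text = ""

    def get(self) -> str:
        return self._text

    def set(self, text: str) -> None:
        self._text = text


class MacClipboard:
    """Real adapter using macOS pbcopy/pbpaste (assumption: running on macOS)."""

    def get(self) -> str:
        return subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout

    def set(self, text: str) -> None:
        subprocess.run(["pbcopy"], input=text, text=True, check=True)


def wipe_if_unchanged(clipboard, secret: str, notify=print) -> bool:
    """Clear the clipboard only if it still holds the secret we put there.
    Returns True if wiped; anything the user copied since is left alone."""
    current = clipboard.get()
    if hmac.compare_digest(current.encode("utf-8"), secret.encode("utf-8")):
        clipboard.set("")
        notify("clipboard wiped")          # the notification the comment suggests
        return True
    return False


def copy_with_timeout(clipboard, secret: str, ttl_seconds: float = 12.0,
                      notify=print) -> threading.Timer:
    """Put the secret on the clipboard and schedule the conditional wipe."""
    clipboard.set(secret)
    timer = threading.Timer(ttl_seconds, wipe_if_unchanged, args=(clipboard, secret, notify))
    timer.daemon = True                    # never keep the process alive just for the wipe
    timer.start()
    return timer


if __name__ == "__main__":
    cb = InMemoryClipboard()
    t = copy_with_timeout(cb, "correct-horse-battery", 12.0)
    t.join()                               # after 12 s: "clipboard wiped"
    print(repr(cb.get()))                  # ''
```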
Password managers are a thing. Please don't force me to type out 32 random symbols twice while I sign up for your service.
The QQ messenger blocks pasting passwords on iOS I suspect for this reason, perhaps there are teams of people guessing passwords and manually typing them in like gold farming.
From what I gather this should use IPC between applications, rather than the clipboard itself.
Another annoyance is having to enter 2nd,4th,7th etc letter of the password using a dropdown. ARrrgh.
If the problem is the risk posed by password vaults and clipboard managers, promote better vaults and better utilities. Personally, I'd love a password vault that could check which application or website I'm pasting to, blocking transmission if it looks wrong. But it's not the website's job to tell me how to manage my secrets.
Whereas if you reuse a password on multiple sites, and one of those sites is compromised, all of the rest of your logins are compromised.
My largest issue is that it's extremely possible to fat-finger your UN to be Hellow, and it's extremely easy to see and fix that mistake.
However, since passwords are hidden, it's hard to see ######## is actually Worls123. Now your new account has essentially a one-time login because you have no idea what your password is. Typing it out again ensures you catch your mistake.
I'd notice someone shoulder surfing, so I'd prefer if they weren't starred out by default, with starring out as an option if I do have people around.
I never need passwords hidden in my home. I've been in work environments where I know I'm not doing anything where I'd want passwords hidden. I especially don't want passwords hidden on my phone, where it's easy to make a typo.
What I am saying is that from a regular user's perspective there is no viable way to do it right and we shouldn't be surprised if people follow bad practices. We can't just tell people to:
- don't write down passwords
- have unique strong passwords for dozens of sites
- always type them in
It's not going to happen.
You might want to allow paste, too, but it's the clumsy solution.
This is a huge step up from a memorized password. Go ahead and implement OpenID too, but don't force people down to the level of memorized passwords needlessly. Expending effort to prevent pasting is a stupid move.
Oh, I agree. I was more talking about people who have already expended that effort (so it's zero marginal effort) and are considering reversing it (which has a small but non-zero cost).