Prohibiting Pasting of Passwords

We have been told over and over and over again to use strong passwords. If you can remember your password then it is too weak. Because of this, many people use password vaults or password managers to store their super-strong, impossible-to-remember passwords. When they need to log into the site, they simply paste the password from their vault or use their password manager to fill in the password field. Seems like a good security practice, as the users have a very strong password…apparently not. Some sites are no longer allowing you to paste in your password (some may or may not allow your password manager software/extension to work). They do this via JavaScript: the handler for the onpaste event, a non-standard event defined by Microsoft for use in Internet Explorer (which also works in Firefox, Chrome, Safari, etc.), returns false, which cancels the paste. This “false” is treated the same as the user not putting in a password at all.
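To see the mechanism the paragraph describes, here is an added example (not code from the original post or from any of the sites it names) that audits password fields for paste blocking: it dispatches a cancelable synthetic paste event and reports whether a handler cancelled it. The `FakeInput` class is a constructed stand-in for a DOM `<input>` so the check also runs outside a browser; on a real page you would pass `document.querySelectorAll('input[type=password]')`.

```javascript
// Added example, not from the original post. Detects the paste-blocking pattern the
// post describes: an onpaste handler returning false (or calling preventDefault)
// cancels the paste, so a cancelable synthetic "paste" event ends up defaultPrevented.

function makePasteEvent() {
  if (typeof ClipboardEvent === "function") {
    return new ClipboardEvent("paste", { bubbles: true, cancelable: true });
  }
  // Minimal event object with DOM-like cancel semantics (fallback for Node).
  return {
    type: "paste",
    cancelable: true,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
}

// fields: any iterable of inputs, e.g. document.querySelectorAll('input[type=password]')
function auditPasteBlocking(fields) {
  return Array.from(fields).map((field) => {
    const ev = makePasteEvent();
    field.dispatchEvent(ev);
    return {
      name: field.getAttribute("name") || "(unnamed)",
      blocksPaste: ev.defaultPrevented,                      // the paste was cancelled
      inlineHandler: field.getAttribute("onpaste") !== null, // onpaste="..." in markup
    };
  });
}

// Constructed stand-in for an <input>, implementing only the DOM API subset used above.
class FakeInput {
  constructor(attrs) { this.attrs = attrs; this.onpaste = null; }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  dispatchEvent(ev) {
    // DOM rule: an on<event> property handler that returns false cancels the event.
    if (typeof this.onpaste === "function" && this.onpaste.call(this, ev) === false) {
      ev.preventDefault();
    }
    return !ev.defaultPrevented;
  }
}

// Constructed sample fields: one blocks paste the way the post describes, one does not.
const blockedField = new FakeInput({ name: "password", onpaste: "return false" });
blockedField.onpaste = function () { return false; };
const allowedField = new FakeInput({ name: "password_ok" });

function demo() { return auditPasteBlocking([blockedField, allowedField]); }
```

A field reported with `blocksPaste: true` is one where users with a password manager will end up typing, which is the outcome the post argues against.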

Some sites, such as British Gas, claim the reason they have disabled pasting in passwords is that they would lose their security certificate, as it exposes them to brute force (hacking) attacks. GE Capital just says “for security reasons”.

Well, apparently someone didn’t think this through very well. If people are not going to be allowed to paste in their super-secure passwords…guess what is going to happen? They will use a (less secure) password they can remember, which kinda defeats the claim “for security reasons”. Some claim that hackers could install malware that intercepts the Windows clipboard, allowing them to capture your password that way. However, it is much easier for a hacker to put keystroke-logging malware on someone’s system, which is exactly why people opt to paste their password or use a password manager instead of typing it.

So now these companies that think they are doing their users a favor by forcing them to type in their password (on the assumption that pasting isn’t secure) are actually making their users less secure…Brilliant!

Source: The “Cobra Effect” via grand stream dreams.

2 Comments on Prohibiting Pasting of Passwords

  1. It’s the same with the latest eBay and PayPal password breaches… I ended up typing a huge 16-char password generated by KeePass, which failed on !*” or something, and finally chose an idiotic password… (still secure) but not the most secure… They have no clue about human reality.

  2. Ditto here. eBay & PayPal annoyed me to no end for doing that. I had to modify the KeePass rules and force it to ONLY autotype the password on that page (and then do it for both password verification fields) and _ALSO_ turn off the internal obfuscation just because it wouldn’t handle the left and right cursor movements. Took me 20 minutes to bloomin’ do a 20-second job.

    You know you can tell KeePass to not use certain special or normal characters, right? And be sure and use the ^V autotype feature — it’s not “just” a clipboard paste.

    I’m sure it matched some managers expectation somewhere. Just bloomin’ accept any complexity password coming from anywhere — it’s MY problem to make sure it’s good enough.
