What is the possible logic here?
-
I encountered that a couple of months ago on a major bank website. The irony was that the PW set fields allowed it, so I dumped a random KeePass-generated PW in and then had to manually enter that bastard when I wanted to log in. Fortunately I figured out pretty fast that Chrome would override that with ctrl-v. I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts rather than something they would actually do, like edited packet replays.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
Psht! Would you please leave those code monkeys in their belief that a little JavaScript on some controls can actually keep us from doing something!
The language is JavaScript, that of Mordor, which I will not utter here
This is Javascript. If you put big wheels and a racing stripe on a golf cart, it's still a fucking golf cart.
"I don't know, extraterrestrial?" "You mean like from space?" "No, from Canada." If software development were a circus, we would all be the clowns. -
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
Make sure you complain to them and tell them the reason you just stated here. It's pure ignorance. You have to combat ignorance or it will continue to spread. I have to tell this story: I had an account that was worse than that. Apparently, their site only accepted passwords of 8 characters or less, but THEY DIDN'T TELL YOU! There was no indication on their site whatsoever. So I would change my password (my default was 16 chars), go to log in 5 seconds later, and it said "password invalid". This is not possible because I was pasting my password from Keepass that I JUST SET! Every single time I logged on I would have to call their tech support to reset my password. And every time I reset it, I was locked out again. Their own tech support people couldn't even figure it out. I finally figured it out myself because I noticed after the tenth time that every time I was emailed a temporary password it was exactly 8 characters. I tried dumbing down my password to 8 chars and lo and behold it worked! Their application was only recording the first 8 characters of what you put in the web form. Then you paste in the exact same password next time and it would fail if it was longer than 8. I told them about the bug and you know what their response was? [crickets] So I closed my account. Dumb-asses. If they won't listen to reason, then just walk away. Maybe eventually they will get the message.
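The truncation bug in the story above, reconstructed as an added Python example (not code from the thread or from the site in question); the CHAR(8) column, the usernames and the sample password are constructed assumptions, and the fixed version hashes the full password so the storage width no longer limits password length:

```python
"""Constructed scenario: a legacy user table has a CHAR(8) password column.
The vulnerable code trims the password to fit the column at registration
but compares the untrimmed value at login, so any password longer than
8 characters is accepted at signup and then rejected at every login."""
import hashlib
import hmac
import os

LEGACY_COLUMN_WIDTH = 8       # width of the assumed legacy CHAR(8) column
MAX_PASSWORD_LENGTH = 128     # explicit, documented limit in the fixed version
PBKDF2_ITERATIONS = 200_000


class LegacyUserStore:
    """Vulnerable: stores the password silently truncated to the column width."""

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        # Truncates to fit the column and tells nobody about it.
        self._rows[username] = password[:LEGACY_COLUMN_WIDTH]

    def login(self, username, password):
        # Compares the full submitted password against the truncated copy,
        # so anything longer than the column width can never match.
        stored = self._rows.get(username)
        return stored is not None and stored == password


def _derive(password, salt):
    # Fixed-size output regardless of password length, so no column
    # width constraint ever has to be imposed on the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class UserStore:
    """Fixed: enforces an advertised limit, then stores a salted hash."""

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        if len(password) > MAX_PASSWORD_LENGTH:
            # Reject loudly instead of truncating; the limit is documented.
            raise ValueError(
                f"password must be at most {MAX_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self._rows[username] = (salt, _derive(password, salt))

    def login(self, username, password):
        row = self._rows.get(username)
        if row is None:
            return False
        salt, expected = row
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(_derive(password, salt), expected)


def demo():
    """Reproduces the symptom from the story and shows the fix."""
    pw16 = "xK9#mQ2v!pL7@wR4"   # constructed 16-character generated password
    pw8 = pw16[:8]               # what the legacy system actually recorded

    legacy = LegacyUserStore()
    legacy.register("alice", pw16)
    fixed = UserStore()
    fixed.register("alice", pw16)

    try:
        fixed.register("bob", "a" * (MAX_PASSWORD_LENGTH + 1))
        overlong_rejected = False
    except ValueError:
        overlong_rejected = True

    return {
        "legacy_full_password": legacy.login("alice", pw16),  # the reported failure
        "legacy_first_8_chars": legacy.login("alice", pw8),   # how it was diagnosed
        "fixed_full_password": fixed.login("alice", pw16),
        "fixed_first_8_chars": fixed.login("alice", pw8),
        "overlong_rejected": overlong_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```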
-
It's a side effect of what they are doing with the keyboard handler, which is removing any ability to hook it. A lot of the common keyloggers (AdvancedKeyLogger, KeyGhost, Absolute Keylogger, Actual Keylogger, Actual Spy, Family Key Logger, GHOST SPY, Haxdoor, MyDoom) all use that method. The ability to cut and paste is unfortunately a side effect of the change, but in some ways is a blessing. So basically the bank is doing something Microsoft should have done, which is, when you enable a secured connection, cut the feed to all Windows hooks; that would have been the preferred option. You won't be able to restore the function; it's way lower than anything Java can reach, and the paste functions will not take input from the normal button Win32 messages if implemented correctly. The hint is you would have to register the message with the class, and for that you need the security key. What you think of as a button isn't a button at all; it's a bitmap that gets drawn on from deep inside the security sections. Think of a rolling counter on a website, or even look at the US debt clock. The screen drawing is totally fictional; the key messages never come outside the application kernel.
In vino veritas
-
I see this more and more. Really annoying. I use KeePass and have it generate a password as my made-up ones are way too easy. (What is wrong with HelloWorld42? :) ) There must be someone out there who came up with the idea and is spreading it to financial institutions.
Mongo: Mongo only pawn... in game of life.
-
There are worse. One of the banking sites I use has all that, PLUS they disabled the Tab key from moving to the next field too. Not only do you have to key the id in using the KB (no paste on any browser, no auto complete), but then take your hands off the KB, use the mouse to click on the password box, and then hands back to the KB to enter that, then back to the mouse to click OK. After that use the mouse to select an option which then opens a new input box to enter the OTP, use the plastic calculator thing to generate the OTP, click on the OTP input field (because it doesn't put you there by itself), key that in, then use the mouse to click OK because again Tab/Enter does nothing. Now you can finally do what you came for, but the whole site is almost all like that: no tab, some later fields can be pasted but woe betide you if you accidentally paste a no-no character (including accidental trailing spaces on/in numbers - phone number(s) too). Think for too long and it tosses you right out - no warning. (Even the "feedback form" that it requests you to fill in after you've finally done is like that, and it includes fields to key in basic info like name, phone, which account(s) you have, as if they didn't already know that.) Thank you, please come again. - Well not if I can bloody help it.
Sin tack ear lol Pressing the "Any" key may be continuate
-
PeejayAdams wrote:
that they had disabled pasting into the password and confirm password fields.
Some websites have been that way for many years. I'm sure it is so that you are forced to re-enter your password. If you mistype and then paste it you'll send support a complaint that your new password does not exist. This way, you are more sure to type it in right. Some websites don't even bother with the confirm password.
There are only 10 types of people in the world, those who understand binary and those who don't.
-
Type password wrong, copy, paste the false one... Come back, try to log in using the right password. Start :wtf: :wtf: :doh: :doh: :mad::mad: X| X| Not allowing copy/paste at registration... I find it not so bad. Not allowing it at login... that's one step too much.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
I find it a PITA. Generally, they want two confirmations: Email and password. So I have to type my email in twice - instead of copy'n'paste from my password store. Then I have to do the same with my password. And since I try to use a fresh Guid as my password each time I don't even know (or care) what it is, so typing it is more likely to give a problem than not. And don't even get me started on "what is a valid password" - some insist on upper and lower case, some must have a number, some won't allow special characters, some want 8 letters, some want 10. And they never tell you their arbitrary rules in advance either... :mad:
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
-
leon de boer wrote:
It's a side effect of what they are doing with the keyboard handler which is removing any ability to hook it.
That could well be it (and it's nice to know that there might be some kind of reason) but if it's going to compromise security in other ways, it seems like a rather bad idea. This site was one of several that I've registered with in recent times in the same sector (UK turf accountancy/equine futures market) that have really astonished me with the inadequacy of their security systems. The sites belonging to two of the largest high street names bounce between https:// and http:// with gay abandon. One uses a PIN number rather than a password. That, I find utterly unbelievable. A couple have the old "password must be between x and y characters long" thing going on. Something that seems increasingly "last century" to me. Thankfully, this one does seem to be getting a bit rarer these days. Every single one that has a "security question" (I guess I'm talking about 20 or so sites here) has the same default question - mother's maiden name: if you can't remember it you can always find it on your birth certificate or some genealogy website or other. Other people can find it, too, of course, if they don't happen to know it already, but hey! Nothing's ever quite perfect ...
-
The pointy-hair who shoved the idea down the developers' throats probably assumes the only password manager people would ever use is called passwords.xls (because that's what he uses) and is making the system more secure as a result. To @NathanMinier: the ctrl+v loophole you found is probably the developers protesting by slipping something past their PHB, knowing he can only copy/paste using the context menu. :rolleyes:
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
Nathan Minier wrote:
I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts
I was recently on a gov't web site (related to student loans) which also blocked the paste field. It is so annoying and actually shows that the person who created the thing doesn't understand how password hacks are done. So, again, these sites actually punish you for having a more complex (and longer) password which is very difficult to type. :mad:
My book, Launch Your Android App, is available at Amazon.com.
-
leon de boer wrote:
So basically the bank is doing something Microsoft should have done which is when you enable a secured connection cut the feed to all windows hooks which would have been the preferred option.
I'm curious how you expect MS to be able to accomplish that. Setting aside that there's nothing they could do to affect the situation on people running Linux/MacOS/Android/iOS/BSD/etc, just getting enough visibility into 3rd party browsers to do it Windows wide would require a cluster-elephant of kernel mode snooping to try figuring out what's going on inside other peoples code. Lastly, AFAIK low level user IO hooks are extensively used by accessibility software which means that to interfere with the crappiest common denominator of malware they'd be throwing everyone with disabilities under the security theater bus.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
Was it to keep the bots from being able to paste IDs and passwords?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
Your story is a great one -- albeit painful for you as a user -- since you expose the ineptitude of those developers and that site. It exposes what a lot of companies do with passwords that is so terribly wrong. Through my work with writing a password generator (SHA256-based, hashed and strong, that the user never has to remember -- see my articles here at CP) I've noticed that many companies require a password to be quite short, though everyone knows the longer it is the better. I had an issue with Yahoo! while attempting to change my password to my strong SHA256-based password hash, and it was related to length too. Now 50 million of their accounts have been hacked. Sheesh. The Companies which Allow Extremely Long Passwords Here's an example of my passwords (not a real one, of course):
53859190d943a005823a58af8d717755bf63fbf8fb0eb99733595ae70aa3b2d7
Facebook, LinkedIn, Google, Microsoft and Apple ID only allow a max of 32 chars for a password - those simpletons.
My book, Launch Your Android App, is available at Amazon.com.
-
DavidCrow wrote:
Was it to keep the bots from being able to paste IDs and passwords?
Bots can just do SendKeys. It's extremely easy. As a matter of fact, Norton Internet Security has an on-screen keyboard which allows you to type via SendKeys, which is a security safety net in case you have a keylogger and don't know it. SendKeys doesn't generate the keypresses that your keyboard does, and keyloggers wouldn't be able to trap your password if you use the Norton on-screen keyboard. I think Kaspersky has this too.
My book, Launch Your Android App, is available at Amazon.com.
-
This is what one of my typical passwords looks like:
Quote:
W6/\E\4d8ewUhDO`;*&O
I'm not going to use weak passwords. I'm not going to remember or type my passwords. I never use the same password on multiple sites or services. The only option left is to not use their site or service. By the way, if you don't already have it, get Keepass. It rocks.
-
PeejayAdams wrote:
Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money
Numerous web sites and companies are contributing to the problem by limiting passwords to a certain length. My app creates passwords you never have to memorize and you probably wouldn't want to try to memorize even if you could. It generates a SHA256-based hash as your password. It generates it and does not store it anywhere. That's really secure. You can see more about it at: Never Type A Password Again![^] My passwords end up looking like:
53859190d943a005823a58af8d717755bf63fbf8fb0eb99733595ae70aa3b2d7
You can read about it in my article here at CP : Destroy All Passwords: Never Memorize A Password Again[^] and the following one: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^]
My book, Launch Your Android App, is available at Amazon.com.