What is the possible logic here?
-
It's a side effect of what they are doing with the keyboard handler, which is removing any ability to hook it. A lot of the common keyloggers (AdvancedKeyLogger, KeyGhost, Absolute Keylogger, Actual Keylogger, Actual Spy, Family Key Logger, GHOST SPY, Haxdoor, MyDoom) all use that method. Losing the ability to cut and paste is unfortunately a side effect of the change, but in some ways it is a blessing. So basically the bank is doing something Microsoft should have done, which is, when you enable a secured connection, cut the feed to all Windows hooks; that would have been the preferred option. You won't be able to restore the function; it's way lower than anything Java can reach. The paste functions will not take input from the normal button Win32 messages if implemented correctly. The hint is you would have to register the message with the class, and for that you need the security key. What you think of as a button isn't a button at all; it's a bitmap that gets drawn on from deep inside the security sections. Think of a rolling counter on a website, or even look at the US debt clock. The screen drawing is totally fictional; the key messages never come outside the application kernel.
In vino veritas
leon de boer wrote:
So basically the bank is doing something Microsoft should have done which is when you enable a secured connection cut the feed to all windows hooks which would have been the preferred option.
I'm curious how you expect MS to be able to accomplish that. Setting aside that there's nothing they could do to affect the situation on people running Linux/MacOS/Android/iOS/BSD/etc, just getting enough visibility into 3rd party browsers to do it Windows-wide would require a cluster-elephant of kernel mode snooping to try to figure out what's going on inside other people's code. Lastly, AFAIK low level user IO hooks are extensively used by accessibility software, which means that to interfere with the crappiest common denominator of malware they'd be throwing everyone with disabilities under the security theater bus.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
Was it to keep the bots from being able to paste IDs and passwords?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
Make sure you complain to them and tell them the reason you just stated here. It's pure ignorance. You have to combat ignorance or it will continue to spread. I have to tell this story: I had an account that was worse than that. Apparently, their site only accepted passwords of 8 characters or less, but THEY DIDN'T TELL YOU! There was no indication on their site whatsoever. So I would change my password (my default was 16 chars), go to log in 5 seconds later, and it said "password invalid". This is not possible because I was pasting my password from Keepass that I JUST SET! Every single time I logged on I would have to call their tech support to reset my password. And every time I reset it, I was locked out again. Their own tech support people couldn't even figure it out. I finally figured it out myself because I noticed after the tenth time that every time I was emailed a temporary password it was exactly 8 characters. I tried dumbing down my password to 8 chars and, lo and behold, it worked! Their application was only recording the first 8 characters of what you put in the web form. Then you paste in the exact same password next time and it would fail if it was longer than 8. I told them about the bug and you know what their response was? [crickets] So I closed my account. Dumb-asses. If they won't listen to reason, then just walk away. Maybe eventually they will get the message.
Your story is a great one -- albeit painful for you as a user -- since you expose the ineptitude of those developers and that site. It exposes what a lot of companies do with passwords that is so terribly wrong. Through my work with writing a password generator (SHA256-based, hashed and strong, that the user never has to remember -- see my articles here at CP) I've noticed that many companies require a password to be quite short though everyone knows the longer it is the better. I had an issue with Yahoo! while attempting to change my password to my strong SHA256-based password hash and it was related to length too. Now 50 million of their accounts have been hacked. Sheesh. The Companies which Allow Extremely Long Passwords Here's an example of my passwords (not a real one, of course)
53859190d943a005823a58af8d717755bf63fbf8fb0eb99733595ae70aa3b2d7
Facebook, LinkedIn, Google, Microsoft, AppleId only allow a max of 32 chars for a password - those simpletons.
My book, Launch Your Android App, is available at Amazon.com.
-
DavidCrow wrote:
Was it to keep the bots from being able to paste IDs and passwords?
Bots can just do SendKeys. It's extremely easy. As a matter of fact, Norton Internet Security has an onscreen keyboard which allows you to type via SendKeys, which is a security safety net in case you have a keylogger and don't know it. SendKeys doesn't generate the keypresses that your keyboard does and keyloggers wouldn't be able to trap your password if you use the Norton onscreen keyboard. I think Kaspersky has this too.
My book, Launch Your Android App, is available at Amazon.com.
-
This is what one of my typical passwords look like:
Quote:
W6/\E\4d8ewUhDO`;*&O
I'm not going to use weak passwords. I'm not going to remember or type my passwords. I never use the same password on multiple sites or services. The only option left is to not use their site or service. By the way, if you don't already have it, get Keepass. It rocks.
-
PeejayAdams wrote:
Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money
Numerous web sites and companies are contributing to the problem by making passwords be limited to a certain length. My app creates passwords you never have to memorize and you probably wouldn't want to try to memorize even if you could. It generates SHA256 based hash as your password. It generates it and does not store it anywhere. That's really secure. You can see more about it at: Never Type A Password Again![^] My passwords end up looking like:
53859190d943a005823a58af8d717755bf63fbf8fb0eb99733595ae70aa3b2d7
You can read about it in my article here at CP : Destroy All Passwords: Never Memorize A Password Again[^] and the following one: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^]
My book, Launch Your Android App, is available at Amazon.com.
-
Obviously, if you want a user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting a password. And this is even more obvious for a confirm password box. If the user mistypes his first password, the confirm box helps ensure that he has entered the same password twice, reducing the chance of an error. Well, in that case, a site should probably disable all copy operations: copy, cut and paste. This is not 100% foolproof as it would fail if the wrong keyboard is selected or if caps lock is active... If it is a pain to type a password twice, then it would be a pain in the future to retype that password whenever you have to. And for discouraging people from selecting insecure passwords, usually there is a minimum length (often 8 characters) and rules like having at least one digit, one character, one uppercase character and a symbol... Thus, in fact, I would say that the problem is that you don't really understand security issues as otherwise you would not complain about having to type a password twice... Well, if you need to fill a form with many fields (like 10 fields or more) and the validation fails (say the site wants phone numbers using the 000-111-2222 format and you used (000) 111-2222 instead, or haven't filled a required field), then having to retype the password begins to be somewhat painful... Although it is possible to make improvements to make the site more user friendly, you don't always want to take much more time to develop a page (or multiple pages) for marginal benefit.
Philippe Mori
-
leon de boer wrote:
It's a side effect of what they are doing with the keyboard handler which is removing any ability to hook it.
That could well be it (and it's nice to know that there might be some kind of reason) but if it's going to compromise security in other ways, it seems like a rather bad idea. This site was one of several that I've registered with in recent times in the same sector (UK turf accountancy/equine futures market) that have really astonished me with the inadequacy of their security systems. The sites belonging to two of the largest high street names bounce between https:// and http:// with gay abandon. One uses a pin number rather than a password. That, I find utterly unbelievable. A couple have the old "password must be between x and y characters long" thing going on. Something that seems increasingly "last century" to me. Thankfully, this one does seem to be getting a bit rarer these days. Every single one that has a "security question" (I guess I'm talking about 20 or so sites here) have the same default question - mother's maiden name: if you can't remember it you can always find it on your birth certificate or some genealogy website or other. Other people can find it, too, of course if they don't happen to know it already, but hey! Nothing's ever quite perfect ...
NEVER put in your mother's maiden name or any other information like that. That totally exposes you and completely defeats any security, as that information is usually public knowledge. This is a perfect example of astonishing incompetence by the site developers. I make up a unique answer for every site. For example, on one site, my mother's maiden name might be "aseej#$i70kKnP++-{F46^". Which was actually amusing when I had to tell my bank that on the phone one day...
-
Nathan Minier wrote:
I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts
I was recently on a gov't web site (related to student loans) which also blocked the paste field. It is so annoying and actually shows that the person who created the thing doesn't understand how password hacks are done. So, again, these sites actually punish you for having a more complex (and longer) password which is very difficult to type. :mad:
My book, Launch Your Android App, is available at Amazon.com.
There is no point in having a Confirm password box if you can copy and paste the main password box... as an error in the first one would be duplicated in the second one. The purpose of the Confirm box is to ensure that you are able to write the same thing twice, which is really a good thing, as if you are not able to do that when you register, then how hard would it be to type the password when you log in the next time?
Philippe Mori
-
Not an answer... but this reminds me of when I once had to book some ferry tickets from an internet café. I happened to notice, that site was super-user-friendly. They had auto complete on the credit card number and the ccv :b.
... such stuff as dreams are made on
-
I encountered that a couple of months ago on a major bank website. The irony was that the PW set fields allowed it, so I dumped a random KeePass-generated PW in and then had to manually enter that bastard when I wanted to log in. Fortunately I figured out pretty fast that Chrome would override that with ctrl-v. I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts rather than something they would actually do, like edited packet replays.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
Well, say that you find a password.txt file on someone else's computer and it has about 10 passwords in it... It is not hard to imagine that some people might be tempted to try to copy and paste those passwords into some site... Thus, there are ways that improve security against computer power users who are not real hackers or not even programmers...
Philippe Mori
-
Absolutely! Agree 100% :)
My book, Launch Your Android App, is available at Amazon.com.
-
But, if you're using a password manager or password generator (like mine) you may not even know your password or be able to type it. Of course, I don't ever type my passwords. I let my phone do that work via Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] :)
My book, Launch Your Android App, is available at Amazon.com.
-
Philippe Mori wrote:
Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password.
It's not about the ability to re-use a password. People who do that (and there are many) probably do it from memory. Paste is required because most of us use password generators these days so we have a nice, thoroughly random 20 character password each time we sign up to something. So having generated a key along the lines of "Rx87Htv01pUWxb2WqkLLp" - to have to type it in twice (on a single screen machine, as it happened) was something of a PITA. To then find out that I'm expected to type it in manually each time I want to log in ...
Philippe Mori wrote:
the problem is that you don't really understand security issues
Well, maybe I don't, but I do know that 8 characters is stupidly short for a password and that people who make up passwords rather than generate them are going to be a whole lot easier to hack than people who use Guids or lengthy random strings. "pa55w0rd" is not a very good password!
-
That does nothing, as said user could simply type those passwords. When you base the linchpin of your AAA mechanism on user carelessness, you are coding to fail. This approach benefits no one, especially those of us who care enough about protecting credentials to use password management systems.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
You'd only need to type it twice if the password editbox is hiding what you are typing, which is hardly useful if you are the only one in the room.
Philippe Mori wrote:
Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password.
Nonsense.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
-
Philippe Mori wrote:
say that you find a password.txt file on someone else computer and it has about 10 passwords in it... It is not hard to imagine that some peoples might be tempted to try to copy and paste those passwords in some site...
Or they may even type them in.
I wanna be a eunuchs developer! Pass me a bread knife!