What is the possible logic here?

74 Posts 28 Posters 0 Views 1 Watching
In reply to PeejayAdams' original post:

    I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?

Philippe Mori
#25

Obviously, if you want a user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting a password. And this is even more obvious for a confirm password box. If the user mistypes his first password, the confirm box helps ensure that he has entered the same password twice, reducing the chance of an error. Well, in that case, a site should probably disable all clipboard operations: copy, cut and paste. This is not 100% full proof as it would fail if the wrong keyboard is selected or if caps lock is active... If it is a pain to type a password twice, then it would be a pain in the future to retype that password whenever you have to. And for discouraging people from selecting insecure passwords, usually there is a minimal length (often 8 characters) and rules like having at least one digit, one letter, one uppercase character and a symbol... Thus, in fact, I would say that the problem is that you don't really understand security issues, as otherwise you would not complain about having to type a password twice... Well, if you need to fill in a form with many fields (like 10 fields or more) and the validation fails (say the site wants phone numbers in the 000-111-2222 format and you used (000) 111-2222 instead, or haven't filled a required field), then having to retype the password begins to be somewhat painful... Although it is possible to make improvements to make the site more user friendly, you don't always want to take much more time to develop a page (or multiple pages) for marginal benefit.

In reply to PeejayAdams:

      leon de boer wrote:

      It's a side effect of what they are doing with the keyboard handler which is removing any ability to hook it.

      That could well be it (and it's nice to know that there might be some kind of reason) but if it's going to compromise security in other ways, it seems like a rather bad idea. This site was one of several that I've registered with in recent times in the same sector (UK turf accountancy/equine futures market) that have really astonished me with the inadequacy of their security systems. The sites belonging to two of the largest high street names bounce between https:// and http:// with gay abandon. One uses a pin number rather than a password. That, I find utterly unbelievable. A couple have the old "password must be between x and y characters long" thing going on. Something that seems increasingly "last century" to me. Thankfully, this one does seem to be getting a bit rarer these days. Every single one that has a "security question" (I guess I'm talking about 20 or so sites here) have the same default question - mother's maiden name: if you can't remember it you can always find it on your birth certificate or some genealogy website or other. Other people can find it, too, of course if they don't happen to know it already, but hey! Nothing's ever quite perfect ...

Basildane
#26

NEVER put in your mother's maiden name or any other information like that. That totally exposes you and completely defeats any security, as that information is usually public knowledge. This is a perfect example of astonishing incompetence by the site developers. I make up a unique answer for every site. For example, on one site, my mother's maiden name might be "aseej#$i70kKnP++-{F46^". Which was actually amusing when I had to tell my bank that on the phone one day...

In reply to raddevus:

        Nathan Minier wrote:

        I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts

        I was recently on a gov't web site (related to student loans) which also blocked the paste field. It is so annoying and actually shows that the person who created the thing doesn't understand how password hacks are done. So, again, these sites actually punish you for having a more complex (and longer) password which is very difficult to type. :mad:

        My book, Launch Your Android App, is available at Amazon.com.

Philippe Mori
#27

        There is no point to have a Confirm password box if you can copy and paste the main password box... as an error in the first one would be duplicated in the second one. The purpose of the Confirm box is to ensure that you are able to write the same thing twice which is really a good thing as if you are not able to do that when you register, then how hard would it be to type the password when you login the next time?

In reply to PeejayAdams' original post (quoted above):

megaadam
#28

          Not an answer... but this reminds me of when I once had to book some ferry tickets from an internet café. I happened to notice, that site was super-user-friendly. They had auto complete on the credit card number and the ccv :b.

          ... such stuff as dreams are made on

In reply to Nathan Minier:

            I encountered that a couple of months ago on a major bank website. The irony was that the PW set fields allowed it, so I dumped a random KeePass-generated PW in and then had to manually enter that bastard when I wanted to log in. Fortunately I figured out pretty fast that Chrome would override that with ctrl-v. I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts rather than something they would actually do, like edited packet replays.

            "There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli

Philippe Mori
#29

Well, say that you find a password.txt file on someone else's computer and it has about 10 passwords in it... It is not hard to imagine that some people might be tempted to try to copy and paste those passwords into some site... Thus, there are ways of improving security with respect to computer power users who are not real hackers, or not even programmers...

In reply to Basildane:

              This is what one of my typical passwords look like:

              Quote:

              W6/\E\4d8ewUhDO`;*&O

              I'm not going to use weak passwords. I'm not going to remember or type my passwords. I never use the same password on multiple sites or services. The only option left is to not use their site or service. By the way, if you don't already have it, get Keepass. It rocks.

raddevus
#30

              Absolutely! Agree 100% :)

In reply to Philippe Mori (#27):

                Philippe Mori

raddevus
#31

                But, if you're using a password manager or password generator (like mine) you may not even know your password or be able to type it. Of course, I don't ever type my passwords. I let my phone do that work via Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] :)

In reply to Philippe Mori (#29):

                  Philippe Mori

Basildane
#32

                  If you find my passwords file, you won't be able to decrypt it even if you know the password. You would also need the RSA key which is stored on my server away from the keepass database. Good luck!

In reply to Basildane (#26):

ZurdoDev
#33

                    Basildane wrote:

                    incompetence by the site developers.

                    I doubt it is the developers making these decisions. :^)

                    There are only 10 types of people in the world, those who understand binary and those who don't.

In reply to Philippe Mori (#25):

                      Philippe Mori

PeejayAdams
#34

                      Philippe Mori wrote:

                      Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password.

                      It's not about the ability to re-use a password. People who do that (and there are many) probably do it from memory. Paste is required because most of us use password generators these days so we have a nice, thoroughly random 20 character password each time we sign up to something. So having generated a key along the lines of "Rx87Htv01pUWxb2WqkLLp" - to have to type it in twice (on a single screen machine, as it happened) was something of a PITA. To then find out that I'm expected to type it in manually each time I want to log in ...

                      Philippe Mori wrote:

                      the problem is that you don't really understand security issues

                      Well, maybe I don't, but I do know that 8 characters is stupidly short for a password and that people who make up passwords rather than generate them are going to be a whole lot easier to hack than people who use Guids or lengthy random strings. "pa55w0rd" is not a very good password!

In reply to Philippe Mori (#29):

                        Philippe Mori

Nathan Minier
#35

                        That does nothing, as said user could simply type those passwords. When you base the linchpin of your AAA mechanism on user carelessness, you are coding to fail. This approach benefits no one, especially those of us who care enough about protecting credentials to use password management systems.

In reply to Philippe Mori (#25):

                          Philippe Mori

Lost User
#36

You'd only need to type it twice if the password editbox is hiding what you are typing, which is hardly useful if you are the only one in the room.

                          Philippe Mori wrote:

                          Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password.

                          Nonsense.

                          Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)

In reply to Philippe Mori (#29):

                            Philippe Mori

Mark_Wallace
#37

                            Philippe Mori wrote:

                            say that you find a password.txt file on someone else computer and it has about 10 passwords in it... It is not hard to imagine that some peoples might be tempted to try to copy and paste those passwords in some site...

                            Or they may even type them in.

                            I wanna be a eunuchs developer! Pass me a bread knife!

In reply to Lost User:

                              I'd love to hear the 'logic' from the devs themselves. Hand them a shovel before they start the explanation. And some dynamite.

                              Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)

Richard Deeming
#38

                              Eddy Vluggen wrote:

                              I'd love to hear the 'logic' from the devs themselves.

                              It will almost certainly be some variation of "because our PHB told us we had to". This isn't a feature some dev has decided to add on their own initiative. It's a management-level decision that's been forced on the devs, because it's what other sites in the sector are doing, so therefore it must be the right thing to do. If you ever query it with the customer support drones, you'll be told it's to increase the security of the site, and they'd "lose their certification" if they changed it. :doh:


                              "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

In reply to raddevus:

                                PeejayAdams wrote:

                                Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money

Numerous web sites and companies are contributing to the problem by making passwords be limited to a certain length. My app creates passwords you never have to memorize and you probably wouldn't want to try to memorize even if you could. It generates a SHA256-based hash as your password. It generates it and does not store it anywhere. That's really secure. You can see more about it at: Never Type A Password Again![^] My passwords end up looking like:

                                53859190d943a005823a58af8d717755bf63fbf8fb0eb99733595ae70aa3b2d7

                                You can read about it in my article here at CP : Destroy All Passwords: Never Memorize A Password Again[^] and the following one: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^]

                                My book, Launch Your Android App, is available at Amazon.com.

Richard Deeming
#39

                                raddevus wrote:

                                making passwords be limited to a certain length

                                Which almost invariably means they're not storing them properly. If they were hashing them, the stored value would always be the same length, so there'd be no need for any meaningful limit on the password length. Even worse are the banks which ask for specific characters from your password. Again, they claim this is to increase your security by preventing key-loggers / shoulder-surfers from getting your whole password. The fact that it means they're storing your password in plain-text, or using reversible encryption, seems to pass them by. :doh:


In reply to raddevus (#31):

                                  My book, Launch Your Android App, is available at Amazon.com.

Philippe Mori
#40

Well, at least it should not be possible to copy or cut a password... Allowing only pasting might be a good compromise for those who trust password managers... That way, you have the main advantage of making it harder for users to manually copy one field to another while filling in the form (thus preventing a mistyping from becoming permanent) while allowing pasting from other sources...

In reply to Philippe Mori (#25):

                                    Philippe Mori

Richard Deeming
#41

                                    Philippe Mori wrote:

                                    he should not be able to reuse an existing password

                                    Let me guess - are you the guy behind the Password has already been used by another user message? :laugh:

                                    Philippe Mori wrote:

                                    This is not 100% full proof

                                    Neither is it fool-proof. ;P (Clearly the spelling of the word fool-proof is not fool-proof.)


In reply to Richard Deeming (#39):

raddevus
#42

                                      Great post and you are absolutely correct. :thumbsup:

                                      Richard Deeming wrote:

                                      Which almost invariably means they're not storing them properly

                                      It is amazing how uninformed many of the sites and developers are about these issues. It's scary. And, it comes as no surprise when Yahoo! has 50 million accounts hijacked. They're one of the ones who limit password length. Ugh!

In reply to Philippe Mori (#40):

                                        Philippe Mori

raddevus
#43

Consider also typing your password on your phone or device. It's quite terrible to have to do it if you have a long / complex password. I believe apps and sites should allow paste always. Doing otherwise encourages users to use easy-to-type passwords which are most likely weak. :)

In reply to PeejayAdams' original post (quoted above):

kmoorevs
#44

                                          IMHO there is no logic for it since as you mentioned, it makes it a real PITA for those of us with password managers. Those developers should be flogged! :)

                                          "Go forth into the source" - Neal Morse
