What is the possible logic here?
-
Eddy Vluggen wrote:
I'd love to hear the 'logic' from the devs themselves.
It will almost certainly be some variation of "because our PHB told us we had to". This isn't a feature some dev has decided to add on their own initiative. It's a management-level decision that's been forced on the devs, because it's what other sites in the sector are doing, so therefore it must be the right thing to do. If you ever query it with the customer support drones, you'll be told it's to increase the security of the site, and they'd "lose their certification" if they changed it. :doh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
PeejayAdams wrote:
Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money
Numerous web sites and companies are contributing to the problem by making passwords be limited to a certain length. My app creates passwords you never have to memorize and you probably wouldn't want to try to memorize even if you could. It generates SHA256 based hash as your password. It generates it and does not store it anywhere. That's really secure. You can see more about it at: Never Type A Password Again![^] My passwords end up looking like:
53859190d943a005823a58af8d717755bf63fbf8fb0eb99733595ae70aa3b2d7
You can read about it in my article here at CP : Destroy All Passwords: Never Memorize A Password Again[^] and the following one: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^]
My book, Launch Your Android App, is available at Amazon.com.
raddevus wrote:
making passwords be limited to a certain length
Which almost invariably means they're not storing them properly. If they were hashing them, the stored value would always be the same length, so there'd be no need for any meaningful limit on the password length. Even worse are the banks which ask for specific characters from your password. Again, they claim this is to increase your security by preventing key-loggers / shoulder-surfers from getting your whole password. The fact that it means they're storing your password in plain-text, or using reversible encryption, seems to pass them by. :doh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
But, if you're using a password manager or password generator (like mine) you may not even know your password or be able to type it. Of course, I don't ever type my passwords. I let my phone do that work via Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] :)
My book, Launch Your Android App, is available at Amazon.com.
Well, at least it should not be possible to copy or cut a password... Only pasting them might be a good compromise for those who trust passwords managers... That way, you have the main advantage of making harder to users to manually copy one field to another while filling the form (those preventing mistyping to be permanent) while allowing pasting from other sources...
Philippe Mori
-
Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password. And this is even more obvious for a confirm password box. If the user mistype its first password, the confirm box help ensure that he has entered the same password twice reducing the chance of an error. Well, in that case, a site should probably disable all copy operations : copy, cut and paste. This is not 100% full proof as it would fails if wrong keyboard is selected or if caps lock is active... If it is a pain to type a password twice, then it would be a pain in the future to retype that password whenever you have to. And for discouraging people to select insecure password, usually there is a minimal length (often 8 characters) and rules like having at least one digit, one characters, one uppercase character and a symbol... Thus, if fact, I would that the problem is that you don't really understand security issues as otherwise, you would not complain about having to type a password twice... Well, if you need to fill a form with many fields (like 10 fields or more) and the validation fails (say the site want phone numbers using 000-111-2222 format and you used (000) 111-2222 instead, or haven't filled a required field), then having to retype the password then begin to be somewhat painful... Although it is possible to make improvements to make the site more user friendly, you don't always want to take much more time to develop a page (or multiple pages) for marginal benefit.
Philippe Mori
Philippe Mori wrote:
he should not be able to reuse an existing password
Let me guess - are you the guy behind the Password has already been used by another user message? :laugh:
Philippe Mori wrote:
This is not 100% full proof
Neither is it fool-proof. ;P (Clearly the spelling of the word fool-proof is not fool-proof.)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
raddevus wrote:
making passwords be limited to a certain length
Which almost invariably means they're not storing them properly. If they were hashing them, the stored value would always be the same length, so there'd be no need for any meaningful limit on the password length. Even worse are the banks which ask for specific characters from your password. Again, they claim this is to increase your security by preventing key-loggers / shoulder-surfers from getting your whole password. The fact that it means they're storing your password in plain-text, or using reversible encryption, seems to pass them by. :doh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Great post and you are absolutely correct. :thumbsup:
Richard Deeming wrote:
Which almost invariably means they're not storing them properly
It is amazing how uninformed many of the sites and developers are about these issues. It's scary. And, it comes as no surprise when Yahoo! has 50 million accounts hijacked. They're one of the ones who limit password length. Ugh!
My book, Launch Your Android App, is available at Amazon.com.
-
Well, at least it should not be possible to copy or cut a password... Only pasting them might be a good compromise for those who trust passwords managers... That way, you have the main advantage of making harder to users to manually copy one field to another while filling the form (those preventing mistyping to be permanent) while allowing pasting from other sources...
Philippe Mori
Consider also, typing your password on your phone or device. It's quite terrible to have to do it if yo have a long / complex password. I believe apps and sites should allow paste always. Doing otherwise encourages users to use easy-to-type passwords which are most likely weak. :)
My book, Launch Your Android App, is available at Amazon.com.
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
-
IMHO there is no logic for it since as you mentioned, it makes it a real PITA for those of us with password managers. Those developers should be flogged! :)
"Go forth into the source" - Neal Morse
Flogging's too good for 'em, but I like where you're coming from. :)
-
Philippe Mori wrote:
Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password.
It's not about the ability to re-use a password. People who do that (and there are many) probably do it from memory. Paste is required because most of us use password generators these days so we have a nice, thoroughly random 20 character password each time we sign up to something. So having generated a key along the lines of "Rx87Htv01pUWxb2WqkLLp" - to have to type it in twice (on a single screen machine, as it happened) was something of a PITA. To then find out that I'm expected to type it in manually each time I want to log in ...
Philippe Mori wrote:
the problem is that you don't really understand security issues
Well, maybe I don't, but I do know that 8 characters is stupidly short for a password and that people who make up passwords rather than generate them are going to be a whole lot easier to hack than people who use Guids or lengthy random strings. "pa55w0rd" is not a very good password!
For those who trust password managers, then enabling Paste is a good compromise... User is still unable to copy a mistyped password in the first box... When filling a form, often I mistype my password in one box so they mismatch so I really find that the idea is useful...
Philippe Mori
-
You'd only need to type it twice if the password-editbox is hiding what you are typing, which is hardly usefull if you are the only one in the room.
Philippe Mori wrote:
Obviously, if you want user to define a new password for a web site, he should not be able to reuse an existing password, so it really does make sense to prevent pasting password.
Nonsense.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type... The problem is that often you thing you have written right so you won't even bother to read what you have wrote. In my opinion UI like the iPad where one see the password while writing it (last character) make it a bit easier for someone to see your password that to see which letters you type...
Philippe Mori
-
Philippe Mori wrote:
he should not be able to reuse an existing password
Let me guess - are you the guy behind the Password has already been used by another user message? :laugh:
Philippe Mori wrote:
This is not 100% full proof
Neither is it fool-proof. ;P (Clearly the spelling of the word fool-proof is not fool-proof.)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Now I understand why the spelling corrector was not accepting fullproof... English is not my first language so I was thinking "full" like completly proof instead of idiot proof...
Philippe Mori
-
IMHO there is no logic for it since as you mentioned, it makes it a real PITA for those of us with password managers. Those developers should be flogged! :)
"Go forth into the source" - Neal Morse
How a developer who does not use a password manager would have known of such issues. I am a developer and I don't trust much passwords manager so I never used one... (except the one in Windows for network drives) or individual site "remember my password" on some sites. I would never have though that a password manager would have rely on paste... In fact, copy and paste a password has not been allowed in many cases for so long that I haven't tried to copy a password into the confirm box since many years... if I have ever tried it. And obviously, I would have never tried the effect of pasting a password on web site I have developed. It does whatever the browser does by default for password field and I am not even sure of what is the default.
Philippe Mori
-
Eddy Vluggen wrote:
I'd love to hear the 'logic' from the devs themselves.
It will almost certainly be some variation of "because our PHB told us we had to". This isn't a feature some dev has decided to add on their own initiative. It's a management-level decision that's been forced on the devs, because it's what other sites in the sector are doing, so therefore it must be the right thing to do. If you ever query it with the customer support drones, you'll be told it's to increase the security of the site, and they'd "lose their certification" if they changed it. :doh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type... The problem is that often you thing you have written right so you won't even bother to read what you have wrote. In my opinion UI like the iPad where one see the password while writing it (last character) make it a bit easier for someone to see your password that to see which letters you type...
Philippe Mori
Philippe Mori wrote:
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type...
Not "always", and there have been versions where you had the option to show or hide the password while typing.
Philippe Mori wrote:
The problem is that often you thing you have written right so you won't even bother to read what you have wrote.
If the password is hidden then checking it for typo's is not possible. That is why the second textbox come to be. Not because we assume that the user makes a typo in each entry; otherwise you'd have the same two textboxes for your accountname :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
-
How a developer who does not use a password manager would have known of such issues. I am a developer and I don't trust much passwords manager so I never used one... (except the one in Windows for network drives) or individual site "remember my password" on some sites. I would never have though that a password manager would have rely on paste... In fact, copy and paste a password has not been allowed in many cases for so long that I haven't tried to copy a password into the confirm box since many years... if I have ever tried it. And obviously, I would have never tried the effect of pasting a password on web site I have developed. It does whatever the browser does by default for password field and I am not even sure of what is the default.
Philippe Mori
The thing is, the default properties of a password field are already handled correctly by the browser...allow paste, but not copy/cut. I can't think of a single reason why pasting should not be allowed for a password field.
Philippe Mori wrote:
I would never have though that a password manager would have rely on paste...
Well, that's the real beauty of it to me. I wrote my own password manager, like I'm sure a lot of others here have done. I haven't had to type a username or password in years for most of the websites being managed. My process goes like this: 0: start the password manager and login 1: click the desired website from a list 2: click a button to copy the username to the clipboard 3: launch the site and paste in username 4: click a button to copy the password to the clipboard 5: paste into the password field and login. Done! I refuse to let any browser remember my login credentials for any website, though they continue to ask. Everything's stored in a password protected sqlce database, which works great since I can share it between multiple computers, and even use it on my laptop when away from the office.
"Go forth into the source" - Neal Morse
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
PeejayAdams wrote:
a dev team making some really, really bad UX decisions?
As a developer who does UX, I can tell you it's simple. We're all fuckers.
Software Zen:
delete this; -
Philippe Mori wrote:
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type...
Not "always", and there have been versions where you had the option to show or hide the password while typing.
Philippe Mori wrote:
The problem is that often you thing you have written right so you won't even bother to read what you have wrote.
If the password is hidden then checking it for typo's is not possible. That is why the second textbox come to be. Not because we assume that the user makes a typo in each entry; otherwise you'd have the same two textboxes for your accountname :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
Most site use an email to identify the user so obviously, if you make a mistake, you won't receive the confirmation mail and it would create an orphan account... Obviously, one should do much less typing error on its own name... and he might be able to update it afterward. Even if it is possible to show the password, you would generally have 2 password box anyway. And you often have a confirmation for the email which is always shown.
Philippe Mori
-
Most site use an email to identify the user so obviously, if you make a mistake, you won't receive the confirmation mail and it would create an orphan account... Obviously, one should do much less typing error on its own name... and he might be able to update it afterward. Even if it is possible to show the password, you would generally have 2 password box anyway. And you often have a confirmation for the email which is always shown.
Philippe Mori
Philippe Mori wrote:
Most site use an email to identify the user so obviously, if you make a mistake, you won't receive the confirmation mail and it would create an orphan account...
..this started a bit before the wide-spread use of email.
Philippe Mori wrote:
Obviously, one should do much less typing error on its own name...
You're right, that must have been the reason for the second textbox, silly me. It's not like people can be expected to jot down something important in a single time. So, my bank should ask me to insert amounts twice? And should ask each accountnumber twice? You're making stuff up here.
Philippe Mori wrote:
Even if it is possible to show the password, you would generally have 2 password box anyway.
If you can read the bloody password, then there's no need for a second textbox. It is merely there in case the characters are hidden, which has not always been the default.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
-
Type password wrong, copy, paste the false one... Come back, try to log in using right password. Start :wtf: :wtf: :doh: :doh: :mad::mad: X| X| Not allowing copy paste by the registration... I find it not so bad. Not allowing by loging in... that's one step too much.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
Nelek wrote:
Type password wrong, copy, paste the false one... Come back, try to log in using right password. Start :WTF: :WTF: :doh: :doh: :mad: :mad: X| X|
Click the "Password Reset" or "Forgotten password?" button. Get e-mail with instructions 5 seconds later. No-one loses.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I find it a PITA. Generally, they want two confirmations: Email and password. So I have to type my email in twice - instead of copy'n'paste from my password store. Then I have to do the same with my password. And since I try to use a fresh Guid as my password each time I don't even know (or care) what it is, so typing it is more likely to give a problem than not. And don't even get me started on "what is a valid password" - some insist on upper and lower case, some must have a number, some won't allow special characters, some want 8 letters, some want 10. And they never tell you their arbitrary rules in advance either... :mad:
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
OriginalGriff wrote:
And they never tell you their arbitrary rules in advance either
That's the real pisser. They wait until you've clicked the submit button, then clear half the fields (for "security purposes" obviously).
I wanna be a eunuchs developer! Pass me a bread knife!
