What is the possible logic here?
-
Eddy Vluggen wrote:
I'd love to hear the 'logic' from the devs themselves.
It will almost certainly be some variation of "because our PHB told us we had to". This isn't a feature some dev has decided to add on their own initiative. It's a management-level decision that's been forced on the devs, because it's what other sites in the sector are doing, so therefore it must be the right thing to do. If you ever query it with the customer support drones, you'll be told it's to increase the security of the site, and they'd "lose their certification" if they changed it. :doh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type... The problem is that often you thing you have written right so you won't even bother to read what you have wrote. In my opinion UI like the iPad where one see the password while writing it (last character) make it a bit easier for someone to see your password that to see which letters you type...
Philippe Mori
Philippe Mori wrote:
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type...
Not "always", and there have been versions where you had the option to show or hide the password while typing.
Philippe Mori wrote:
The problem is that often you thing you have written right so you won't even bother to read what you have wrote.
If the password is hidden then checking it for typo's is not possible. That is why the second textbox come to be. Not because we assume that the user makes a typo in each entry; otherwise you'd have the same two textboxes for your accountname :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
-
How a developer who does not use a password manager would have known of such issues. I am a developer and I don't trust much passwords manager so I never used one... (except the one in Windows for network drives) or individual site "remember my password" on some sites. I would never have though that a password manager would have rely on paste... In fact, copy and paste a password has not been allowed in many cases for so long that I haven't tried to copy a password into the confirm box since many years... if I have ever tried it. And obviously, I would have never tried the effect of pasting a password on web site I have developed. It does whatever the browser does by default for password field and I am not even sure of what is the default.
Philippe Mori
The thing is, the default properties of a password field are already handled correctly by the browser...allow paste, but not copy/cut. I can't think of a single reason why pasting should not be allowed for a password field.
Philippe Mori wrote:
I would never have though that a password manager would have rely on paste...
Well, that's the real beauty of it to me. I wrote my own password manager, like I'm sure a lot of others here have done. I haven't had to type a username or password in years for most of the websites being managed. My process goes like this: 0: start the password manager and login 1: click the desired website from a list 2: click a button to copy the username to the clipboard 3: launch the site and paste in username 4: click a button to copy the password to the clipboard 5: paste into the password field and login. Done! I refuse to let any browser remember my login credentials for any website, though they continue to ask. Everything's stored in a password protected sqlce database, which works great since I can share it between multiple computers, and even use it on my laptop when away from the office.
"Go forth into the source" - Neal Morse
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
PeejayAdams wrote:
a dev team making some really, really bad UX decisions?
As a developer who does UX, I can tell you it's simple. We're all fuckers.
Software Zen:
delete this; -
Philippe Mori wrote:
Password are always hidden on Windows. Newer UI usually have a way to show password. Password being visible is only useful as long as you read what you type...
Not "always", and there have been versions where you had the option to show or hide the password while typing.
Philippe Mori wrote:
The problem is that often you thing you have written right so you won't even bother to read what you have wrote.
If the password is hidden then checking it for typo's is not possible. That is why the second textbox come to be. Not because we assume that the user makes a typo in each entry; otherwise you'd have the same two textboxes for your accountname :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
Most site use an email to identify the user so obviously, if you make a mistake, you won't receive the confirmation mail and it would create an orphan account... Obviously, one should do much less typing error on its own name... and he might be able to update it afterward. Even if it is possible to show the password, you would generally have 2 password box anyway. And you often have a confirmation for the email which is always shown.
Philippe Mori
-
Most site use an email to identify the user so obviously, if you make a mistake, you won't receive the confirmation mail and it would create an orphan account... Obviously, one should do much less typing error on its own name... and he might be able to update it afterward. Even if it is possible to show the password, you would generally have 2 password box anyway. And you often have a confirmation for the email which is always shown.
Philippe Mori
Philippe Mori wrote:
Most site use an email to identify the user so obviously, if you make a mistake, you won't receive the confirmation mail and it would create an orphan account...
..this started a bit before the wide-spread use of email.
Philippe Mori wrote:
Obviously, one should do much less typing error on its own name...
You're right, that must have been the reason for the second textbox, silly me. It's not like people can be expected to jot down something important in a single time. So, my bank should ask me to insert amounts twice? And should ask each accountnumber twice? You're making stuff up here.
Philippe Mori wrote:
Even if it is possible to show the password, you would generally have 2 password box anyway.
If you can read the bloody password, then there's no need for a second textbox. It is merely there in case the characters are hidden, which has not always been the default.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^][](X-Clacks-Overhead: GNU Terry Pratchett)
-
Type password wrong, copy, paste the false one... Come back, try to log in using right password. Start :wtf: :wtf: :doh: :doh: :mad::mad: X| X| Not allowing copy paste by the registration... I find it not so bad. Not allowing by loging in... that's one step too much.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
Nelek wrote:
Type password wrong, copy, paste the false one... Come back, try to log in using right password. Start :WTF: :WTF: :doh: :doh: :mad: :mad: X| X|
Click the "Password Reset" or "Forgotten password?" button. Get e-mail with instructions 5 seconds later. No-one loses.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I find it a PITA. Generally, they want two confirmations: Email and password. So I have to type my email in twice - instead of copy'n'paste from my password store. Then I have to do the same with my password. And since I try to use a fresh Guid as my password each time I don't even know (or care) what it is, so typing it is more likely to give a problem than not. And don't even get me started on "what is a valid password" - some insist on upper and lower case, some must have a number, some won't allow special characters, some want 8 letters, some want 10. And they never tell you their arbitrary rules in advance either... :mad:
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
OriginalGriff wrote:
And they never tell you their arbitrary rules in advance either
That's the real pisser. They wait until you've clicked the submit button, then clear half the fields (for "security purposes" obviously).
I wanna be a eunuchs developer! Pass me a bread knife!
-
DavidCrow wrote:
Was it to keep the bots from being able to paste IDs and passwords?
Bots can just do SendKeys. It's extremely easy. As a matter of fact, Norton Internet Security has a onscreen keyboard which allows you to type via SendKeys which is a security safety net in case you have a keylogger and dont know it. SendKeys doesn't generate the keypresses that your keyboard does and keyloggers wouldn't be able to trap your password if you use the Norton onscreen keyboard. I think Kaspersky has this too.
My book, Launch Your Android App, is available at Amazon.com.
Years ago, I made an OSK for precisely that (I was sure that the company had installed keyloggers, but I couldn't install anything or use anything off a disc to find out, so I pretended it was needed within a project). I'll have to see if it still works, in this post-win'95 world. [update] heh. It needs the VB4 runtimes. [update 2] {sigh} now it's all "Error accessing the system registry". I'll have to update the project files, which will probably take longer than it took to write it in the first place.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Years ago, I made an OSK for precisely that (I was sure that the company had installed keyloggers, but I couldn't install anything or use anything off a disc to find out, so I pretended it was needed within a project). I'll have to see if it still works, in this post-win'95 world. [update] heh. It needs the VB4 runtimes. [update 2] {sigh} now it's all "Error accessing the system registry". I'll have to update the project files, which will probably take longer than it took to write it in the first place.
I wanna be a eunuchs developer! Pass me a bread knife!
Mark_Wallace wrote:
Years ago, I made an OSK for precisely that
Very cool that you did that. Especially back in the day (win95). :thumbsup:
My book, Launch Your Android App, is available at Amazon.com.
-
Mark_Wallace wrote:
Years ago, I made an OSK for precisely that
Very cool that you did that. Especially back in the day (win95). :thumbsup:
My book, Launch Your Android App, is available at Amazon.com.
Piece of cake. Just a load of buttons and a sendkeys command based on button number + modifier (Shift only; I didn't need Alt or Ctrl). It took longer to make and line up the buttons than to code.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
It's similar to how they set passwords to expire every 60 days forcing people to write down passwords and stick it on their monitors. Security through wrongly assumed obscurity.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
"I don't use a password manager, so no-one needs one!" Don't tell me you haven't worked with that guy.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
I once made a typo in my password that then allowed me to copy and paste the erred password into the confirm box. I had to beg IT to reset it for me.
Follow my adventures with .NET Core at my new blog, Erisia Information Services.
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
I can tell you what it is: Internal or external security audit has roasted the dev team and they had to make it "more secure" while making it less user friendly at the same time. Happend to us!
-
The point hair who shoved the idea down the developers throats probably assumes the only password manager people would ever use is called passwords.xls (because that's what he uses) and is making the system more secure as a result. To @NathanMinier the ctrl+v loophole you found is probably the developers protesting by slipping something past their PHB knowing he can only copy/paste using the context menu. :rolleyes:
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
Dan Neely wrote:
probably the developers protesting by slipping something past their PHB knowing he can only copy/paste using the context menu
So sad because it is so true.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
This is the conundrum faced when personal responsibility is rejected in favor of having someone else handhold us though processes constantly. Well meaning coders attempt to prevent someone from copying a incorrectly entered password in the first field into the verification field with these sort of measures. Why? To protect us from ourselves! If we were, to stupid to do such a thing then I guess we'd deserve not knowing what we entered for the password and having to reset it later right (at least that is the way I feel about it). I agree, most users a going to fall on either side of that scenario where they might copy the bad password into the verification field. Instead the more novice user will actually type both fields content manually; where as the more advanced user will be working from a password generator or create a complex password, copy it to a safe then to the verification field. It is one of the massive mistakes of our world to think that we can code correct the human flaw. We cannot. We can only provide for a means for them to resolve their error after the fact with a reset. To do anything else only frustrates the bulk of the user base.
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
I would assume it's just about making sure the "confirm password" box does its job. Sometimes the clipboard isn't reliable (think screen sharing tools, this bites me all the time when a coworker and I are both looking at the same customer server). Sometimes you may think you hit ctrl-c but you really didn't for whatever reason, and now your password is whatever was sitting in your clipboard. Since they probably hide the password field you won't know what happened and your first interaction with their site will be the password reset page.
-
PeejayAdams wrote:
Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
They probably wanted to avoid looking 'careless' and went overboard with being 'correct'. Requiring the password to be entered and repeated manually can avoid (a little) trouble by making certain that the user was actually able to type the the password twice without error. Also, as I only rarely register at some sites at all, it might be the perfect method to mske me think again about registering.
The language is JavaScript. that of Mordor, which I will not utter here
This is Javascript. If you put big wheels and a racing stripe on a golf cart, it's still a fucking golf cart.
"I don't know, extraterrestrial?" "You mean like from space?" "No, from Canada." If software development were a circus, we would all be the clowns.It was probably not the idea of someone on the Dev team; more likely the requirement came from the Pointy Haired Boss. ;)
