What is the possible logic here?
-
Years ago, I made an OSK for precisely that (I was sure that the company had installed keyloggers, but I couldn't install anything or use anything off a disc to find out, so I pretended it was needed within a project). I'll have to see if it still works, in this post-win'95 world. [update] heh. It needs the VB4 runtimes. [update 2] {sigh} now it's all "Error accessing the system registry". I'll have to update the project files, which will probably take longer than it took to write it in the first place.
I wanna be a eunuchs developer! Pass me a bread knife!
Mark_Wallace wrote:
Years ago, I made an OSK for precisely that
Very cool that you did that. Especially back in the day (win95). :thumbsup:
My book, Launch Your Android App, is available at Amazon.com.
-
Piece of cake. Just a load of buttons and a sendkeys command based on button number + modifier (Shift only; I didn't need Alt or Ctrl). It took longer to make and line up the buttons than to code.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I was signing up to a website yesterday only to find that they had disabled pasting into the password and confirm password fields. Not only that, but having completed the painful process of registering (they had also disabled auto-complete) I found that they also don't allow pasting into the username/password boxes at login time. Personally I fail to see how any of this achieves anything beyond: 1) Making their website a complete pain in the bottom. 2) Encouraging people to use short and memorable passwords - which is surely not a good idea on a site that handles money. Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
It's similar to how they set passwords to expire every 60 days forcing people to write down passwords and stick it on their monitors. Security through wrongly assumed obscurity.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
"I don't use a password manager, so no-one needs one!" Don't tell me you haven't worked with that guy.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I once made a typo in my password that then allowed me to copy and paste the erred password into the confirm box. I had to beg IT to reset it for me.
Follow my adventures with .NET Core at my new blog, Erisia Information Services.
-
I can tell you what it is: Internal or external security audit has roasted the dev team and they had to make it "more secure" while making it less user friendly at the same time. Happened to us!
-
The pointy hair who shoved the idea down the developers' throats probably assumes the only password manager people would ever use is called passwords.xls (because that's what he uses) and is making the system more secure as a result. To @NathanMinier the ctrl+v loophole you found is probably the developers protesting by slipping something past their PHB knowing he can only copy/paste using the context menu. :rolleyes:
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
Dan Neely wrote:
probably the developers protesting by slipping something past their PHB knowing he can only copy/paste using the context menu
So sad because it is so true.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
This is the conundrum faced when personal responsibility is rejected in favor of having someone else handhold us through processes constantly. Well-meaning coders attempt to prevent someone from copying an incorrectly entered password in the first field into the verification field with these sorts of measures. Why? To protect us from ourselves! If we were too stupid to do such a thing then I guess we'd deserve not knowing what we entered for the password and having to reset it later, right (at least that is the way I feel about it). I agree, most users are going to fall on either side of that scenario where they might copy the bad password into the verification field. Instead the more novice user will actually type both fields' content manually; whereas the more advanced user will be working from a password generator or create a complex password, copy it to a safe then to the verification field. It is one of the massive mistakes of our world to think that we can code correct the human flaw. We cannot. We can only provide for a means for them to resolve their error after the fact with a reset. To do anything else only frustrates the bulk of the user base.
-
I would assume it's just about making sure the "confirm password" box does its job. Sometimes the clipboard isn't reliable (think screen sharing tools, this bites me all the time when a coworker and I are both looking at the same customer server). Sometimes you may think you hit ctrl-c but you really didn't for whatever reason, and now your password is whatever was sitting in your clipboard. Since they probably hide the password field you won't know what happened and your first interaction with their site will be the password reset page.
-
PeejayAdams wrote:
Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
They probably wanted to avoid looking 'careless' and went overboard with being 'correct'. Requiring the password to be entered and repeated manually can avoid (a little) trouble by making certain that the user was actually able to type the password twice without error. Also, as I only rarely register at some sites at all, it might be the perfect method to make me think again about registering.
The language is JavaScript. that of Mordor, which I will not utter here
This is Javascript. If you put big wheels and a racing stripe on a golf cart, it's still a fucking golf cart.
"I don't know, extraterrestrial?" "You mean like from space?" "No, from Canada." If software development were a circus, we would all be the clowns.
-
It was probably not the idea of someone on the Dev team; more likely the requirement came from the Pointy Haired Boss. ;)
-
Try double clicking a word on this page. In both Chrome and Edge when you double click to highlight a word you also get an extra space. So there is a very good chance that if you are copying and pasting a password you will end up with an extra space on the end that you did not intend to be there. And all the people who say hackers don't use the front-end are very narrow-minded about what hackers do and how. Check out this story about how someone used Selenium in a hack of Amazon that got the perpetrator millions of dollars. Redirect Notice
-
Make sure you complain to them and tell them the reason you just stated here. It's pure ignorance. You have to combat ignorance or it will continue to spread. I have to tell this story: I had an account that was worse than that. Apparently, their site only accepted passwords of 8 characters or less, but THEY DIDN'T TELL YOU! There was no indication on their site whatsoever. So I would change my password (my default was 16 chars), go to log in 5 seconds later, and it said "password invalid". This is not possible because I was pasting my password from Keepass that I JUST SET! Every single time I logged on I would have to call their tech support to reset my password. And every time I reset it, I was locked out again. Their own tech support people couldn't even figure it out. I finally figured it out myself because I noticed after the tenth time that every time I was emailed a temporary password it was exactly 8 characters. I tried dumbing down my password to 8 chars and lo and behold it worked! Their application was only recording the first 8 characters of what you put in the web form. Then you paste in the exact same password next time and it would fail if it was longer than 8. I told them about the bug and you know what their response was? [crickets] So I closed my account. Dumb-asses. If they won't listen to reason, then just walk away. Maybe eventually they will get the message.
I also faced a problem with a site which limited passwords to 8 characters, but pasting my original longer password didn't fail, it probably truncated that one too to 8 characters before doing the comparison. I faced a problem when I had to change my password and the first 8 characters were the same but the ending was different, it was returning me an error saying that my new password had to be different than the old one.
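The two truncation behaviours described in the posts above, reproduced as an added example (not code from any poster or from the sites they mention). The `Site` class, the PBKDF2 hashing and the sample passwords are constructed assumptions; only the 8-character limit comes from the thread.

```python
import hashlib
import hmac
import os

LIMIT = 8            # silent storage limit reported in the posts above
MAX_ACCEPTED = 128   # assumed upper bound that is enforced with a visible error


def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real sites used (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class Site:
    """Constructed model: flags select where input is silently cut to LIMIT."""

    def __init__(self, truncate_store: bool, truncate_login: bool):
        self.truncate_store = truncate_store
        self.truncate_login = truncate_login
        self.salt = os.urandom(16)
        self.digest = None

    def set_password(self, new: str) -> str:
        if len(new) > MAX_ACCEPTED:
            return "rejected: longer than 128 characters"  # explicit, never silent
        kept = new[:LIMIT] if self.truncate_store else new
        candidate = kdf(kept, self.salt)
        if self.digest is not None and hmac.compare_digest(candidate, self.digest):
            return "rejected: same as old password"
        self.digest = candidate
        return "ok"

    def login(self, attempt: str) -> bool:
        kept = attempt[:LIMIT] if self.truncate_login else attempt
        return self.digest is not None and hmac.compare_digest(
            kdf(kept, self.salt), self.digest)


def run_cases() -> dict:
    # Constructed passwords that differ only after the first 8 characters.
    old, new = "Tr0ub4dor&3-alpha", "Tr0ub4dor&3-bravo"
    variants = {"store_only": (True, False),  # first post: lockout after every change
                "both": (True, True),         # second post: "must differ" error
                "fixed": (False, False)}      # same rule on every path, full input hashed
    out = {}
    for name, flags in variants.items():
        site = Site(*flags)
        site.set_password(old)
        out[name] = {"full_login": site.login(old),
                     "first8_login": site.login(old[:LIMIT]),
                     "change": site.set_password(new)}
    return out
```

In both truncating variants the first 8 characters alone authenticate, so a 16-character password gives no more protection than its prefix; the `fixed` variant applies one length rule on every path and hashes the full input.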
-
There is no point to have a Confirm password box if you can copy and paste the main password box... as an error in the first one would be duplicated in the second one. The purpose of the Confirm box is to ensure that you are able to write the same thing twice which is really a good thing as if you are not able to do that when you register, then how hard would it be to type the password when you login the next time?
Philippe Mori
Your logic (and in fact the whole way you go about thinking about these things) is flawed. The purpose of a confirmation box is to help assure that the user's action matches their intent. For users who enter passwords manually (which is the vast majority), the confirmation box achieves its purpose, regardless of whether paste is enabled. For users who enter via copy/paste, the confirmation box serves little purpose, but disabling paste increases user error for no good reason. The only thing that actually makes sense is to disable copying of the password box, so that any pasting would have to come from some other source, as a password manager. You have two basic errors here: 1) instead of analyzing cases for whether confirmation boxes are useful when paste is allowed, you identify a case in which it isn't and then wildly generalize, saying that they aren't helpful at all. 2) Rather than considering what the purpose of a confirmation box is, you only attend to its effect -- forcing people to type something twice -- and note that allowing paste potentially removes that effect ... quite overlooking the fact that, for passwords copied from another source such as a password manager, the confirmation box isn't necessary for its intended purpose (and disabling paste even acts against that purpose).
-
Well, say that you find a password.txt file on someone else's computer and it has about 10 passwords in it... It is not hard to imagine that some people might be tempted to try to copy and paste those passwords in some site... Thus, there are ways that improve security for computer power users that are not real hackers or not even programmers...
Philippe Mori
That's utterly absurd.
-
Disabling pasting just increases user error for those users copying from a password generator. What does make sense is to disable copying of the password field, so that people manually entering passwords can't just enter it, copy it, and then paste it. Those copying from another source such as a password generator can just paste twice, with little inconvenience.