Bad Ideas In Security: Paste Frustration
-
Our large bank recently changed their Android app so you can no longer paste a password. :sigh: This is a MAJOR problem if you're using a password manager. I don't type passwords any more. I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous. Also, you can still paste a password when you login on their web site. I wanted to mention that to them but was afraid they'd stop it there too.

May Only Prove That The Bank Devs/Contractors Are Clueless

To me this only exposes the fact that the developers or security contractors or whatever actually have NO CLUE about WHAT SAFE PRACTICES are. They could even remove copy functionality separately and I would be ok with that. But how could the paste functionality EVER be an exposure? They are just so clueless. :|

EDIT 09/24/2018: Look what I found from the National Cyber Security Centre: Let them paste passwords - NCSC Site[^] And it provides additional links as to why pasting should be allowed. I tweeted this to the bank site.

EDIT 2 09/24/2018: Check out this Wired article and the associated quote: https://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/[^]
Wired:
But accounts aren't broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.
-
A large bank will have a dedicated team of security idiots people who will listen to the latest gossip, read what is shoved under their nose and get the developers to implement the policies they think up. If there is nothing to change they will think up something to do; a team has to justify its existence. You cannot blame the developers for such idiocy, they may even have protested the change.
Never underestimate the power of human stupidity RAH
-
Mycroft Holmes wrote:
security idiots people who will listen to the latest gossip, read what is shoved under their nose and get the developers to implement the policies they think up. If there is nothing to change they will think up something to do; a team has to justify its existence.
:thumbsup: That's a great explanation and exactly what I thought.
Mycroft Holmes wrote:
You cannot blame the developers for such idiocy,
:thumbsup: Very good point and I guess I was really thinking of the security team...not the devs. Overall it is just craziness. Making things unusable so the security team can feel like they're doing something important.
-
I know of a certain national bank that only allows letters and numbers. No punctuation or special characters. I swear they actually WANT their customers to have their accounts ripped off.
Asking questions is a skill CodeProject Forum Guidelines Google: C# How to debug code Seriously, go read these articles.
Dave Kreskowiak
-
As much as I denigrate them for some of their blunders I would not have their job for quids. Trying to keep in front of the bastards attempting to hack the banks must be a nightmare.
Never underestimate the power of human stupidity RAH
-
Dave Kreskowiak wrote:
I swear they actually WANT their customers to have their accounts ripped off.
It really does feel that way in some of these cases, because the logic they use is so bad. I also know that many only allow your password to be 16 chars in length (or shorter) even though password length is the one thing that actually strengthens passwords. It's crazy.
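As an added illustration (not code from the thread, and not any bank's code), the following JavaScript models the alphanumeric-only, 16-character rule described in this and the previous reply beside a policy in the spirit of the NCSC advice linked in the original post, and computes the best-case entropy each one permits; the policy values and sample passwords are constructed.

```javascript
// Added example, not code from the thread or from any bank. It models the
// password rules complained about above (letters and digits only, at most 16
// characters) beside a policy in the spirit of the NCSC advice the thread
// links (any character, long passwords, paste allowed), and computes the
// best-case entropy each rule set permits. All values are constructed.
const ALNUM_ONLY = /^[A-Za-z0-9]*$/;

// Policy the thread describes: alphanumeric only, capped at 16 characters.
const capped16 = {
  name: 'letters and digits, max 16',
  minLength: 8,
  maxLength: 16,
  alphabetSize: 62,                    // 26 + 26 + 10
  allowed: (pw) => ALNUM_ONLY.test(pw),
};

// Policy that lets a password manager do its job: any printable character,
// a generous upper bound, and no client-side paste blocking needed.
const permissive = {
  name: 'any printable character, max 64',
  minLength: 12,
  maxLength: 64,
  alphabetSize: 95,                    // printable ASCII; larger with Unicode
  allowed: () => true,
};

// Server-side check; nothing here requires the client to block paste.
function validate(policy, pw) {
  if (pw.length < policy.minLength) return { ok: false, reason: 'too short' };
  if (pw.length > policy.maxLength) return { ok: false, reason: 'too long' };
  if (!policy.allowed(pw)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, reason: null };
}

// Upper bound on the entropy (bits) a policy allows a random password to
// have: log2(alphabetSize ^ maxLength).
function maxEntropyBits(policy) {
  return policy.maxLength * Math.log2(policy.alphabetSize);
}

// A constructed 20-character manager-generated password with symbols, the
// kind a user would paste from a password manager.
const MANAGER_PASSWORD = 'v7#Qx!2pL$mZ9&wR4@tK';

// Summarise what each policy does to the manager-generated password and how
// much entropy it can ever permit.
function comparePolicies(pw) {
  return [capped16, permissive].map((policy) => {
    const result = validate(policy, pw);
    return {
      policy: policy.name,
      accepted: result.ok,
      reason: result.reason,
      maxBits: Math.round(maxEntropyBits(policy)),
    };
  });
}

// Stand-alone run: the capped policy rejects the generated password outright,
// and tops out at roughly 95 bits against about 420 for the permissive one.
console.log(comparePolicies(MANAGER_PASSWORD));
```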
-
Mycroft Holmes wrote:
Trying to keep in front of the bastards attempting to hack the banks must be a nightmare.
Yeah, I can agree with that. But, it seems like they'd focus on creating the smallest exposed footprint and work on that instead of things like the paste feature. I can't actually imagine the security people explaining how the paste feature could be dangerous.

Security guy: So, yes, we must remove the user's ability to paste into the pwd field because it is extremely dangerous. It's a huge security hole.
Bank's IT Manager: Can you give me 2 examples of how pasting into that field would be dangerous?
Security guy: Well, they could paste special extended characters, maybe?
Bank IT Manager: Shouldn't the back-end handle that?
Security guy: Well, they could paste um...errrr...well, pasting is just bad, that's all. And why would any legitimate user want to paste? I think only crackers paste. :|
-
I completely understand your frustration. I also hate websites (mostly banks) that disable pasting on their websites and just for gigs, they'll need me to type certain things like account numbers, BSB code, etc. twice. I use Don't Fuck With Paste[^] extension on Chrome and tell them straight off. I'll copy, paste, cut, do whatever the hell I want on my computer. I will treat any entity that assumes an intellectual high-ground (while knowing next to nothing about security in reality) with great disdain, and will override their "security rules" with extreme prejudice. I'd have rambled on a bit more if this was the soapbox, but the kid sister is watching so I'll go play merry-go-round instead. :|
-
Rajesh R Subramanian wrote:
I will treat any entity that assumes an intellectual high-ground (while knowing next to nothing about security in reality) with great disdain, and will override their "security rules" with extreme prejudice.
I think disabling paste in password boxes is a great idea when it comes to securing customers, their data and money. Please tell me what you think of me now (give your best shot!). :) BTW, thanks for that extension.
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti[^]
-
I did ramble on a bit a few days ago about the "security" built into a *(%@_# movie ticket booking website here. Passwords must be > 93 characters long and must not contain your grandma's maiden name[^]. You did ask me to do it. Therefore folks, do direct all hate towards lw@zi for me posting a soapbox link here. :)
-
I know some that only use a PIN :doh:
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
Does your password manager not offer an option to simulate keystrokes to enter your password, rather than blindly relying on the clipboard? (I have no idea - I don't use a password manager - at least nothing that'll try to type in anything for me out of "convenience")
-
raddevus wrote:
I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous.
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents. And be sure to name the bank by name :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
raddevus wrote:
But how could the paste functionality EVER be an exposure?
In order to paste, you have to have previously copied your password to the clipboard, and it stays there until cleared. That's a security risk right there. Actually, I've been concerned about copying my password to the clipboard for a while now.
I live in Oregon, and I'm an engineer.
-
Eddy Vluggen wrote:
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents.
:thumbsup::thumbsup::thumbsup: I love this idea because I'd love to embarrass them. It would be a helpful lesson for them.
-
patbob wrote:
and it stays there until cleared
Not if you're using a decent password manager. For example, KeePass gives you a 30-second countdown, and then clears the clipboard. Although quite how that will work with the new "Cloud Clipboard" feature remains to be seen. :~
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer