Bad Ideas In Security: Paste Frustration
-
Does your password manager not offer an option to simulate keystrokes to enter your password, rather than blindly relying on the clipboard? (I have no idea - I don't use a password manager - at least nothing that'll try to type in anything for me out of "convenience")
-
raddevus wrote:
I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous.
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents. And be sure to name the bank by name :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
Eddy Vluggen wrote:
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents.
:thumbsup::thumbsup::thumbsup: I love this idea because I'd love to embarrass them. It would be a helpful lesson for them.
-
raddevus wrote:
But how could the paste functionality EVER be an exposure?
In order to paste, you have to have previously copied your password to the clipboard, and it stays there until cleared. That's a security risk right there. Actually, I've been concerned about copying my password to the clipboard for a while now.
I live in Oregon, and I'm an engineer.
patbob wrote:
and it stays there until cleared
Not if you're using a decent password manager. For example, KeyPass gives you a 30-second countdown, and then clears the clipboard. Although quite how that will work with the new "Cloud Clipboard" feature remains to be seen. :~
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
raddevus wrote:
But how could the paste functionality EVER be an exposure?
In order to paste, you have to have previously copied your password to the clipboard, and it stays there until cleared. That's a security risk right there. Actually, I've been concerned about copying my password to the clipboard for a while now.
I live in Oregon, and I'm an engineer.
patbob wrote:
Actually, I've been concerned about copying my password to the clipboard for a while now.
But to get to the clipboard the malicious software* has to be running something that runs in your user context and that means your computer is already taken over. Also, that is why they could allow just the paste functionality because it would be up to the user then to copy into the clipboard or not. Fear of paste is akin to not allowing the user to turn on the oven because a malicious person may have placed a stick of dynamite in it unbeknownst to the cook. :rolleyes: *Here's an explanation of this principle at stackoverflow (see item marked as answer) -- Is a password in the clipboard vulnerable to attacks? - Information Security Stack Exchange[^]
-
Our large bank recently changed their Android app so you can no longer paste a password. :sigh: This is a MAJOR problem if you're using a password manager. I don't type passwords any more. I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous. Also, you can still paste a password when you login on their web site. I wanted to mention that to them but was afraid they'd stop it there too. May Only Prove That The Bank Devs/ Contractors Are Clueless To me this only exposes the fact that the developers or security contractors or whatever actually have NO CLUE about WHAT SAFE PRACTICES are. They could even remove copy functionality separately and I would be ok with that. But how could the paste functionality EVER be an exposure? They are just so clueless. :| EDIT 09/24/2018 Look what I found from the National Cyber Security Centre: Let them paste passwords - NCSC Site[^] And it provides additional links as to why pasting should be allowed. I tweeted this to the bank site. EDIT 2 09/24/2018 Check out this Wired article and the associated quote: https://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/[^]
Wired:
But accounts aren't broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.
raddevus wrote:
I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous.
To which the customer support drone, who knows nothing of technology or security, presumably replied with the canned "This is for your protection" response?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
raddevus wrote:
I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous.
To which the customer support drone, who knows nothing of technology or security, presumably replied with the canned "This is for your protection" response?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Richard Deeming wrote:
, presumably replied with the canned "This is for your protection" response?
:thumbsup: That is the exact reply I got. We are just trying to protect you. I replied and told them "...thanks for protecting me from Sasquatch, the Loch Ness Monster and Chupacabra too. So far it is only your security that has kept me safe." :laugh: :laugh:
-
Eddy Vluggen wrote:
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents.
:thumbsup::thumbsup::thumbsup: I love this idea because I'd love to embarrass them. It would be a helpful lesson for them.
If you get the paper to publish your letter... :sigh:
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
patbob wrote:
Actually, I've been concerned about copying my password to the clipboard for a while now.
But to get to the clipboard the malicious software* has to be running something that runs in your user context and that means your computer is already taken over. Also, that is why they could allow just the paste functionality because it would be up to the user then to copy into the clipboard or not. Fear of paste is akin to not allowing the user to turn on the oven because a malicious person may have placed a stick of dynamite in it unbeknownst to the cook. :rolleyes: *Here's an explanation of this principle at stackoverflow (see item marked as answer) -- Is a password in the clipboard vulnerable to attacks? - Information Security Stack Exchange[^]
raddevus wrote:
But to get to the clipboard the malicious software* has to be running something that runs in your user context and that means your computer is already taken over.
Or you are running remote desktop in a windows server... Then you can paste what other person has copied :doh: :doh: (And yes... this is true, and I don't know what to do: To cry or to laugh)
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
Richard Deeming wrote:
, presumably replied with the canned "This is for your protection" response?
:thumbsup: That is the exact reply I got. We are just trying to protect you. I replied and told them "...thanks for protecting me from Sasquatch, the Loch Ness Monster and Chupacabra too. So far it is only your security that has kept me safe." :laugh: :laugh:
raddevus wrote:
thanks for protecting me from Sasquatch, the Loch Ness Monster and Chupacabra too. So far it is only your security that has kept me safe." :laugh: :laugh:
My sarcasmometer just blew up LOL :thumbsup::thumbsup::thumbsup: :laugh: :laugh: :laugh:
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
Eddy Vluggen wrote:
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents.
:thumbsup::thumbsup::thumbsup: I love this idea because I'd love to embarrass them. It would be a helpful lesson for them.
-
dandy72 wrote:
Does your password manager not offer an option to simulate keystrokes
Simulating keystrokes is more difficult in an Android app and it is the Android app that they (bank) removed the paste ability from.
I see. As far as I'm concerned...considering the number of Android devices out there that have known exploits that'll never be patched, because OEMs can't be bothered...all banks should block Android altogether. I rarely side with banks, but Android device vendors are downright irresponsible. IMNSHO.
-
Eddy Vluggen wrote:
You better stock up on lawyers then
Exactly why I have not written the article. :sigh: However, did you see the update to my post? I found an article from the National Cyber Security Centre which also has links to Troy Hunt's explanation on why pasting is safe and important and it has a link to a Wired article 2015 which has very interesting info on why pasting should(must) be available in apps.
-
I see. As far as I'm concerned...considering the number of Android devices out there that have known exploits that'll never be patched, because OEMs can't be bothered...all banks should block Android altogether. I rarely side with banks, but Android device vendors are downright irresponsible. IMNSHO.
Ok, I can accept that Android devices are vulnerable. That's fine. But, then, the resolution for the bank is not to disallow pasting...it is to disallow the use of an Android device altogether. In other words, they shouldn't have ever created an Android app in the first place. I would accept that decision more readily than the blocking paste solution. But then that would mean they needed to block the web site from Android Web browsers too. :-D It would be interesting and funny if the bank just came out and said, "Sorry, you can only use our e-banking via Apple devices."
-
Eddy Vluggen wrote:
You better stock up on lawyers then
Exactly why I have not written the article. :sigh: However, did you see the update to my post? I found an article from the National Cyber Security Centre which also has links to Troy Hunt's explanation on why pasting is safe and important and it has a link to a Wired article 2015 which has very interesting info on why pasting should(must) be available in apps.
-
-
lw@zi wrote:
Come to think of it, with Aussies and their compulsive behaviour to shorten up words, you might as well be referred to as Raj.
It's kind of why I said it's likely to be "another Raj". That, and the outsourcing to India. :-)
-
Our large bank recently changed their Android app so you can no longer paste a password. :sigh: This is a MAJOR problem if you're using a password manager. I don't type passwords any more. I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous. Also, you can still paste a password when you login on their web site. I wanted to mention that to them but was afraid they'd stop it there too. May Only Prove That The Bank Devs/ Contractors Are Clueless To me this only exposes the fact that the developers or security contractors or whatever actually have NO CLUE about WHAT SAFE PRACTICES are. They could even remove copy functionality separately and I would be ok with that. But how could the paste functionality EVER be an exposure? They are just so clueless. :| EDIT 09/24/2018 Look what I found from the National Cyber Security Centre: Let them paste passwords - NCSC Site[^] And it provides additional links as to why pasting should be allowed. I tweeted this to the bank site. EDIT 2 09/24/2018 Check out this Wired article and the associated quote: https://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/[^]
Wired:
But accounts aren't broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.
Not being able to past my password or using a password manager will force me to use a password that potentially are unsafe because I need to write them down or they are easy to guess.
-
Eddy Vluggen wrote:
So, if I find the tweet, I'll know the bank by name?
:laugh: :laugh: I hope you find it. :thumbsup: It was a DM (direct message) tweet though so I don't think you can see it in my twitter. Good luck though! :thumbsup:
-
Not being able to past my password or using a password manager will force me to use a password that potentially are unsafe because I need to write them down or they are easy to guess.
-
Ok, I can accept that Android devices are vulnerable. That's fine. But, then, the resolution for the bank is not to disallow pasting...it is to disallow the use of an Android device altogether. In other words, they shouldn't have ever created an Android app in the first place. I would accept that decision more readily than the blocking paste solution. But then that would mean they needed to block the web site from Android Web browsers too. :-D It would be interesting and funny if the bank just came out and said, "Sorry, you can only use our e-banking via Apple devices."
