Ask HN: Disabling paste in password boxes - why is it practiced?
I have the practice of disabling paste functionality into password fields. I don't understand why it is necessary - on the contrary - it discourages use of password managers - especially on mobile devices.
The justification by the app builders is that it "improves security". I dont buy it.
Is there a good reason to disable this functionality? What does it improve since automated hacking programs can always by pass it?
62 comments
[ 353 ms ] story [ 1468 ms ] threadAnnoyingly so Apple has taken to this practice in certain OS password fields, like when you need to enter a password to decrypt a FileVault encrypted disk.
[1]: https://qsapp.com/
Ironically, I switched to TurboTax, but didn't have the same issue because the login is done automatically via my bank login.
Does anyone know of a decent online tax app that doesn't disable the pasting of passwords?
I don't use software that disables paste.
(Also, one example doesn't make something true.)
Neither does "I've never seen it being used".
(For the "type your new password twice to change it" fields there's somewhat of a justification: if someone mistypes their password then pastes it twice, they'll be locked out of their account, the point of the double field is to prevent typing errors, which means it should be typed twice.)
Getting email address wrong is far more important, but far fewer things do the same doubling up on that.
I so hate places that make me write my email address twice and disallow pasting, I'm not retarded and it's my own fault if I can't spell my own name (or in this case, email address), especially if I copy-paste it.
You know what? Why don't we make every field double before someone typoes their address and ships it to the wrong place? That'd be such a bad customer experience!
For things like shipping addresses, some types of errors can be assisted with by something that checks plausibility: does that address make sense and do we know that it exists as a shipping address? If not, confirm with the user that it’s actually what they meant.
Email address errors are often the same: basic validation can catch the most common types of errors. http://www.mailgun.com/email-validation is an example of an API to do just that. I think an ideal system would do something like send the confirmation email and listen for a bounce message, showing a message to the user as soon as such a bounce message pops up. Also, showing the email address on the confirmation page for the user, with the ability to change the address there and try again.
There are many such anti-patterns around like requiring "complex" passwords with upper, lower, special, etc. characters yet do not work with >16 characters. Something that pisses me off to no end is Microsoft not allowing spaces in their passwords for some unknown reason.
If it were up to me I would have one limit to passwords, length. A minimum of 12 characters. Sure you will get some moron using aaaaaaaaaaaa but they are the kind of people who will find a way to use an idiotic password no matter what.
The reality is passwords need to die. We should be encouraging pass-phrases.
1. https://hashcat.net/oclhashcat/
A more practical solution is to simply generate a public/private key pair on registration.
So if the password rule is 8 truly random characters, you should be aiming for 8 words in your pass phrase password. This is an easy rule to remember and to teach people.
The actual explanation for this is a little complex and includes things like the average person's vocabulary, known sentence structure inc. transition words, language itself, and enigma cracking techniques.
The biggest criticism phrase based passwords receive is that people go from an 8 character random password to a three word phrase-based password and then act like they've improved security because it contains more characters.
Phrase based passwords can be secure with a little bit of education, even against the best available crackers.
And i dont even own a really good graphic card.
For a different approach, consider the distributed trust authorities of Apache Milagro (incubating):
http://milagro.incubator.apache.org/
Why shouldn't normal people use password managers?
Email is not designed for secure information transfer, in a lot of cases your password will travel in plain text over the network and passing that way potentially over several servers.
And besides that, if they store your password in plain text a way that can be recovered the original version, if that site gets hacked the other sites where you may be using that password or a trivial modification of it (i.e. if you use a base password+site name) will give them your password. Happened to 38M Adobe users 3 years ago https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-pas...
But I do agree it's rather annoying and not allowing paste is even worse.
I actually trust my copy-and-paste more than me not making a typo because I am human. By not allowing paste, websites are asking me to potentially make mistakes.
Perhaps a better solution is for the browser to have a button on <input type="email"> fields to allow me to select from a list of emails I have. The browser needs to protect this data from being website accessible until I give permission for privacy reasons, but that would have been a way better UX.
It adds to the image that passwords are something special and secret if you cannot use basic functionality.
They quickly replied that their entropy estimation was flawed in handling some characters and that they would fix this. They also said that copy/pasting was disallowed as this password should not be stored in any form. I sent them an email back arguing that this policy forces people to use weaker passwords, to which they replied that this would be taken to their product manager.
Now in 2016 they've updated their implementation which allows pasting passwords, making life easier.
What are the reasons that such inquiries often get stonewalled - is it simple organisational complexity, and the difficulty of actually contacting the right individual?
When there is a clear bug it is fairly easy internally for them, since they just need to confirm the issue and send it to the right people to get it fixed.
With the copy-pasting issue, their reply simply stated that disallowing this feature was intentional policy on their part and that their passwords should not be stored in any way. Changing policy and implementation would require a greater effort on their part, and admittance that a suggested change would improve their service.
I then wrote a longer reply, arguing that following their password recommendation for the ~150 online accounts I had at the time would be infeasible without a password manager, and insisted that I would like a reply which did not refer to existing policy. The response to this was that it would be taken to their product manager.
If the person handling the issue didn't care about the company doing the right thing or their job, or if they were convinced that their policy was correct, or if they believed escalating would certainly not lead to change in policy, the issue may not have been escalated. So the people handling issues must care enough to escalate unresolved issues, or the company policy must force escalation of unresolved issues, and at some point in the chain of escalation some person must believe that following the suggestion would result in an improvement.
Windows will paste plain text unless the text field in question is explicitly identified as rich text.
You could also alt-tab over to your IRC client (IRC because this was state of the art probably about when this practice started) and forget what is in your clipboard and paste+enter quickly.
I don't think this is a _good_ reason to do it, but that was why I thought it was done. I have no idea if that's the real reason it got started though.
My biggest beef is the constant asking "do you want the browser to insecurely save this?" How did that become the default? No wonder people can't remember passwords if they never type them. I use many machines, and multiple browsers per machine and I don't synchronize them, so changing the remember passwords setting is such a chore I usually stick to clicking "remember never".
I don't think I can recall (dozens of years of computing) ever having a password hacked. Privilege escalation is the main threat.
The main reason is the clipboard is plain text and shared with everything. I recently had it last week where my other half was using my laptop. The cat walked over the keyboard and she wondered where this person's name had come from. Turns out it was from me using the clipboard 5 days earlier.
It dawned on me then, the clipboard needs a time limit. It needs to clear after an hour of inactivity, it needs to clear on resume.