10 comments

[ 4.0 ms ] story [ 46.0 ms ] thread
No.

This is such a terrible idea I cannot wrap my head around why any one thinks pasting a password is a vulnerability. If someone is on the system and can see the clip board, you are screwed regardless.

The better question I'm interested in: is there any good way to easily disable password-paster-disablers?
In Firefox, you can go to about:config, and set dom.event.clipboardevents.enabled to false.

This will deny the page access to clipboard events, so it shouldn't block the paste.

This is the only sensible reason I've read so far, from a comment in that thread:

"There are behavioral biometrics solutions where profiles are built based on keystroke dynamics etc. which allow with a high degree of certainty to identify if a user that enters the credentials is indeed the user we expect. Credentials are true or false. If somebody has your credentials he is able to authenticate. This is why i would like to know if the person who is entering the correct credentials is indeed the person that we expect to know them. Username and password have to be entered every time during the login process so those fields are pretty interesting to check if such a solution is deployed at the organisation. This is not possible if somebody copy/pastes their password."

Nevertheless, I strongly feel that this is not reason enough to disable paste.

Password managers clears the clipboard after a specified timeout (if the clipboard still contains the password at that point).

For KeePass I think the default timeout is 30 seconds.

The reason for this type of password security theatre is that it maintains the fantasy world of purely human password management:

1. Every password only ever exists inside the brain of the user, or inside the password entry field in the UI of the application at the time of login.

Unfortunately there are additional requirements, which make it impossible for anyone who is not superhuman to satisfy the first requirement:

2. All passwords should be unique across applications (or websites)

3. All passwords are long and random enough that they cannot be guessed by password-cracking software in a reasonable amount of time.

4. There is an ever-growing list of applications and websites that require passwords.