33 comments

[ 4.9 ms ] story [ 78.3 ms ] thread
This all seems rather bonkers. But 1Password isn't exactly the impartial "they've spent more time thinking about this so they must get it right" party. Their entire product and way of thinking depends on being able to auto-enter passwords. Anything that interferes with that, regardless of whether it works or not, is going to get a thumbs-down from them.

As for pasting into the second password field on change-password, maybe they don't want people copying out of the original field and pasting into the second? I'd get that, and the organization-wide costs of password recovery are probably very significant for a company like PayPal. . . . But don't all browsers already disable copying out of password fields?

This is the silliest kind of arms race. Users try to keep ahead of security nonsense, and self-styled security gurus keep on trying to stop them.

> But 1Password isn't exactly impartial ... their entire product and way of thinking depends on being able to auto-enter passwords.

You're not just talking about a product, 1Password, you're talking about the whole class of password managers - 1Password, KeePass, lastpass etc. http://lifehacker.com/5944969/which-password-manager-is-the-...

There are many and they all do this. Many of them also offer "auto-type" i.e. simulated keystrokes, as an alternative to paste. It works even when paste is disabled.

On the whole, using a password manager is a very good thing: http://anthonysteele.co.uk/nobody-knows-anything-about-passw... http://www.troyhunt.com/2011/03/only-secure-password-is-one-...

He wasn't asking 1Password if it's a good idea, he was asking them why developers disable pasting. It's precisely because their livelihoods depend on being able to auto-enter passwords, that they're likely to know the answer.
I hope everybody who thinks it's a good idea to "forbid" pasting in password fields at least uses the same trick (onpaste="return false" or something similar) so that I can remove that attribute from the HTML before pasting my password like the insubordinate fool I am. :P

Blizzard does the same as Paypal, I noticed: not allowing pasting of passwords when changing passwords, but you can paste it when logging in. Thankfully, I noticed yesterday, Starcraft II allows me to paste the password in-game! That was a nice surprise. Looks like they've given their policy some thought, at least.

The only reason I can think of is perhaps reducing the risk of people not knowing their password when accidentally pasting the wrong thing in the password fields. It's possible that your clipboard contains something else since you copied your password. Which is understandable, but it seems to me like they're replacing one problem with another whereby everybody gets to deal with the new one, whereas the old problem could be circumvented with a password-forgotten function that everybody has anyway.

Yeah, not a big fan of this practice all in all.

Isn't it done to prevent some sort of exploit? Though I can't quite imaging what - selecting and copying (scraping) would be far more dangerous. The original exploit was of that type - a paper system console was replaced by a CRT, and some clever person sent a log message that did cursor-control, select and copy, and sent that back to themselves thus copying the sysadmin's login credential.
There's a _ton_ of issues with account stealing for Blizzard (selling WoW gold is profitable business, and stealing it from players is easier than farming it), so their password recovery process can be a bit... cumbersome.
> It's possible that your clipboard contains something else since you copied your password.

Give me the option to view the password I've just entered, then, instead of obfuscating everything beyond comprehension. If I have to type my secure password, there's a good chance I'll introduce a typo anyway.

Disabling paste makes sense when setting your password.

If presented with two input fields for password & confirm your password, the lazy among us will type the desired new password in the first input box, then copy the contents and paste into the second... if you type it incorrectly in the first box you then have to reset it before you can log in again.

Browsers disable copy on password fields.
hah, I was in firefox at the time and checked that I can copy and paste between password fields, it appeared to work.

I didn't look at what had been inserted into the clipboard though, it was just the asterisk characters visually displayed in the password field.

For throw away accounts I paste my password on the browser URL field and drag to the password input. So hardcore.
I hope you're not doing this in a browser like, for example, Chrome, where it sends everything you type into the address bar to Google.
There's an extra reason why pasting might be disabled on password creation fields: to prevent typos. If I mistype my password in the first box and then copy-paste it into the second, the text will match and my account gets given the mistyped password. You'll then never be able to log in.

If you force the user to type the password in twice, typos will be spotted immediately and can be fixed.

None of this affects password lockers like LastPass since they can autofill these forms in despite the HTML.

The thing is, you can't copy FROM a password field. So you need to type it somewhere else first, and it will probably be readable there.
Wooosh! Time to re-read your "HTML for Dummies book"
I just came here to say the same thing. I remember, way back when, that this felt like the most natural thing in the world: type my password once, and then copy and paste what I just wrote to save myself the effort of typing it again. I eventually figured out why that was a bad idea (possibly after hitting a site or two that blocked copy/paste just like this).

I think it can create problems for some password managers, too: there are at least a few options out there that aren't based on browser extensions at all, so copy/paste is the expected interface.

What actually happens is you don't get locked out. You merely have to reset your password via email.

(Of course there is serious business that won't let you reset a password via email, but you can reset it... the process is simply more involved.)

Why would you ever type in a password when setting up an account? If you've generated a password, you can cut and paste that. Anything "random" you type is likely to be biased.

Why would you ever type in a password when setting up an account?

The overwhelming majority of users do, I'll bet.

The possibility that this completely ignores is pasting the password twice. The best passwords are randomly generated, lots of what looks like line noise, and very long. Computers are very good at making these passwords, so much so that programs exist solely for the purpose. Some password managers even have them built in. So, you want to create a new account (or change a password), what do you do? Randomly generate, then cut and paste twice (three times, if your password manager is not the same as your password generator). Disabling cut and paste kills this process, leading to the possibility of typos or weak passwords, thereby decreasing security. And, NB, not all password managers can autofill despite the HTML, and quite frankly, they shouldn't have to work around this misfeature masquerading as security.
I imagine that some of the examples are just left over from when browsers were allowing reading from the clipboard from js. In which case having a password in your clipboard was a huge security vulnerability.

Even if the issue has been resolved, few companies seem to be in a hurry to remove parts of their security policy.

I'm told not to use easy to guess passwords, so I generate them randomly with Apple's Keychain. I can't possibly remember a random password, so I store them in a text file which I diligently encrypt with a strong master password I remember. Now, if you don't let me paste my passwords I don't have any means to sign in, other than typing a long string of numbers, letters and symbols or picking a simple, non secure password. This practice punishes security conscious users and benefits no one. Please stop doing that.
This bit me in the ass the other day when trying to change my PayPal password (because, you know, the company that owns them can't be trusted to securely manage my password in the first place). So not only could the 32-byte hexadecimal password I'd generated not be used at all, I had to manually type out the first 20 characters of it. Twice. The punchline was that PayPal rates the password as "fair" whilst hindering the best method of making it more secure.
Two things. 1) Change password screens want you to enter the new password twice so that a typo doesn't end up in your password and prevent your own access in the future. If you copy/paste you will be copying any typo and circumventing this mild protection. 2) The whole time I kept thinking this forces people to type their password which makes it an easy target for key loggers - which are AFAICT designed to snif user credentials.
You cannot copy a mistyped password, because password fields by default forbid copying.
If I can't paste directly, I'll paste it elsewhere (except URL address bars). And I must ensure that I did not copy password right before I open a flash.
Some of these policies (like not allowing paste into change-password fields) I can understand conceptually; for example, you don't want someone to mistype their password, paste it twice, and then not be able to get in again later. This example works around problems that most people have, and really screws over people who use secure passwords and password managers.

It's that old pattern of trying to be 'clever' to work around a problem, which in turn screws over anyone who doesn't actually have that problem, akin to plugging a sideways AC adapter[1] into a horizontal power strip[2]. The sideways AC adapter is a suitable workaround if you don't have a sideways power strip, but if you do it's often much worse (especially if you have two to plug in).

Perhaps LastPass et al should provide a browser extension to prevent this kind of behaviour in the first place (e.g. removing onpaste events from password fields).

[1] http://i.imgur.com/zMSX7K2.jpg [2] http://i.imgur.com/AFfgq9a.jpg

for example, you don't want someone to mistype their password, paste it twice

And right there, you've made the wrong assumption that so many have in this thread; the whole point of password managers is that you're not typing anything in, ever. You generate the password, preferably in your password manager, then paste it twice. No possibility of typos.

I downloaded Hawken and played it once and enjoyed. When I went to play again I realized that I would have to type my 20 character random password in in order to be able to play, alt tabbing between the password manager and the game repeatedly.

I uninstalled the game.

I thought Hawken completely moved to Steam. It still asked for your password?
The opposite should be true: you should only be allowed to paste passwords.

In fact password keepers should put passwords onto the clipboard into some custom format that the password controls know about so that you have to paste from a tool. And then mandate that the password is at least 256 characters long. That would help move us in the right direction.

While I'm hoping this is a hyperbolic suggestion, it's almost certainly a bad idea to use the clipboard for this sort of thing, because none of that is sandboxed properly, and creating a special format that says, "I'M A PASSWORD" sounds to me like designing an API for malware authors, frankly.

At the moment, it seems like copy-paste in passwords is a nice intermediate step between the "password you can remember" era and an era where we have secure keyring managers. In the end, you can imagine that you'd want them stored not on the clipboard (where anything - including Javascript running on a site - can get them easily), but in a secured area of memory, and entered on demand on trusted sites.

1. Disable js. 2. Paste. 3. Reenable js. (Of course this assumes you're using a browser where it is easy to disable js.)