this post was submitted on 19 Jul 2023
742 points (98.2% liked)

Asklemmy

It's 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it's recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don't have to memorize anything or know a single digit/character!

I have to use the Don't Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why are my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.

There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying "password paste-in" as antiquated/bad advice:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets

Edit: I discovered that for Firefox users there's a simpler way than exposing your secrets to someone's third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you're doing.

[–] t0fr@lemmy.ca 107 points 1 year ago (3 children)

Agree. It is a stupid and antiquated idea. Two things I'd like to say though:

One: you can probably set up some form of auto-type from your password manager to get around this issue.

Two: blocking pasting is probably because password managers and operating systems must be secure when it comes to the clipboard, and clipboard management. Because if that's not safe, your passwords you are copying and pasting are not safe.

[–] deweydecibel@lemmy.world 82 points 1 year ago* (last edited 1 year ago)

Two: blocking pasting is probably because password managers and operating systems must be secure when it comes to the clipboard, and clipboard management. Because if that’s not safe, your passwords you are copying and pasting are not safe.

Yes, but it's not their clipboard, it's not their operating system, why are they breaking basic functionality when my password isn't their responsibility until I have entered into their field and sent it to them?

This is the nannying bullshit I can't stand. They made their shit more difficult to use, not to protect our private information on their servers or saved in their software, but solely because they're concerned about how I'm using the clipboard on my own device.

[–] manitcor@lemmy.intai.tech 25 points 1 year ago (3 children)

These days password managers clear the clipboard; still, the clipboard is not secure, which would be why some still block it.

Really, it's an indication we need to drop User/Pass auth once and for all.

[–] muddybulldog@mylemmy.win 45 points 1 year ago* (last edited 1 year ago)

Which has always been an asinine point of view. By the time a site has blocked the paste the password is already in the clipboard. No security has been added in that regard, only frustration.

[–] NewNewAccount@lemmy.world 15 points 1 year ago (14 children)

really its an indication we need to drop User/Pass auth once and for all.

What’s a suitable replacement here?

[–] 4am@lemmy.world 9 points 1 year ago (2 children)

[–] iamak@infosec.pub 75 points 1 year ago (10 children)

This is some of the dumbest shit, ngl. My bank also does this. However, they go one step further. They force a maximum 12-letter password, and 1 character of each type (capital, small, number, symbol) is necessary. This actively reduces password security, smh

[–] lenathaw@lemmy.ml 20 points 1 year ago (7 children)

Mine truncated the first 8 characters; when I discovered that I sent them a request to their cyber security department and they told me it was by design.

I closed my account over that bs

[–] dekatron@lemmy.fmhy.ml 11 points 1 year ago (1 children)

My bank also does this shit. It's aggravating to use their website when every step along the way they put the burden of security on the user.

Pasting is disabled on almost every text field, even for things like account numbers (which they make you type in twice) when you want to do a transfer. The only way to log in is to manually type in your username, password, and a damn captcha everytime. The 6 digit 2FA code is the icing on the cake. If you idle for a minute or two, they log you out and force you to go through the whole thing again.

[–] solidgrue@lemmy.world 57 points 1 year ago (2 children)

Clipboards (the buffer where copypasta is stored) are a weak link in security because ANY app can expect access to it. If there is malware on your system it generally has access to the clipboard buffer, and therefore any credentials you might paste.

"OK, but usually you only paste the password and type the username?"

Quite true. Keyloggers are also a thing and easy to install on a desktop OS, maybe harder on a mobile OS since (at least on Android) you need to grant permissions for keyboard apps. Either way, if a keylogger is installed then you're fucked.

It boils down to a bad risk assessment. Those services decided memorized credentials must be manually typed to prevent clipboard snooping at the (likely) cost of reduced password entropy and/or weak MFA (e.g., SMS or email based TOTP). In other words: stupid CISOs.

[–] QuarterSwede@lemmy.world 110 points 1 year ago (2 children)

The problem is, by the time you’ve figured out that you can’t paste your password you’ve already copied it …

[–] R51@lemmy.ml 27 points 1 year ago

uh if you've got a keylogger on your system, clipboard access is not that far away

[–] JoeKrogan@lemmy.world 57 points 1 year ago (2 children)

I just edit the HTML and paste the text in as the value. Sites that do that are jabronis

[–] End0fLine@startrek.website 33 points 1 year ago (3 children)

Hey man I want to thank you for sending me into a time vortex back to the 90s. I forgot about that word.

[–] RobMyBot@lemmy.ml 10 points 1 year ago

I love that word! It's the Bomb-Diggity!

[–] transientpunk@sh.itjust.works 46 points 1 year ago (5 children)

Just adding that financial institutions are very hesitant to adopt new technology, and therefore tend to abide by what tech enthusiasts would consider antiquated best practices.

Source: Software engineer in Fintech

[–] spacedancer@lemmy.world 11 points 1 year ago* (last edited 1 year ago) (1 children)

Yup, that behavior is notorious with financial institutions. Using old and archaic programming languages and systems that they are too afraid to touch because they don't know how to rebuild it if it crashes. What I do is use passphrases for cases like that, so I can easily type them myself as a last resort. I just check my password manager quickly and then manually enter the password.

[–] Dubious_Fart@lemmy.ml 15 points 1 year ago

Whats that? I cant hear you.

Can you say it again, but in COBOL?

[–] ShakeThatYam@lemmy.world 9 points 1 year ago

Only last month, TreasuryDirect finally removed the virtual keyboard as the only means of password entry 🙃

I don't believe their passwords are case sensitive yet.

[–] bluGill@kbin.social 9 points 1 year ago

Sure, but the NIST documents referenced in the post are admissible in court. With some creative thinking you can probably help a criminal break your weak password and then put the liability on them because if their webform was correct you would have pasted a strong password from your manager.

[–] dan@upvote.au 41 points 1 year ago (2 children)

Edit: I discovered that for Firefox users there's a simpler way than exposing your secrets to someone's third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false

Note that this disables all DOM/JavaScript clipboard events, so sites that need custom clipboard handling (like Google Docs) won't work properly if you try to copy and paste.

What you can instead do is:

  1. Right-click the password field
  2. Click on the "console" tab in the browser dev tools
  3. Type $0.value = 'password' and press enter, with the correct password of course.

[–] foo@withachanceof.com 41 points 1 year ago (2 children)

Same reason some websites still have max password lengths of 12 characters: Bad programmers that don't know what they're doing when it comes to the most basic of security concepts.

[–] deegeese@sopuli.xyz 37 points 1 year ago (1 children)

Bullshit requirements like that come from product managers.

Programmers would rather be lazy and not have to implement a limit anyway

[–] Pechente@feddit.de 13 points 1 year ago (6 children)

This one always surprises me. Who the fuck is not hashing passwords? What else is wrong with this site if such basic concepts are ignored?

[–] AnaGram@lemmy.ml 34 points 1 year ago (1 children)

Highly recommend this extension ::Absolute Enable Right Click & Copy:: available for both Firefox and Chrome

[–] interdimensionalmeme@lemmy.ml 25 points 1 year ago (3 children)

Wow, thank you for that, while we're at it, can we stop websites from fucking with the back history button ? Thanks !!

[–] catastrophicblues@lemmy.ca 28 points 1 year ago

As always, Firefox steps up against stupid website behavior.

[–] baatliwala@lemmy.world 26 points 1 year ago (4 children)

Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Do NOT do this unless you absolutely know what you are doing; it will break legitimate uses of the clipboard on websites. Use it one time and revert immediately.

[–] protput@lemmy.world 25 points 1 year ago (5 children)

I have a hotkey that types my clipboard instead of pasting it. Just for this problem.

[–] AffineConnection@lemmy.world 24 points 1 year ago* (last edited 1 year ago)

Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Indeed, the upsides to this outweigh the downsides. I can't even remember the last time I needed to re-enable it.

[–] HubertManne@kbin.social 23 points 1 year ago (1 children)

Thank you. It's wonderful to see someone else feels this way. I feel there are fewer than there used to be, like 5 or 10 years ago, but man it irks me. I was really excited by the add-on but honestly I'm not sure I want to give it that permission, which stinks. Would love to disable that behavior. It's so stupid to force you to make an easy password.

[–] zen@lemmy.amyjnobody.com 23 points 1 year ago (2 children)

Step 1: In FireFox, make a new bookmark with the location: javascript:(function(w){ var arr = ['contextmenu','copy','cut','paste','mousedown','mouseup','beforeunload','beforeprint']; for(var i = 0, x; x = arr[i]; i++){ if(w['on' + x])w['on' + x] = null; w.addEventListener(x, function(e){e.stopPropagation()}, true); }; for(var j = 0, f; f = w.frames[j]; j++){try{arguments.callee(f)}catch(e){}}})(window);

Step 2: Drag the bookmark to your toolbar.

Step 3: ??? ::: When a website does bullshit like not allow you to paste, not allow you to right click, etc. Click the button you made in step 2. :::

Step 4: Profit

It is your browser, your computer. You decide what code runs on it.

Bonus Step: Install something like ublock origin or noscript and stop allowing websites to run any code they like willy nilly on your PC without permission. Half of that crap just tracks you for no real benefit (to you).

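dan's console trick and zen's bookmarklet work for different reasons, and both have a limit that is easier to see with a model of the event path than with a real page. The following is an added example, not code from the thread: a small stand-in for the DOM's capture/target/bubble dispatch (the `FakeNode` and `FakeEvent` classes are demo assumptions, not browser objects), with a site's paste blocker in its two usual forms (`addEventListener('paste', ...)` calling `preventDefault()`, and the legacy `onpaste` property returning false), the bookmarklet's capturing `stopPropagation()` on window, and a case where that trick does not help. It runs under Node with no browser.

```javascript
'use strict';
// Added example, not code from the thread: a minimal stand-in for the DOM event
// path (capture -> target -> bubble) showing how a paste blocker works, why a
// capturing stopPropagation() on window defeats it, and where that trick fails.

class FakeNode {            // demo assumption, not a real DOM node
  constructor(parent = null) {
    this.parent = parent;
    this.listeners = [];    // { type, fn, capture }
    this.value = '';        // field content, for the input
    this.onpaste = null;    // legacy handler property, like input.onpaste
  }
  addEventListener(type, fn, capture = false) { this.listeners.push({ type, fn, capture }); }
}

class FakeEvent {
  constructor(type) { this.type = type; this.defaultPrevented = false; this.stopped = false; }
  preventDefault() { this.defaultPrevented = true; }
  stopPropagation() { this.stopped = true; }
}

// One node's listeners for one phase. A legacy on<type> property acts as a
// bubbling listener; returning false from it cancels the default action.
function runListeners(node, event, capture) {
  for (const l of node.listeners) {
    if (l.type === event.type && l.capture === capture) l.fn.call(node, event);
  }
  const prop = node['on' + event.type];
  if (!capture && typeof prop === 'function' && prop.call(node, event) === false) {
    event.preventDefault();
  }
}

// Capturing listeners root-down, then the target, then bubbling listeners back
// up; stopPropagation() ends the walk. Returns whether the default action may run.
function dispatch(target, event) {
  const ancestors = [];
  for (let n = target.parent; n; n = n.parent) ancestors.unshift(n);
  for (const node of ancestors) {
    runListeners(node, event, true);
    if (event.stopped) return !event.defaultPrevented;
  }
  runListeners(target, event, true);
  runListeners(target, event, false);
  if (event.stopped) return !event.defaultPrevented;
  for (const node of ancestors.reverse()) {
    runListeners(node, event, false);
    if (event.stopped) break;
  }
  return !event.defaultPrevented;
}

// window > document > form > input#password
function makePage() {
  const win = new FakeNode();
  const doc = new FakeNode(win);
  const form = new FakeNode(doc);
  return { win, doc, form, input: new FakeNode(form) };
}

// The user presses Ctrl+V in the password field; the text lands only if no
// listener called preventDefault().
function paste(page, text) {
  const allowed = dispatch(page.input, new FakeEvent('paste'));
  if (allowed) page.input.value += text;
  return allowed;
}

// The dark pattern, in its two usual forms.
function installPasteBlocker(node, viaProperty = false) {
  if (viaProperty) node.onpaste = () => false;
  else node.addEventListener('paste', (e) => e.preventDefault());
}

// zen's bookmarklet: null the legacy handler on window and add a capturing
// listener there that stops the event before anything lower in the tree runs.
function installCaptureUnblocker(win) {
  win.onpaste = null;
  win.addEventListener('paste', (e) => e.stopPropagation(), true);
}

function demo() {
  const blocked = makePage();
  installPasteBlocker(blocked.input);
  const r1 = paste(blocked, 'hunter2');    // false: the blocker cancelled it

  const unblocked = makePage();
  installPasteBlocker(unblocked.input, true);
  installCaptureUnblocker(unblocked.win);
  const r2 = paste(unblocked, 'hunter2');  // true: the blocker never ran

  // Limit: a blocker the site registered earlier as a capturing listener on
  // window runs before the unblocker on that same node and still wins.
  const rooted = makePage();
  rooted.win.addEventListener('paste', (e) => e.preventDefault(), true);
  installCaptureUnblocker(rooted.win);
  const r3 = paste(rooted, 'hunter2');     // false
  return { r1, r2, r3 };
}

console.log(demo());
```

This is also why dan's `$0.value = 'password'` and KeePass auto-type sidestep the whole question: assigning the value directly fires no paste event, so there is nothing for a blocker to cancel, and typed keystrokes never go through the clipboard handlers at all. The capturing listener is a blunt instrument in the other direction: it stops the site's legitimate paste handlers too, which is the same trade-off as `dom.event.clipboardevents.enabled`, only scoped to one click on one page.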
[–] GlassHalfHopeful@beehaw.org 18 points 1 year ago* (last edited 1 year ago)

Yes! This! I'm not familiar with DFWP, but next time I'm on my PC, I'm adding it.

[–] wrongturn@lemmy.world 17 points 1 year ago (2 children)

Ctrl+Shift+L for Bitwarden and I'm set. It could be a bit of a pain to shift all your passwords from all sources into Bitwarden but it pays back well. Same on mobile too. Indispensable tool for me

[–] mycroft@lemmy.world 16 points 1 year ago

Because there are sadists in every field.

[–] salient_one@lemmy.villa-straylight.social 14 points 1 year ago (5 children)

Some intentions behind this are mentioned in this WIRED article.

A related well-intentioned, albeit misguided and possibly harmful, concept is annoying password expiration, which is also no longer recommended.

[–] SuperIce@lemmy.world 12 points 1 year ago (2 children)

Most password managers now have an option to ignore the no paste option for text fields because it became so common. I enabled that quite some time ago and haven't had issues since.

[–] psychothumbs@lemmy.world 12 points 1 year ago

I don't encounter this much, but when I do I am sooooo mad

[–] inetknght@lemmy.ml 10 points 1 year ago (8 children)

KeePass has an auto-type feature. It basically presses keystrokes right into the input field.

I never have to worry about sites disabling pasting into fields because:

  • I use about:config to disable clipboard manipulation
  • I use KeePass auto-type to type passwords instead of copy-pasting them

Also, putting your password on your clipboard is Bad Practice because any application (including a javascript web page) can inspect your clipboard

[–] dQw4w9WgXcQ@lemm.ee 9 points 1 year ago (2 children)

I have a Windows VDI at my workplace which I completely stopped using when I started with a password manager. The Windows login screen disables paste, and I would have to type in a ~25 character long word of entropy in letters, numbers, casing and symbols.

So I use the Linux VDI instead.

[–] vamp07@lemm.ee 9 points 1 year ago

I have a Keyboard Maestro command to type out the clipboard instead of pasting it. Some developers just love exerting control over everything. I'm sure this one is done in the name of security, which is silly.
