this post was submitted on 19 Jul 2023
742 points (98.2% liked)

Asklemmy

43856 readers
2267 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

It's 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it's recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don't have to memorize anything or know a single digit/character!

I have to use the Don't Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.

There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying "password paste-in" as antiquated/bad advice:

Verifiers SHOULD permit claimants to use β€œpaste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets

Edit: I discovered that for Firefox users there's a simpler way than exposing your secrets to someone's third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you're doing.

top 50 comments
sorted by: hot top controversial new old
[–] t0fr@lemmy.ca 107 points 1 year ago (3 children)

Agree. It is a stupid and antiquated idea. Two things I'd like to say though:

One: you can probably set up some form of auto-type from your password manager to get around this issue.

Two: blocking pasting is probably because password managers and operating systems must be secure when it comes to the clipboard, and clipboard management. Because if that's not safe, your passwords you are copying and pasting are not safe.

[–] deweydecibel@lemmy.world 82 points 1 year ago* (last edited 1 year ago)

Two: blocking pasting is probably because password managers and operating systems must be secure when it comes to the clipboard, and clipboard management. Because if that’s not safe, your passwords you are copying and pasting are not safe.

Yes, but it's not their clipboard, it's not their operating system, why are they breaking basic functionality when my password isn't their responsibility until I have entered into their field and sent it to them?

This is the nannying bullshit I can't stand. They made their shit more difficult to use, not to protect our private information on their servers or saved in their software, but solely because they're concerned about how I'm using the clipboard on my own device.

[–] manitcor@lemmy.intai.tech 25 points 1 year ago (3 children)

these days password managers clear the clipboard, still the clipboard is not secure which would be why some still block it.

really its an indication we need to drop User/Pass auth once and for all.

[–] muddybulldog@mylemmy.win 45 points 1 year ago* (last edited 1 year ago)

Which has always been an asinine point of view. By the time a site has blocked the paste the password is already in the clipboard. No security has been added in that regard, only frustration.

[–] NewNewAccount@lemmy.world 15 points 1 year ago (14 children)

really its an indication we need to drop User/Pass auth once and for all.

What’s a suitable replacement here?

[–] 4am@lemmy.world 9 points 1 year ago (2 children)
load more comments (2 replies)
load more comments (13 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] iamak@infosec.pub 75 points 1 year ago (10 children)

This is one of the dumbest shit ngl. My bank also does this. However they go one step further. They force a maximum 12 letter password and 1 character of each type (capital, small, number, symbol) is necessary. This actively reduces password security smh

[–] lenathaw@lemmy.ml 20 points 1 year ago (7 children)

Mine truncated the first 8 characters, when I discovered that I sent them a request to their cyber security department and they told me.of was by design.

I closed my account over that bs

load more comments (7 replies)
[–] dekatron@lemmy.fmhy.ml 11 points 1 year ago (1 children)

My bank also does this shit. It's aggravating to use their website when every step along the way they put the burden of security on the user.

Pasting is disabled on almost every text field, even for things like account numbers (which they make you type in twice) when you want to do a transfer. The only way to log in is to manually type in your username, password, and a damn captcha everytime. The 6 digit 2FA code is the icing on the cake. If you idle for a minute or two, they log you out and force you to go through the whole thing again.

load more comments (1 replies)
load more comments (8 replies)
[–] solidgrue@lemmy.world 57 points 1 year ago (2 children)

Clipboards (the buffer where copypasta is stored) are a weak link in security because ANY app can expect access to it. If there is malware on your system it generally has access to the clipboard buffer, and therefore any credentials you might paste.

"OK, but usually you only paste the password and type the username?"

Quite true. Keyloggers are also a thing and easy to install on desktop OS, maybe harder on mobile.OS.since (at least on android) you need to grant permissions for keyboard apps. Either way if a keylogger is installed then you're fucked.

It boils down to a bad risk assessment. Those services decided memorized credentials must be manually typed to prevent clipboard snooping at the (likely) cost of reduced password entropy and/or weak MFA (e.g., SMS or email based TOTP). In other words: stupid CISOs.

[–] QuarterSwede@lemmy.world 110 points 1 year ago (2 children)

The problem is, by the time you’ve figured out that you can’t paste your password you’ve already copied it …

load more comments (2 replies)
[–] R51@lemmy.ml 27 points 1 year ago

uh if you've got a keylogger on your system, clipboard access is not that far away

[–] JoeKrogan@lemmy.world 57 points 1 year ago (2 children)

I just edit the HTML and paste the text in as the value. Sites that do that are jabronis

[–] End0fLine@startrek.website 33 points 1 year ago (3 children)

Hey man I want to thank you for sending me into a time vortex back to the 90s. I forgot about that word.

[–] RobMyBot@lemmy.ml 10 points 1 year ago

I love that word! It's the Bomb-Diggity!

load more comments (2 replies)
load more comments (1 replies)
[–] transientpunk@sh.itjust.works 46 points 1 year ago (5 children)

Just adding that financial institutions are very hesitant to adopt new technology, and therefore tend to abide by what tech enthusiasts would consider antiquated best practices.

Source: Software engineer in Fintech

[–] spacedancer@lemmy.world 11 points 1 year ago* (last edited 1 year ago) (1 children)

Yup, that behavior is notorious with financial institutions. Using old and archaic programming languages and systems that they are too afraid to touch because they don't know how to rebuild it if it crashes. What I do is use passphrases for cases like that, so I can easily type them myself as a last resort. I just check my password manager quickly and then manually enter the password.

[–] Dubious_Fart@lemmy.ml 15 points 1 year ago

Whats that? I cant hear you.

Can you say it again, but in COBOL?

[–] ShakeThatYam@lemmy.world 9 points 1 year ago

Only, last month Treasury Diirect finally removed the virtual keyboard as the only means of password entry πŸ™ƒ

I don't believe their passwords are case sensitive yet.

[–] bluGill@kbin.social 9 points 1 year ago

Sure, but the NIST documents referenced in the post are admissible in court. With some creative thinking you can probably help a criminal break your weak password and then put the liability on them because if their webform was correct yoy would have pasted a strong password from your manager.

load more comments (2 replies)
[–] dan@upvote.au 41 points 1 year ago (2 children)

Edit: I discovered that for Firefox users there's a simpler way than exposing your secrets to someone's third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false

Note that this disables all DOM/JavaScript clipboard events, so sites that need custom clipboard handling (like Google Docs) won't work properly if you try to copy and paste.

What you can instead do is:

  1. Right-click the password field
  2. Click on the "console" tab in the browser dev tools
  3. Type $0.value = 'password' and press enter, with the correct password of course.
load more comments (2 replies)
[–] foo@withachanceof.com 41 points 1 year ago (2 children)

Same reason some websites still have max password lengths of 12 characters: Bad programmers that don't know what they're doing when it comes to the most basic of security concepts.

[–] deegeese@sopuli.xyz 37 points 1 year ago (1 children)

Bullshit requirements like that come from product managers.

Programmers would rather be lazy and not have to implement a limit anyway

load more comments (1 replies)
[–] Pechente@feddit.de 13 points 1 year ago (6 children)

This one always surprises me. Who the fuck is not hashing passwords? What else is wrong with this site if such basic concepts are ignored?

load more comments (6 replies)
[–] AnaGram@lemmy.ml 34 points 1 year ago (1 children)

Highly recommend this extension ::Absolute Enable Right Click & Copy:: available for both FireFox and Chrome

[–] interdimensionalmeme@lemmy.ml 25 points 1 year ago (3 children)

Wow, thank you for that, while we're at it, can we stop websites from fucking with the back history button ? Thanks !!

load more comments (3 replies)
[–] catastrophicblues@lemmy.ca 28 points 1 year ago

As always, Firefox steps up against stupid website behavior.

[–] baatliwala@lemmy.world 26 points 1 year ago (4 children)

Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Do NOT do this unless you absolutely know what you are doing and it will break legitimate uses of clipboard on websites. Use it one time and revert immediately.

load more comments (4 replies)
[–] protput@lemmy.world 25 points 1 year ago (5 children)

I have a hotkey that types my clipboard instead of pasting it. Just for this problem.

load more comments (5 replies)
[–] AffineConnection@lemmy.world 24 points 1 year ago* (last edited 1 year ago)

Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Indeed, the upsides to this outweigh the downsides. I can't even remember the last time I needed to re-enable it.

[–] HubertManne@kbin.social 23 points 1 year ago (1 children)

Thank you. Its wonderful to see someone else feesl this way. I feel there are less than there used to be like 5 or 10 years ago but man it urks me. I was really excited by the add on but honestly im not sure I want to give it that permission which stinks. Would love to disable that behavior. Its so stupid to force you to make an easy password.

load more comments (1 replies)
[–] zen@lemmy.amyjnobody.com 23 points 1 year ago (2 children)

Step 1: In FireFox, make a new bookmark with the location: javascript:(function(w){ var arr = ['contextmenu','copy','cut','paste','mousedown','mouseup','beforeunload','beforeprint']; for(var i = 0, x; x = arr[i]; i++){ if(w['on' + x])w['on' + x] = null; w.addEventListener(x, function(e){e.stopPropagation()}, true); }; for(var j = 0, f; f = w.frames[j]; j++){try{arguments.callee(f)}catch(e){}}})(window);

Step 2: Drag the bookmark to your toolbar.

Step 3: ??? ::: When a website does bullshit like not allow you to paste, not allow you to right click, etc. Click the button you made in step 2. :::

Step 4: Profit

It is your browser, your computer. You decide what code runs on it.

Bonus Step: Install something like ublock origin or noscript and stop allowing websites to run any code they like willy nilly on your PC without permission. Half of that crap just tracks you for no real benefit (to you).

load more comments (2 replies)
[–] GlassHalfHopeful@beehaw.org 18 points 1 year ago* (last edited 1 year ago)

Yes! This! I'm not familiar with DFWP, but next time I'm on my PC, I'm adding it.

[–] wrongturn@lemmy.world 17 points 1 year ago (2 children)

Ctrl+shift+L for bitwarden and I'm set. It could be bit of a pain to shift all your passwords from all sources into bitwarden but it pays back well. Same on mobile too. Indispensable tool for me

load more comments (2 replies)
[–] mycroft@lemmy.world 16 points 1 year ago

Because there are sadists in every field.

[–] salient_one@lemmy.villa-straylight.social 14 points 1 year ago (5 children)

Some intentions behind this are mentioned in this WIRED article.

Related well-intentioned albeit misguided and possibly harmful concept is annoying password expiration that is also no longer recommended.

load more comments (5 replies)
[–] SuperIce@lemmy.world 12 points 1 year ago (2 children)

Most password managers now have an option to ignore the no paste option for text fields because it became so common. I enabled that quite some time ago and haven't had issues since.

load more comments (2 replies)
[–] psychothumbs@lemmy.world 12 points 1 year ago

I don't encounter this much, but when I do I am sooooo mad

[–] inetknght@lemmy.ml 10 points 1 year ago (8 children)

KeePass has an auto-type feature. It basically presses keystrokes right into the input field.

I never have to worry about sites disabling pasting into fields because:

  • I use about:config to disable clipboard manipulation
  • I use KeePass auto-type to type passwords instead of copy-pasting them

Also, putting your password on your clipboard is Bad Practice because any application (including a javascript web page) can inspect your clipboard

load more comments (8 replies)
[–] dQw4w9WgXcQ@lemm.ee 9 points 1 year ago (2 children)

I have a Windows VDI at my workplace which I completely stopped using when I started with a password manager. The Windows login screen disables paste, and I would have to type in a ~25 character long word of entropy in letters, numbers, casing and symbols.

So I use the Linux VDI instead.

load more comments (2 replies)
[–] vamp07@lemm.ee 9 points 1 year ago

I have a Keyboard Maestro command to type out the clipboard instead of pasting it. Some developers just love exerting control over everything. I'm sure this one is done in the name of security, which is silly.

load more comments
view more: next β€Ί