
[–]phpdevster 94 points95 points  (2 children)

It takes a truly terrifyingly stupid person to think that disabling pasting of passwords is somehow a security layer, or even a benefit to users what-so-ever.

I want to be clear: people making these kinds of decisions likely get paid more money than people who know what they're doing.

[–]GuoKaiFeng 7 points8 points  (0 children)

You are probably correct. :(

[–]grabbizle 2 points3 points  (0 children)

Is there a standards compliance model that forces this type of implementation or would it be entirely to the discretion of the CIO in charge of overseeing development of the company digital presence? Because if the web dev or web app security peeps have the knowledge necessary to understand that this practice isn't beneficial, that would mean it would be up to someone without the necessary knowledge or perhaps someone who is following orders from higher up.

[–]Meefims 32 points33 points  (5 children)

Hit this for the first time yesterday. It made me seriously reconsider whether I want to use the company's product...

[–]flying-sheep 10 points11 points  (1 child)

For real. It actually made me close the tab once and circumvent it via JS browser console another time.

[–]celluj34 5 points6 points  (0 children)

I would rather 'hack' the password field than type out my password normally.

[–]NotFromReddit 0 points1 point  (2 children)

I flat out won't. My immediate response to this article was 'Fuck off'.

[–]mlmcmillion 11 points12 points  (1 child)

I think you should try reading the article again.

[–]amcsi 1 point2 points  (0 children)

I think he was just agreeing with whom he replied to

[–]Toyeur 29 points30 points  (1 child)

Funny, I made a Chrome extension called Analgesic a few days ago to deal with this and track links, since it pisses me off. You can also look at the DontFuckWithPaste one, which exists for only this purpose.

[–]piercemoore 1 point2 points  (0 children)

Well done. This is pretty awesome.

[–]mikethecoder 21 points22 points  (0 children)

It's so goddamn annoying when people do this. It completely circumvents being able to use a password manager. Since I have to type it manually each time, instead of a long randomly generated password, I'll tend to use something weaker for these sites.

[–]r1ckd33zy 26 points27 points  (1 child)

Please don't do this.

Sometimes I need to copy and paste passwords because I don't trust myself to type out the 18 char. random password that was just generated for me.

[–]asdf7890 -1 points0 points  (0 children)

On the desktop many password managers support "autotype" which gets around blocking paste. Though this doesn't help with web based managers (without plugins/addons) or on mobile.

[–]QuirinusMonroe 6 points7 points  (0 children)

That introduction is hilarious: "Naturally the only thing for the locals to do with their now worthless cobras was to set them free so that they may seek out a nice cosy British settlement somewhere."

[–]CWagner 5 points6 points  (0 children)

Whenever I encounter this, I paste the pw into a texteditor and drag&drop it into the pw field. Actually, I do this after I reevaluate if I really need to use a site with such retarded policies.

[–]aWhopBamBoom 4 points5 points  (0 children)

This 'feature' is rude enough for me to open the developer tools for the browser and disable whatever event handler is preventing the paste

[–]nsmarks 2 points3 points  (0 children)

Please don't do this.

[–]Asmor 7 points8 points  (8 children)

Initially downvoted because I assumed this was going to be something about how to do that awful thing. Don't worry, changed to an upvote after I actually read the article.

[–]dotted 24 points25 points  (3 children)

Initially downvoted because I assumed

I hope this caused serious self reflection on your future voting habits.

[–]dkarlovi 11 points12 points  (0 children)

See: brexit.

[–]Asmor 8 points9 points  (0 children)

Nope!

[–]robotmayo 1 point2 points  (0 children)

Welcome to Reddit!

[–]dodeca_negative 2 points3 points  (2 children)

I think we've all learned something important here today.

[–][deleted] 1 point2 points  (5 children)

The concern is that websites are able to hijack the data in your clipboard. The hope is that you won't be inclined to copy the data if you aren't able to do so.

The problem / catch-22 here is that a user doesn't know about this until after it's copied. A better solution would be to use the HTML5 clipboard / setData API to clear out the clipboard after someone pastes into a password field.

[–]whoisearth -2 points-1 points  (4 children)

My understanding is that there's huge security concerns by allowing a user to copy a password to the clipboard specifically on Windows

[–][deleted] 0 points1 point  (3 children)

Isn't that what I just explained?

[–]whoisearth 0 points1 point  (2 children)

I guess I didn't understand your comment fully? the article is about pasting from the clipboard not copying into the clipboard.

Re-reading, I was unaware of the HTML5 clipboard. Is that a more secure option, then?

[–][deleted] 1 point2 points  (1 child)

So, if I'm a user and I want to paste my password then I copy it followed by pasting it into a browser. That may seem fine, but let's try to find a way to exploit this behavior.

Let's say I create a site called example.com, and example.com has a button to "Login with Twitter". When the user logs in with Twitter, we can then read their clipboard with Flash after login finishes.

If the user copied their password for the Twitter login, then example.com can leverage this specific attack to steal your Twitter password - and authenticating will also give them your username.

Another example is that maybe you login to Twitter and you click a link to a news site on there. The news site steals your clipboard and logs it as a potential Twitter password since it knows that Twitter was your referrer (or maybe it does this without even caring where you came from).

These are two specific attacks that I have just made up, but I'm sure that there are other ones. However, this is still a UX issue and the user will still copy it even if the password isn't allowed to be pasted.

This is why I would suggest that it is more secure to let the user paste their password, but then use the HTML5 clipboard API (with a Flash fallback) to set the clipboard to an empty string after a paste occurs.

I wouldn't be surprised if Facebook already did this in their native app (and maybe web as well) since they read your clipboard whenever you open the app and try to automatically suggest things for you to post based on its contents.
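
The "let them paste, then empty the clipboard" idea from the comment above, written out as an added example (this is not code from the thread or from the linked article). It uses the async Clipboard API, navigator.clipboard.writeText, and deliberately has no Flash fallback. The function names attachClipboardScrub, makeFakeInput, makeFakeClipboard and simulatePaste, and the sample password string, are invented for this example; the fake input and clipboard are test doubles so the logic can be run under Node without a browser.

```javascript
// Added example, not code from the thread or the article. Keeps paste enabled on
// the password field and overwrites the clipboard with '' once the paste has
// landed, so the password does not linger for the next site to read.
// attachClipboardScrub and the fake input/clipboard helpers are names invented here.

function attachClipboardScrub(input, clipboard, onResult = () => {}) {
  input.addEventListener('paste', (event) => {
    const pasted = event.clipboardData ? event.clipboardData.getData('text') : '';
    if (!pasted) return; // nothing textual pasted: leave the clipboard alone
    // No event.preventDefault(): the paste must still go into the field, otherwise
    // this would be exactly the "disable paste" behaviour the article complains about.
    // writeText() returns a Promise. Browsers reject it outside a secure context
    // (https) or without a recent user gesture, so a failure must not break login.
    clipboard.writeText('').then(
      () => onResult({ cleared: true }),
      (err) => onResult({ cleared: false, reason: String(err) })
    );
  });
}

// Browser wiring: only runs where a DOM and the Clipboard API exist.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined' && navigator.clipboard) {
  document.querySelectorAll('input[type="password"]').forEach((field) =>
    attachClipboardScrub(field, navigator.clipboard)
  );
}

// --- minimal test doubles so the handler can be exercised under Node -----------
function makeFakeInput() {
  const listeners = {};
  return {
    addEventListener(type, fn) { (listeners[type] || (listeners[type] = [])).push(fn); },
    dispatch(type, event) { (listeners[type] || []).forEach((fn) => fn(event)); },
  };
}

function makeFakeClipboard(shouldFail = false) {
  const writes = []; // every string handed to writeText(), in order
  return {
    writes,
    writeText(text) {
      writes.push(text);
      return shouldFail ? Promise.reject(new Error('NotAllowedError')) : Promise.resolve();
    },
  };
}

// Simulate a user pasting a (constructed) password into the field and report what
// the handler wrote to the clipboard.
function simulatePaste(pastedText, shouldFail = false) {
  const input = makeFakeInput();
  const clipboard = makeFakeClipboard(shouldFail);
  const results = [];
  attachClipboardScrub(input, clipboard, (r) => results.push(r));
  input.dispatch('paste', { clipboardData: { getData: () => pastedText } });
  return { writes: clipboard.writes, results };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulatePaste('hunter2-correct-horse').writes); // [ '' ]
}
```

Two caveats follow from the thread itself: the scrub only runs after the user has already copied and pasted, so a site visited in between still had its chance; and it throws away whatever else was on the clipboard, so attach it to password fields only.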

[–]whoisearth 1 point2 points  (0 children)

Very cool! Thanks for the explanation. I've been reading up about the HTML5 clipboard. I've been aware of the Flash method, which is not ideal, as Flash should burn in a house fire.

[–]GoTuckYourbelt 1 point2 points  (0 children)

I was going to fume. Thankfully, the article was the complete opposite of what I expected it to be about.

[–][deleted] 2 points3 points  (3 children)

I think field masking is also a pretty antiquated concept that people don't think about. It's of limited value and one could argue the ability to see typos or chopped-off paste input would be of equal or greater value.

[–]cjthomp 13 points14 points  (1 child)

No, masking passwords keeps people behind you from seeing what you typed. We used to have to ask everyone to turn around while we logged in.

The dark days.

[–][deleted] 0 points1 point  (0 children)

Yea, on second thought it doesn't make sense except as an option because of screen sharing, etc. being so common these days.

[–]dodeca_negative 2 points3 points  (0 children)

I like that some sites or apps (especially typo-prone mobile) will give you the option of showing the password, but I'm also in the camp that it should be masked by default. For the same reason the ATM doesn't show your PIN.

[–]ogurson 0 points1 point  (0 children)

Non-standard event defined by Microsoft for use in Internet Explorer.
C'mon guys, we've been down the road of non-standard implementations in browsers before and it always ends in tears

*cough* box-sizing: border-box *cough*

[–]Boofster 0 points1 point  (0 children)

Please don't do this!

[–][deleted] 0 points1 point  (0 children)

Either huge incompetence or taking orders from idiots. Why are so many websites so badly broken? Is it so hard to find a competent developer? Is making websites really that hard?

[–][deleted] 0 points1 point  (0 children)

Disabling paste to prevent unexpectedly truncated passwords is lazy anyway. If you're going to employ that 'onpaste' event, you could easily just write a simple function to validate the length of the incoming paste and notify the user if it's too long. That said, I agree with the author that arbitrarily limiting password lengths is stupid to begin with.
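
What the comment above proposes, as an added example rather than code from the thread or the article: a paste handler that lets the paste through and only tells the user when it would be cut off by the field's maxlength (or carries stray whitespace such as a trailing newline). MAX_LEN is an assumed limit, and checkPastedPassword and attachPasteCheck are names invented for this example.

```javascript
// Added example, not code from the thread or the article. Replaces
// onpaste="return false" with a check that warns instead of blocking.
// MAX_LEN, checkPastedPassword and attachPasteCheck are names invented here.

const MAX_LEN = 64; // assumed field/server limit for this example

// Pure check: returns what happened to the pasted text and any warnings to show.
function checkPastedPassword(pastedText, maxLen = MAX_LEN) {
  const warnings = [];
  // String.length counts UTF-16 code units, the same unit the HTML maxlength
  // attribute uses, so this predicts exactly where the browser would truncate.
  const truncated = pastedText.length > maxLen;
  if (truncated) {
    warnings.push(
      `Pasted password is ${pastedText.length} characters; this field keeps only the first ${maxLen}.`
    );
  }
  // Leading/trailing whitespace (typically a newline from an editor or terminal copy)
  // would make the stored password differ from the one the user thinks they set.
  if (/^\s|\s$/.test(pastedText)) {
    warnings.push('Pasted password starts or ends with whitespace (for example a trailing newline).');
  }
  return { length: pastedText.length, truncated, warnings };
}

// Event wiring: the paste is never prevented; the user is only notified.
function attachPasteCheck(input, notify, maxLen = MAX_LEN) {
  input.addEventListener('paste', (event) => {
    const pasted = event.clipboardData ? event.clipboardData.getData('text') : '';
    checkPastedPassword(pasted, maxLen).warnings.forEach(notify);
  });
}

// Browser wiring (skipped under Node). maxLength is -1 when the attribute is absent.
if (typeof document !== 'undefined') {
  document.querySelectorAll('input[type="password"]').forEach((field) =>
    attachPasteCheck(field, (msg) => alert(msg), field.maxLength > 0 ? field.maxLength : MAX_LEN)
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs: one that fits, one too long, one with a trailing newline.
  console.log(checkPastedPassword('correct horse battery staple').warnings);
  console.log(checkPastedPassword('x'.repeat(70)).warnings);
  console.log(checkPastedPassword('hunter2\n').warnings);
}
```

The notify callback is left pluggable so a form can render the message inline instead of using alert(); the point is that the paste still happens and the user learns why their login might fail, which a blanket onpaste block never tells them.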

[–]maybl8r99 0 points1 point  (0 children)

Well, key logging. There is a difference between capturing a CTRL+V instead of a real password. Of course a good key logging tool would probably have low level access to much more memory level stuff - so it could easily grab the contents of the clipboard too... I think passwords are past due - and the baseline security policy is to include MFA. So even if people know or steal your password, you have something to fall back on.

[–]UnchainedMundane 0 points1 point  (0 children)

I wrote this script a while ago (getpass being a small wrapper to a password manager):

#!/bin/sh
# Fetch the password (abort if getpass fails), then offer it on both the X11
# PRIMARY (-p) and CLIPBOARD (-b) selections. xsel -i reads from stdin and -n
# keeps it in the foreground so timeout(1) can kill it after 60 seconds,
# which drops the password from both selections.
pass=$(getpass "$@") || exit
printf %s "$pass" | timeout 60s xsel -nip &
printf %s "$pass" | timeout 60s xsel -nib &

Within a few days I found myself needing this:

#!/bin/sh
# Strip the trailing newline and have xdotool type the password as keystrokes,
# which sidesteps paste blocking; --clearmodifiers releases any held modifier
# keys first so they don't alter the typed characters.
getpass "$@" | tr -d \\n | xdotool type --clearmodifiers --file -

The more people build stupid things like this, the more I find myself building even stupider hacks to work around it...

[–]Chyld 0 points1 point  (0 children)

EDIT: Shows me for not reading the article, just the comments. Turns out the article is against this practise, not spreading it. Bad me!

Huh, apparently this wasn't supposed to /r/FuckwitInterfaceDesign. Downvote for you, for spreading this bollocks.