Prohibiting Pasting of Passwords

We have been told over and over again to use strong passwords: if you can remember your password, it is too weak. Because of this, many people use password vaults or password managers to store their very strong, impossible-to-remember passwords. When they need to log into a site, they simply paste the password from their vault or let their password manager fill in the password field. This seems like good security practice, since the users end up with a very strong password…apparently not. Some sites no longer allow you to paste in your password (some may or may not allow your password manager software or extension to work). They do this with JavaScript: the onpaste event, a non-standard event originally defined by Microsoft for Internet Explorer (and now also supported in Firefox, Chrome, Safari, etc.), returns false. That "false" cancels the paste, so the field is treated the same as if the user had not entered a password at all.
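The following is an added example, not code from the original post: a small audit helper that scans HTML for password fields whose inline onpaste handler cancels pasting, the anti-pattern described above. It assumes simple, well-formed `<input>` tags with inline handlers only (handlers attached from script are not detected), and the sample markup and field names are constructed for the demonstration.

```javascript
// Constructed sample markup: two password fields that block pasting (one by
// returning false, one by calling preventDefault() and also turning autofill
// off), one password field that leaves pasting and autofill alone, and a
// non-password field that blocks pasting but is out of scope for this check.
const SAMPLE_HTML = `
<form>
  <input type="password" name="pw1" onpaste="return false;">
  <input type="password" name="pw2" onpaste="event.preventDefault()" autocomplete="off">
  <input type="password" name="pw3" autocomplete="current-password">
  <input type="text" name="user" onpaste="return false">
</form>`;

// Parse the attributes of one <input ...> tag into a plain object.
// Handles double-quoted, single-quoted and unquoted attribute values.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// An inline handler cancels the paste if it returns false or calls
// preventDefault() on the event.
function handlerBlocksPaste(handler) {
  return /return\s+false|preventDefault\s*\(/.test(handler);
}

// Return one finding per password input whose inline onpaste handler cancels
// pasting, noting whether autofill is also disabled (which additionally
// breaks password managers that fill the field instead of pasting).
function findPasteBlockedPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttributes(tag);
    if ((a.type || '').toLowerCase() !== 'password') continue;
    if (a.onpaste && handlerBlocksPaste(a.onpaste)) {
      findings.push({ name: a.name, autofillDisabled: a.autocomplete === 'off' });
    }
  }
  return findings;
}

// Stand-alone run: lists pw1 and pw2; pw3 is the form a site should use.
console.log(findPasteBlockedPasswordFields(SAMPLE_HTML));
```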

Some sites, such as British Gas, claim the reason they have disabled pasting in passwords is that they would lose their security certificate, as it exposes them to brute force (hacking) attacks. GE Capital just says "for security reasons".

Well, apparently someone didn't think this through very well. If people are not going to be allowed to paste in their super secure passwords…guess what is going to happen? They will use a (less secure) password they can remember, which rather defeats the claim "for security reasons". Some claim that malware installed by hackers could intercept the Windows clipboard and capture your password that way. However, it is much easier for a hacker to put keystroke-logging malware on someone's system, which is exactly why people opt to paste their password or use a password manager rather than type it.

So now these companies, which think they are doing their users a favor by forcing them to type in their password (on the assumption that pasting isn't secure), are actually making their users less secure…Brilliant!

Source: The “Cobra Effect” via grand stream dreams.