No paste for you... but drag is OK




  • So, I was reading this article:

    http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html

    It's about some sites disabling paste in the password fields using different stuff but generally, the "onpaste=return false;" trick.

    Although that's already a stupid thing to do and already explained in the article, I want to bring into attention that even if pasting doesn't work, dragging does.

    Go ahead, paste your password somewhere and drag it. Test it here:

    http://jsfiddle.net/hWw2J/



  •  It's batshit level stupidity. It's almost as if these decisions are being taken by people that don't know a thing about security.



  • @TGV said:

     It's batshit level stupidity. It's almost as if these decisions are being taken by people that don't know a thing about security.

    The Web is full of stupidity like that. For example, every time I type my CC number, I get "enter only digits, spaces are not allowed" even though:

    1. My CC clearly has spaces between groups of 4 digits
    2. The code that checks for spaces could just as well remove them silently
    3. The absence of spaces makes it harder to type and check for errors
    Every time I'm annoyed that computers, which could make my life easier, are instead used to make it harder.


  • @ubersoldat said:


    So, I was reading this article:

    http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html

    It's about some sites disabling paste in the password fields using different stuff but generally, the "onpaste=return false;" trick.

    Although that's already a stupid thing to do and already explained in the article, I want to bring into attention that even if pasting doesn't work, dragging does.

    Go ahead, paste your password somewhere and drag it. Test it here:

    http://jsfiddle.net/hWw2J/

    While the explanations range from stupid to insane, it's a fairly decent behavioral training practice. If you need to type in your password every time, you're gonna eventually learn it by heart instead of just leaving it with 30 others in a "passwords.txt" file on your desktop.



  • @Maciejasjmj said:

    it's a fairly decent behavioral training practice. If you need to type in your password every time, you're gonna eventually learn it by heart instead of just leaving it with 30 others in a "passwords.txt" file on your desktop.

    Oh, so you're saying we should train people to do it wrong?

    The kind of person who is pasting stuff in from passwords.txt is exactly the kind of person who has realized that using "Tigers99" for everything is a dumb idea, is organized enough to have invented a more secure alternative, and will only take the tiniest of hints to start using a proper password manager instead. I have never met a person who maintains a passwords.txt - actually more usually a passwords.docx, because most people don't know where Notepad is or what it's for - who hasn't jumped on KeePass with little squeals of delight as soon as its existence is pointed out to them.

    For what it's worth, KeePass's inbuilt auto-typer is usually unaffected by this no-paste idiocy unless you try to increase your keylogger resistance by turning on the feature that obfuscates password entry using a random mixture of partial pastes and simulated edit keypresses.

    And it is just idiocy. No surprise to me that the masters of bullshit security theatre do it as well.



  •  What's so bad with a password.txt? It's enough to protect you from the problem of website breaches, and if your computer is compromised to the level that a txt file is not safe, you have probably a lot of other problems, too.

    I can also offer OneNote as an alternative, it even offers password protected sheets.



  • @derari said:

     What's so bad with a password.txt? It's enough to protect you from the problem of website breaches, and if your computer is compromised to the level that a txt file is not safe, you have probably a lot of other problems, too.

    I carry around a copy of my keepass database on my keyring, along with the portable version of keepass. It's a lot more likely for me to lose my keys than for someone to get access to my machine.



  • @flabdablet said:

    For what it's worth, KeePass's inbuilt auto-typer is usually unaffected by this no-paste idiocy unless you try to increase your keylogger resistance by turning on the feature that obfuscates password entry using a random mixture of partial pastes and simulated edit keypresses.

    Unfortunately, sites that forbid pasting in password are the same that title their page "login", which mean keepass autotype does not work. While keepass can copy password to clipboard upon request for a few seconds, it does not allow you to drag and drop password :(



  • @tchize said:

    Unfortunately, sites that forbid pasting in password are the same that title their page "login", which mean keepass autotype does not work.
    I've never relied on the KeePass global hotkey and page title lookup thing, which always struck me as having way too many potential failure modes. The KeePass workflow that's in my muscle memory doesn't rely on page title matching, only on the browser window being second from the front; it works just fine.



  • I use your method, but I think matching on page title is probably safer. I have at least once answered an IM in between going to the website and pasting in KeePass, with the result being tab-delimited user name and password being sent straight to the person I'm messaging.



  • Yeah, I've occasionally sent a password to the wrong window as well. No biggie; since I was about to log onto the site it was intended for anyway, changing the password while I'm there is very little extra work and pays for itself with a happy little inner glow of security best practice.


  • Discourse touched me in a no-no place

    @flabdablet said:

    For what it's worth, KeePass's inbuilt auto-typer is usually unaffected by this no-paste idiocy unless you try to increase your keylogger resistance by turning on the feature that obfuscates password entry using a random mixture of partial pastes and simulated edit keypresses.
    How does KeePass cope with sites that insist on having the username and password entered on different pages? (I only deal with one such site — once a month, so yes, it's fairly obvious what I might be doing — but it's really irritating.)



  • @dkf said:

    How does KeePass cope with sites that insist on having the username and password entered on different pages?
    My bank does that, with pseudo-two-factor junk for good measure. You can set up custom auto-type strings for each page to type only the relevant bit. Or, if the site isn't so stupid as to disable pasting, you can do that, but of course then we wouldn't be discussing it in this thread.



  • @dkf said:

    How does KeePass cope with sites that insist on having the username and password entered on different pages?

    Pretty well, as long as you can start the login process by putting keyboard focus in a username box and get all the way through it from the keyboard, because you can set up custom auto-type strings per KeePass site entry. If you don't set an explicit auto-type string, KeePass defaults to using {USERNAME}{TAB}{PASSWORD}{ENTER} which works for 99% of sites.



  • @tchize said:

    While keepass can copy password to clipboard upon request for a few seconds, it does not allow you to drag and drop password
    Yes, it does.



  • @Sir Twist said:

    @tchize said:
    While keepass can copy password to clipboard upon request for a few seconds, it does not allow you to drag and drop password
    Yes, it does.

    Doesn't work on all web sites though, so there must be some braindead JS way to block that too.

    The password antipattern I find infuriating beyond all reason is where a site will allow you to paste into a New Password box but won't allow it for the Confirm New Password box. Makes me wish I could reach through the innarwebchoobs and strangle people.

    But the award for Absolutely Most Stupidest Hack Evar goes to Yahoo, whose password change box validator insists that a pasted password is too short until you append and erase an additional character after pasting.



  • @flabdablet said:

    But the award for Absolutely Most Stupidest Hack Evar goes to Yahoo, whose password change box validator insists that a pasted password is too short until you append and erase an additional character after pasting.


    Actually, that one makes sense. Pasting text happens after the keydown/keypress/keyup events for ctrl+v, so the box assumes that you typed a 0 character password because it can't see the text until after the event is done.



  • Being able to understand exactly why their stupid lazy hack doesn't work doesn't make it any less stupid.


  • BINNED

    @Ben L. said:

    Actually, that one makes sense. Pasting text happens after the keydown/keypress/keyup events for ctrl+v, so the box assumes that you typed a 0 character password because it can't see the text until after the event is done.
     

     http://www.w3schools.com/jsref/event_onchange.asp



  • @Maciejasjmj said:

    While the explanations range from stupid to insane, it's a fairly decent behavioral training practice. If you need to type in your password every time, you're gonna eventually learn it by heart instead of just leaving it with 30 others in a "passwords.txt" file on your desktop.
    As someone who has a 'passwords.txt' file, all I can say is Bullshit.

    People are constantly told to use complex passwords that can't be easily guessed and don't the same password for multiple places.  OK fine, I completely agree with that.  Since all browsers have a built-in password manager, it's very easy to have a complex, unique password for each site you need to login to.  You enter the password once and  your browser saves it for you.  Oh wait, no it doesn't, because many idiotic websites, in the name of "security" implement code that prevents your browser from automatically saving the password.  And so, your choices are:

    (a) Memorize 40 different passwords

    (b) Use the same password everywhere

    (c) Maintain a list of passwords.



  • Just out of interest, do you prefer a simple passwords.txt to something like KeePass that's built specifically for the job? If so, why?



  • @flabdablet said:

    The password antipattern I find infuriating beyond all reason is where a site will allow you to paste into a New Password box but won't allow it for the Confirm New Password box. Makes me wish I could reach through the innarwebchoobs and strangle people.

    That one's correct though. What if your regular password (saved in password.txt) is a 30 character string of nonsense. You copy it but miss out the last character by mistake. You paste into New Password AND Confirm new password boxes... which match and allow it... and now you are locked out and don't know why, the next time you try to access it with your 30 character, copy pasted string.

    Allowing users to copy paste the same thing into both completely defeats the purpose of the "Confirm New Password" box?



  • @flabdablet said:

    Just out of interest, do you prefer a simple passwords.txt to something like KeePass that's built specifically for the job? If so, why?
    Simplicity. 

    I have nothing against KeePass. It may be a wonderful program. But it's a program and brings with it all the problems or potential problems you get with any program. The KeePass website has a FAQ whcih lists a number of issues people may have. Nothing unusual there --  all programs have their issues. However, a text file never has installation problems, never crashes or causes a conflict with other programs. That just seems like a simpler more straight forward approach. Sometimes complicated is necessary. Sometimes simpler is better.

    The bigger issue, in my opinion, is why something like KeePass needs to exist in the first place. This is something that should be built into web browsers instead of needing an external program. The password managers of all web browsers are quite terrible and given the increased importance of security these days, that makes no sense.



  • @El_Heffe said:

    he bigger issue, in my opinion, is why something like KeePass needs to exist in the first place. This is something that should be built into web browsers instead of needing an external program. The password managers of all web browsers are quite terrible and given the increased importance of security these days, that makes no sense.

    If you only ever use that one web browser on that one machine and only ever use those passwords on the web, then that might make sense. I have other credentials stored in Keepass that aren't used on the web. And I can use my web passwords in other browsers on other machines relatively easily.



  • @El_Heffe said:

    a text file never has installation problems, never crashes or causes a conflict with other programs.

    Fair point. On the other hand, I use the portable version of KeePass which is a single Windows executable and doesn't need installation; I keep it in the same folder (on Dropbox and on my keyring μSD card) as the password database itself, so if I have my passwords file I also have the executable that opens it on most machines I encounter that aren't mine. On my own machines (all Debian boxes) I have KeePassX installed as a matter of course. I don't have a "smart" phone but if I did I'd have MiniKeePass or KeePassDroid installed on that too.

    For me, the slight inconvenience of occasionally needing to install KeePass or one of its derivatives on some machine is slight enough not to matter. None of them have ever crashed on me (I use the 1.x series, which doesn't rely on .Net or Mono) and I've never experienced any kind of conflict with another app; KeePass Just Works. And it's nice having something portable and completely browser-independent that not only remembers credentials, but remembers site bookmarks as well and has a good solid random password generator inbuilt and heavily encrypts the db so I don't need to worry about accidentally leaving copies of it lying about.

    If your objections to KeePass are theoretical rather than grounded in actual frustrating experience, do give it a whirl. It's really very good at what it does.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.