[nickray]

https://login.swissid.ch does this too: disallow password managers from filling out the login. Upon asking them to fix: "Autofill completion is not allowed by us for security reasons. First, if that's the case, if someone gets to your PC, we can stop a hacking attempt and that's one of many reasons. For other questions, we are at your disposal."

They also only enforce SMS as two-factor authentication.

The idea of this SwissID is to become a nation-wide identity service, yet they manage to do everything wrong. Yeah, this annoys me to no end :(

[timvdalen]

Hah, that page actually allows you to test whether or not a certain email address is signed up for the service, which seems like an even worse idea given what they're to become.

[kazagistar]

How do you actually prevent this? It seems impossible to prevent that information from leaking via timing attack.

[kodablah]

You should validate credentials all at the same time. In general, you only fail a login at the end of the process, not halfway through. Also every login failure, regardless of reason, should be accompanied by short, random server-side sleep before returning (e.g. random between a couple hundred milliseconds and a second).

[AmericanChopper]

Account enumeration is impossible to fully prevent, and as far as security vulnerabilities go, the risks associated with account enumeration are usually pretty irrelevant. It’s the sort of thing you’d see on a penetrating testing report when the testers didn’t find any actual security vulnerabilities.

[JimDabell]

I generally agree with that, but it's worth mentioning that there are exceptions where being able to tell if an individual is registered can be sensitive information (Ashley Madison, Grindr, etc.)

[AmericanChopper]

Yeah, there are some unique threat models where determining that an account exists would be a sensitive information disclosure. In those cases users would be more willing to endure the potentially heavy handed UX trade offs required to adequately prevent it.

It’s the idea that knowing that an account exists somehow represents a compromise in the accounts security posture that I generally reject.

[menacingly]

I still think that's vulnerable to timing attack. Timing attacks are the voodoo that should keep us up at night, a clever attacker can extract information that seems impossible.

[xvector]

With unlimited logins, it is indeed vulnerable to timing attacks. You could measure the mean time of a certain email against the mean time of another email. This effectively gets rid of the random delay.

Perhaps you could measure the time of the login process and adjust the random delay based on how long the process has taken. If you can get this to average to a <1ms difference between the "email exists" and "email doesn't exist" you could probably defeat any timing attacks over the network.

That, or just limit retries and have different random timeouts for every login. Now you can't try enough times to get a good estimate of the mean for each login path, and you can't use other logins to help you refine your estimate because each has different timeouts.

[thaumaturgy]

Once upon a time I thought this was a pretty serious avenue of attack and wrote login forms to always run on the server in constant time -- starting a timer at the beginning and only returning output after a fixed number of ms.

I mostly don't bother anymore, because an effective timing attack for account discovery against something that's doing everything else correctly should take so many attempts that it should wake up whatever brute force protection sites should be running now anyway.

Given the number of dumb automated brute force probes against just about anything with a login, you can't just allow an infinite number of requests from a single IP (or a handful of IPs).

[menacingly]

Oh sure, didn't mean to come across as someone who worries deeply over account discovery. I just saw an opportunity to remind folks that foiling side-channel attacks is very non-trivial and you can put forth a good effort and still be surprised at the information you're leaking.

[count]

Random sleeping isn't super effective. See: https://eprint.iacr.org/2015/1129.pdf and it's references.

[kodablah]

From what I read, they can tell differences when having the randomness in the hundredths-of-seconds (specifically said they patched to go from 10s to 10,000µs). The randomness I mention, assuming N is the maximum number of tolerable system time for successful login, should be 2N + random(2N, ~100N). Or just store a time at login start and force hit the same deadline every time (via sleep of diff from start) then add randomness on top. Of course, additional brute force detection/protection is ideal for repeated failures.

The random sleep is to prevent obtaining enough samples and provide reasonable noise at this small sample size. Given enough samples until the end of time, patterns can be obtained. This is not breaking TLS here, this is login, and seconds of sleep vs microseconds makes a difference.

[count]

Randomness inserted like that can be filtered out statistically with a decent sample set - it's a gaussian distribution, so you'll still see the saying timing differences. This is why things have to be constant time, rather than random return time.

[jedberg]

Usually you do it by giving the same response for an invalid password and a non-existent email. I wanted to see how that particular page was leaking but the site wouldn’t load for me.

[RcouF1uZ4gsC]

That won’t really help in general because you can go try to sign up with an email address. It has to tell you if the address is already taken or not.

[insomniacity]

Not quite - best practice is to continue the initial setup - ie, "we've sent you a link, please click to activate your account". Except if the email address is already in use, you email the address and let them know that. That way they only leak that info to the owner of the email address - and they can include a password reset link too.

[MattSayar]

How about for websites that give you some functionality without a verified email address? At that point, you can't let a user dink around if the address is in use.

Granted, this doesn't apply to eg banks, but there's plenty of websites where this could apply.

[0x6c6f6c]

Absolutely. It's really more relevant with services you can't directly sign up for, such as an internal service in the company where user enumeration helps you find a target when the error messages are different.

[dasil003]

Requiring a timing attack and having throttling on any such endpoints raises the bar quite a bit by itself.

As to preventing timing attacks you can add a delay to give a uniform response time.

[CiPHPerCoder]

> As to preventing timing attacks you can add a delay to give a uniform response time.

You have to be very careful with how you implement the delay to prevent the timing signal from still propagating to the attacker.

https://blog.ircmaxell.com/2014/11/its-all-about-time.html#A...

[paulddraper]

What the vulnerability?

You find out that an email address belongs to a Swiss citizen?

[jstarfish]

No, but given a list of random addresses of Swiss citizens scraped from wherever, you can validate each one by checking them against this portal. If it shows up, it's an active address.

[cstuder]

I too have a bad feeling about SwissID. Only SMS as two-factor authentication, turned off by default. No other methods planned, according to the support.

The fact that the Swiss Post requires it as login method makes me uneasy.

[dcbadacd]

Can someone explain what security does forbidding pasting provide? My brain just can't comprehend it.

Also, would a fix be a password manager that just ignores the forbidding or is it done with JS somehow?

[zaarn]

Forbidding pasting provides the security of having to click "Inspect elements" before the hacker can proceed.

(Most PW manager plugins I know already ignore pasting properties, though a bank I was customer of circumvented that; the textbox was actually a DIV and they had coded the functionality of a textbox into it to prevent pasting)

[asdkhadsj]

Yea, I ran into a bank that did that too. Then they proceeded to ask me a half dozen "security" questions from a massive list I could choose. Most of which I didn't know the answer to.

I answered all of them (and put my answers down in my pw manager) with something like "X bank has terrible security, I hate this bank" - hoping that one day I'll have to answer those by phone haha.

[tvanantwerp]

I always answer the security questions with gibberish that I also save with my password manager. I now use a method like correct-horse-battery-staple to create answers, but I used to use long alphanumeric strings. I switched methods because, yes, one day I had to read the answer over the phone.

Rep: "Tell me the answer to this question."

Me: "Ok, let me see what I set it to..."

Answer: F^O9dA66@wUPpK5$lTXBbrQ#yLP1EGl$

Me: "Oh... Oh no."

[ceejayoz]

I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.

Lately, I've been making up a seemingly correct, but random response (and different each time). My favorite vegetable? Sea cucumber! I store that in my password manager.

[thaumasiotes]

> I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.

I can confirm that this is the case. I provided a gibberish answer to a security question for Blizzard. I didn't bother to write it down, relying on not forgetting my password.

I never forgot my password, but Blizzard shut down my account anyway because I was making payments with a card that was not listed as the account's "primary payment method". (The card I was using was listed on the account, but another card was the "primary payment method".) When I had to call support and answer my security question, the answer I'd filled in just meant that I wasn't required to provide the correct answer.

[metafunctor]

I use something like this: “the secret password is tango-seven-alpha-romeo-zero-zero-victor-sierra-foxtrot-quebec".

Never had to use these for real yet, but it should be a bit harder to be seen as a “a bunch of gibberish”.

[AdmiralAsshat]

I've had the same situation before, and I don't think I've ever had to read them the entire thing. Usually we did something like this:

Rep: "Tell me the answer to this question."

Me: "Ok, let's see.....ah. So, it looks like a random string of gibberish, right?"

Rep: "Um, well...(unsure if he's allowed to say Yes or No)"

Me: "Yeah, I use a password manager for all my stuff, so all my passwords are randomly generated. I didn't think I'd ever have to read it over the phone. Sorry about that! I can read it out for you, but it might take awhile. If I read you the first three characters and the last three characters, is that sufficient to demonstrate for you that I know the Answer?

Rep: "Yes, I think that would be fine."

Me: "Alright, then! First three, 'F', 'caret', 'capital O'. Last three, 'capital G', 'lowercase l', 'dollar sign'.

---

As I said, I've never had anyone challenge me to read the full thing out. When I explain why it is that way and give them the bookends, they are usually convinced that I'm me.

[austhrow743]

Theres a security issue there in that you don't want them in "I think that would be fine" territory.

Some of those reps may have been fine with you saying "oh no. I didn't think I'd ever need that and just mashed the keyboard".

Better to use something that's still made up, but is plausibly true.

[aaronmdjones]

As is demonstrated time and time again, the weakest point in any security system is usually a human being.

[btilly]

I am reminded of https://xkcd.com/1181/.

What garbage string is there doesn't matter. Just as long as it is recognizably garbage and you know it.

[dwyerm]

I use GPW strings for this use-case. GPW has weaknesses that make them somewhat poor for use as first-line passwords, but they're still really good for passwords that you need to read to someone over the phone.

In my most recent experience with them, the company allowed to be set both the question AND the answer. So, they had to read a random string to me, and I had to read one back. It went quite well, actually.

https://multicians.org/thvv/gpw-js.html

[hfdgiutdryg]

I do the same thing, but I only use strings that are maybe four or five characters of letters only. Most of these answers are expected to be things like people and street names, so I think it's still vastly more secure without looking like the system had an internal error.

[zwayhowder]

The only change I make to this process is my security questions are stored in a separate password manager to my passwords. That way if I lose access to my passwords and actually need the stupid (ahem, security) questions I can find them.

[coastal-fiesta]

This is exactly what I do. Keep it easily human readable but it should still be nonsense that no one could social-engineer their way into getting.

[ceejayoz]

I thought I'd seen it all until I had to set my United Airlines security questions.

Not only are the questions picked from a list, but the answers are. http://www.slate.com/articles/technology/future_tense/2016/0...

[mpeg]

I did that at a certain corp, my security answers were all long sentences completely unrelated to the question (mostly things like "This question is useless" which made for some interesting phone conversations until they got it)

Basically if you wanted to reset your employee password, which gave you access to corp vpn etc, you could call a 24/7 support line and give them your security answers.

The problem with this is that most of the questions were not things that are inherently secure, things like "what was the name of your primary school" are easy to guess or research.

[ceejayoz]

> The problem with this is that most of the questions were not things that are inherently secure, things like "what was the name of your primary school" are easy to guess or research.

They're also inherently unanswerable in many cases.

As an example, I went to two different primary schools. I don't have a favorite musician or sports team, and the answer to "where did you meet your wife" might be the school, the city, or "in class".

Last time I had to update my Apple security questions a good 80% of the questions weren't ones I felt I could answer in a way that'd be memorable a few years later.

[pandler]

Not to mention, these things are usually case sensitive. Sure, I can remember my childhood address, but how did I capitalize it? Did I abbreviate street? If I abbreviated street, did I add a period to make it "St." or "St"?

Fortunately, I don't notice too many services requiring security questions these days. Unfortunately, most of them are banks or other services that probably also have my SSN.

[dstroot]

USBank?

[zaarn]

Nop a german bank, they have stopped doing it somewhere around december last year.

[probably_wrong]

A couple (bad) examples I can think of:

* you leave the password in the clipboard, and another website copies it (used to be a thing, I think it's patched now)

* same case, but now a coworker comes to your unattended PC and retrieves the password by pasting it somewhere

* allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops

None of this arguments is really good, but I can believe that they would be the result of a world without widespread password managers (also known as "the 90s") and tradition.

[Xylakant]

> * allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops

"Never write a password down" has always been a bad idea. A file named "passwd.txt" on my desktop still is better than using a trivial password or the same password on all sites. It still requires compromise of my machine and prevents the password from being recovered from a dump of the pw-hashes.

[C14L]

And if your PC has full disk encryption and you lock your PC when afk, then its pretty close to a password manager.

[Xylakant]

No, there's a reason password managers should be preferred. For example, sometimes (browser) sandbox escapes grant reading of arbitrary files. Take for example the recently discussed malware scanner the sent the browsing history, it could read such a file and transfer it back.

[UncleMeat]

If you have malware on your device you lose already. It can just read memory out of your browser process and steal your passwords.

[ChrisSD]

Windows doesn't encrypt files on lock. You can tell this because your applications keep running...

[p4rsec]

But that's not the point. The point is they have to break past your login screen, or, failing that, pull data from your storage while it's "offline" (i.e. not booted). If it's encrypted, they can't pull data off your drive externally, and as long as they can't login you're fine. Plus all the data is stored still encrypted. It's not like it decrypts the drive when you boot, it just enables an decryption algorithm that decrypts data on the fly (AFAIK).

[davidhyde]

Using the clipboard at all for security related things like temporarily storing a password is a bad idea. The clipboard is a big public billboard visible to anything running on your computer.

The fact that password managers use it at all is simply because it is the only hack that works to reliably get data into password boxes. Yes, its a hack. The HTML5 spec should have exposed a mechanism to securely insert data into an element tagged for such a purpose. A one way mechanism.

[reitanqild]

> Using the clipboard at all for security related things like temporarily storing a password is a bad idea.

(Emphasis mine.)

Well. The moment you have evil code running on your box, as you, then I'll naively assume you have a bigger problem to deal with anyway.

> The clipboard is a big public billboard visible to anything running on your computer.

And everything from client work to love letters in my home folder is available to anything that runs as me, unless I've gone out of our way to secure it - and succeed.

Not saying the clipboard isn't a problem.

Not saying browsers shouldn't expose a carefully thought out API.

But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.

[davidhyde]

> But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace. Browser extension password managers are very much a step in the right direction. For most people, they strike the right balance between convenience and security. I guess I'm just a very paranoid developer who does not value that convenience as much as most.

[corobo]

> The clipboard is a big public billboard visible to anything running on your computer

So is your keyboard buffer. If someone's already in your computer watching your clipboard they're probably also watching anything you type too

[floatboth]

On X11 and Windows (except UWP apps probably?), yes. On Wayland, random apps can't listen to global keyboard events.

[berti]

A number of people dislike Wayland because applications can't watch the screen, keyboard input, clipboard etc outside of their own window. Really, that's one of its great strengths over X11.

[paulryanrogers]

Keepass tries to mitigate this, as well as keyloggers, by splitting autoinsertion into parts using both. An even better solution is probably one-time passwords with 2FA.

[davidhyde]

Thanks, that's good to know!

[hiccuphippo]

Does any password manager uses a virtual keyboard to type the passwords in? That would avoid using the clipboard, but wouldn't work with one of my banks which doesn't even have an input box. They show a keyboard on screen and you have to click on the letter to type your password.

[thedirt0115]

You have to type in your password WITH YOUR MOUSE??? Wow. Sounds like a great way to make sure everyone uses the minimum allowed length for their passwords...

[sb23]

One of mine has this mouse-to-type feature coupled with numbers only and max length of 6...

[taco_emoji]

Keepass can "auto-type" the password by emulating keyboard events.

[snackematician]

passmenu --type

[foo101]

> you leave the password in the clipboard, and another website copies it (used to be a thing, I think it's patched now)

Even if it were not patched, how a site disabling "paste from clipboard" remove my password that I have already copied to clipboard.

Note that I would copy the password first and then I would realise that the site is not allowing me to paste it.

[guntars]

You only realize that the field doesn’t support pasting once and don’t attempt it ever again. If it allows pasting, the password will be in the clipboard every time you log in, which arguably could be more times than one.

[hiccuphippo]

No, the next time I try again and after it fails again then remember they didn't allow it and curse them for not fixing it already. Then repeat the process.

[thecatspaw]

if the issue is that it stays in the clipboard the site could just remove it once pasted or when sending the form

[foo101]

I am not familiar with JavaScript. Could someone share some sample JavaScript code that shows how it allows the browser to modify my system clipboard?

[zmw]

Check out clipboard.js.

[pwenzel]

1Password clears your clipboard after a short period of time, and you can customize it. Is this not a standard feature of all password managers?

[C14L]

So does pass and KeePassX.

[FabHK]

And pwSafe (based on some of Bruce Schneier's work), FWIW.

[cuspycode]

I think it's "Cargo Cult Security". My hypothesis is that someone once realized that having a password stored in the clipboard could be bad, so let's just ban pasting passwords. The logic here is obviously completely backwards, but once a meme is out there it's hard to stop it.

[herghost]

I believe that the argument they rely on is that if you're pasting it then you must have it written down somewhere so that you could have copied it.

It's not a completely left-field position - it's definitely wrong in a modern context - however, previous years of security advice did focus on not writing passwords down.

I have also heard that they believe the removal of the option to paste removes the ability of attackers to exercise brute force attacks against their site. This betrays a lack of understanding of multiple technologies, though.

[andybak]

It's just as worrying to parrot advice that hasn't made sense for years than if they'd dreamt it up themselves. Whoever is in charge of security should have updated their knowledge in at least the last decade or so.

[smolder]

It's my experience that at some organizations, there is effectively no learning anything new beyond the hiring date from any outside source. They may hold very general training for uselessly shallow/fad stuff like "how to be an innovator" or "what the cloud means for our business" but those are generally not substantive efforts to improve the effectiveness of employees. They often set no goals and have no consequences for anyone. They're check boxes/busy work for upper management.

[davchana]

Indian SBI Card does this, prevent pasting, & has set autocomplete=off to prevent browser from remembering the password. I got into Inspect Elements, removed autocomplete, & then typed in my password & then Chrome offered me to remember it. Now on subsequent logins, clicking into UserID does not trigger the saved id/pw combination dropdown from Chrome, but clicking in Password field does.

[jiveturkey]

For pasting of passwords, there is no security benefit. password managers ignore it.

"They" often also disable pasting of other duplicated fields, like bank routing number, email address. So this shows why it is done (but misapplied to password). It's so you don't just copy and paste a wrong value that is hard for them to verify and leads to support calls. By forcing you to retype from scratch, the theory is you will either get it right twice or the error will be flagged.

[megaremote]

This is so silly, I am more likely to get it wrong if I type it in than paste it in.

[jiveturkey]

but you aren't likely to type the same, matching error twice.

[Cthulhu_]

As a naive non-security expert, I'd consider it a risk to put passwords in the clipboard - what if there's something that can read your clipboard? JS on another site for example? What if you accidentally paste it on a 3rd party site?

That's copying it though. I know a decent password manager will clear the clipboard after an X amount of time too, mitigating the risk somewhat. But that's copying, not pasting in a field.

[foo101]

How does a site disabling "paste from clipboard" protect my password that I have already copied to clipboard?

Note that I would copy the password first and then I would realise that the site is not allowing me to paste it.

[virtualized]

If a browser allows websites to read the clipboard, that's a security bug in that browser.

[shawn]

There is no security benefit to forbidding pasting. https://www.troyhunt.com/the-cobra-effect-that-is-disabling/

Why do people do it? The same reason people believe /dev/random provides security benefits.

It's important to ignore the correct things. (But it's often hard to figure out what to ignore.)

[theandrewbailey]

Of course, because everyone should be using /dev/urandom instead. \s

[Aeolun]

Whenever I see messages of this kind, there is some doubt light that turns on in my head. Wondering if it’s possible I missed something, but I always have to conclude that, no, there isn’t anything wrong with my thought process.

They really are just that clueless...

[auslander]

Safari does it best. I does not fills the box, until you click on it, then it gives you the choosing list to click an entry.

That prevents the page's JavaScript code to read autofills before user action.

Regarding can you trust Troy, check this out https://news.ycombinator.com/item?id=17398821

[sschueller]

Me too as we already had an attempt called suisse ID (10 years ago now?) and mobile ID. Both which cost money limiting adaption greatly.

Personaly I like mobile Id which makes logging into PostFinance or swisscom easy but not all phone providers are able to offer it.

Sucks that for post and sbb I need yet another system, Swiss id....

[ThePadawan]

Notably, SwissPass did not allow me to set a randomly generated, very long (>20 character) password.

It also didn't notify me that it didn't allow such passwords, it just went right ahead and created an account it was impossible to log in to.

Thankfully, I was able to reset the password to one which is far unsafer.

Well done everyone.

[davchana]

India Government's official Website for managing public retirement fund, NPS, eNPS does this. Password need to be changed every 90 days, of max 14 characters length, but no where documented. On password change page, it will silently accept your any 14+ length password & will truncate it to 14. Then you try to login with your actual password, it gives error, Wrong Password.

[FabHK]

That's just stunningly bad (both the 90 days reset, and the silent (!) truncation to 14 characters...)

[mikestew]

In the U. S., Washington state's initial rollout of their ACA site did that. Gave it a big, long >20 char password, it created the account, go to log in and...

How did I figure out what was going on? They would happily email your password in plain text. </facepalm>

[r3bl]

The first thing I would try in that situation is to input the first 16 characters of that randomly generated password.

I've stumbled upon login fields that just dismissed everything after the 16th character a few times.