Forbidding pasting provides the security of having to click "Inspect elements" before the hacker can proceed.
(Most PW manager plugins I know already ignore pasting properties, though a bank I was customer of circumvented that; the textbox was actually a DIV and they had coded the functionality of a textbox into it to prevent pasting)
Yea, I ran into a bank that did that too. Then they proceeded to ask me a half dozen "security" questions from a massive list I could choose. Most of which I didn't know the answer to.
I answered all of them (and put my answers down in my pw manager) with something like "X bank has terrible security, I hate this bank" - hoping that one day I'll have to answer those by phone haha.
I always answer the security questions with gibberish that I also save with my password manager. I now use a method like correct-horse-battery-staple to create answers, but I used to use long alphanumeric strings. I switched methods because, yes, one day I had to read the answer over the phone.
I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.
Lately, I've been making up a seemingly correct, but random response (and different each time). My favorite vegetable? Sea cucumber! I store that in my password manager.
> I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.
I can confirm that this is the case. I provided a gibberish answer to a security question for Blizzard. I didn't bother to write it down, relying on not forgetting my password.
I never forgot my password, but Blizzard shut down my account anyway because I was making payments with a card that was not listed as the account's "primary payment method". (The card I was using was listed on the account, but another card was the "primary payment method".) When I had to call support and answer my security question, the answer I'd filled in just meant that I wasn't required to provide the correct answer.
I've found it's better to give them correct answers that are entirely fake. The make of your first car is an astin Martin. Your nearest sibling lives in lunar colony 1.
This way "it's a bunch of gibberish" doesn't get past their security.
I've had the same situation before, and I don't think I've ever had to read them the entire thing. Usually we did something like this:
Rep: "Tell me the answer to this question."
Me: "Ok, let's see.....ah. So, it looks like a random string of gibberish, right?"
Rep: "Um, well...(unsure if he's allowed to say Yes or No)"
Me: "Yeah, I use a password manager for all my stuff, so all my passwords are randomly generated. I didn't think I'd ever have to read it over the phone. Sorry about that! I can read it out for you, but it might take awhile. If I read you the first three characters and the last three characters, is that sufficient to demonstrate for you that I know the Answer?
Rep: "Yes, I think that would be fine."
Me: "Alright, then! First three, 'F', 'caret', 'capital O'. Last three, 'capital G', 'lowercase l', 'dollar sign'.
---
As I said, I've never had anyone challenge me to read the full thing out. When I explain why it is that way and give them the bookends, they are usually convinced that I'm me.
I use GPW strings for this use-case. GPW has weaknesses that make them somewhat poor for use as first-line passwords, but they're still really good for passwords that you need to read to someone over the phone.
In my most recent experience with them, the company allowed to be set both the question AND the answer. So, they had to read a random string to me, and I had to read one back. It went quite well, actually.
I do the same thing, but I only use strings that are maybe four or five characters of letters only. Most of these answers are expected to be things like people and street names, so I think it's still vastly more secure without looking like the system had an internal error.
The only change I make to this process is my security questions are stored in a separate password manager to my passwords. That way if I lose access to my passwords and actually need the stupid (ahem, security) questions I can find them.
I did that at a certain corp, my security answers were all long sentences completely unrelated to the question (mostly things like "This question is useless" which made for some interesting phone conversations until they got it)
Basically if you wanted to reset your employee password, which gave you access to corp vpn etc, you could call a 24/7 support line and give them your security answers.
The problem with this is that most of the questions were not things that are inherently secure, things like "what was the name of your primary school" are easy to guess or research.
> The problem with this is that most of the questions were not things that are inherently secure, things like "what was the name of your primary school" are easy to guess or research.
They're also inherently unanswerable in many cases.
As an example, I went to two different primary schools. I don't have a favorite musician or sports team, and the answer to "where did you meet your wife" might be the school, the city, or "in class".
Last time I had to update my Apple security questions a good 80% of the questions weren't ones I felt I could answer in a way that'd be memorable a few years later.
Not to mention, these things are usually case sensitive. Sure, I can remember my childhood address, but how did I capitalize it? Did I abbreviate street? If I abbreviated street, did I add a period to make it "St." or "St"?
Fortunately, I don't notice too many services requiring security questions these days. Unfortunately, most of them are banks or other services that probably also have my SSN.
* you leave the password in the clipboard, and another website copies it (used to be a thing, I think it's patched now)
* same case, but now a coworker comes to your unattended PC and retrieves the password by pasting it somewhere
* allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops
None of this arguments is really good, but I can believe that they would be the result of a world without widespread password managers (also known as "the 90s") and tradition.
> * allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops
"Never write a password down" has always been a bad idea. A file named "passwd.txt" on my desktop still is better than using a trivial password or the same password on all sites. It still requires compromise of my machine and prevents the password from being recovered from a dump of the pw-hashes.
No, there's a reason password managers should be preferred. For example, sometimes (browser) sandbox escapes grant reading of arbitrary files. Take for example the recently discussed malware scanner the sent the browsing history, it could read such a file and transfer it back.
Modern browsers and OS kernels have extensive mitigations against this. Reliably extracting a password from a browser process's heap would be newsworthy today.
I specifically picked an example of a malware that was capable of reading arbitrary files, but not arbitrary memory because the authors found a simple way to trick users into granting them this permission set, but not another.
A sandbox escape that allows the attacker to trick the browser into sending arbitrary files back is also substantially different to having malware on your system that can read arbitrary memory.
But that's not the point. The point is they have to break past your login screen, or, failing that, pull data from your storage while it's "offline" (i.e. not booted). If it's encrypted, they can't pull data off your drive externally, and as long as they can't login you're fine. Plus all the data is stored still encrypted. It's not like it decrypts the drive when you boot, it just enables an decryption algorithm that decrypts data on the fly (AFAIK).
The data is encrypted, but as long as the encryption keys are in memory, they could be retrieved via either an attack against peripheral ports that can read memory (thunderbolt has proven vulnerable and USB too, iirc) or via a cold boot attack, possibly using freeze sprays. Such attacks against FDE have been demonstrated. A good password manager purges the keys after a bit or on lock. pass ties into the gpg ecosystem and thus allows having the keys on a smartcard, a capability I’d like to see in other PW-managers.
MacOS has the option to purge decryption keys from memory on lock, but that effectively puts the computer to sleep on lock. It’s more secure, but annoying as hell since all network connections die (VPN, ssh, ...)
If you have a fancy "USB" port which allows connexion of graphics cards (so basically a PCIe port, although it also accepts USB), chances are that you can do whatever you want with unrestricted DMA through this port. It seems that letting Windows use the IOMMU is only allowed on the Enterprise edition, which is basically unavailable for the general public. So facing determined and/or well financed actors, it is as if the Windows login do not exist anymore for tons of Windows users.
Using the clipboard at all for security related things like temporarily storing a password is a bad idea. The clipboard is a big public billboard visible to anything running on your computer.
The fact that password managers use it at all is simply because it is the only hack that works to reliably get data into password boxes. Yes, its a hack. The HTML5 spec should have exposed a mechanism to securely insert data into an element tagged for such a purpose. A one way mechanism.
> Using the clipboard at all for security related things like temporarily storing a password is a bad idea.
(Emphasis mine.)
Well. The moment you have evil code running on your box, as you, then I'll naively assume you have a bigger problem to deal with anyway.
> The clipboard is a big public billboard visible to anything running on your computer.
And everything from client work to love letters in my home folder is available to anything that runs as me, unless I've gone out of our way to secure it - and succeed.
Not saying the clipboard isn't a problem.
Not saying browsers shouldn't expose a carefully thought out API.
But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.
> But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.
Browser extension password managers are very much a step in the right direction. For most people, they strike the right balance between convenience and security. I guess I'm just a very paranoid developer who does not value that convenience as much as most.
A number of people dislike Wayland because applications can't watch the screen, keyboard input, clipboard etc outside of their own window. Really, that's one of its great strengths over X11.
Keepass tries to mitigate this, as well as keyloggers, by splitting autoinsertion into parts using both. An even better solution is probably one-time passwords with 2FA.
Does any password manager uses a virtual keyboard to type the passwords in? That would avoid using the clipboard, but wouldn't work with one of my banks which doesn't even have an input box. They show a keyboard on screen and you have to click on the letter to type your password.
You have to type in your password WITH YOUR MOUSE??? Wow. Sounds like a great way to make sure everyone uses the minimum allowed length for their passwords...
You only realize that the field doesn’t support pasting once and don’t attempt it ever again. If it allows pasting, the password will be in the clipboard every time you log in, which arguably could be more times than one.
No, the next time I try again and after it fails again then remember they didn't allow it and curse them for not fixing it already. Then repeat the process.
I think it's "Cargo Cult Security". My hypothesis is that someone once realized that having a password stored in the clipboard could be bad, so let's just ban pasting passwords. The logic here is obviously completely backwards, but once a meme is out there it's hard to stop it.
I believe that the argument they rely on is that if you're pasting it then you must have it written down somewhere so that you could have copied it.
It's not a completely left-field position - it's definitely wrong in a modern context - however, previous years of security advice did focus on not writing passwords down.
I have also heard that they believe the removal of the option to paste removes the ability of attackers to exercise brute force attacks against their site. This betrays a lack of understanding of multiple technologies, though.
It's just as worrying to parrot advice that hasn't made sense for years than if they'd dreamt it up themselves. Whoever is in charge of security should have updated their knowledge in at least the last decade or so.
It's my experience that at some organizations, there is effectively no learning anything new beyond the hiring date from any outside source. They may hold very general training for uselessly shallow/fad stuff like "how to be an innovator" or "what the cloud means for our business" but those are generally not substantive efforts to improve the effectiveness of employees. They often set no goals and have no consequences for anyone. They're check boxes/busy work for upper management.
Indian SBI Card does this, prevent pasting, & has set autocomplete=off to prevent browser from remembering the password. I got into Inspect Elements, removed autocomplete, & then typed in my password & then Chrome offered me to remember it. Now on subsequent logins, clicking into UserID does not trigger the saved id/pw combination dropdown from Chrome, but clicking in Password field does.
For pasting of passwords, there is no security benefit. password managers ignore it.
"They" often also disable pasting of other duplicated fields, like bank routing number, email address. So this shows why it is done (but misapplied to password). It's so you don't just copy and paste a wrong value that is hard for them to verify and leads to support calls. By forcing you to retype from scratch, the theory is you will either get it right twice or the error will be flagged.
As a naive non-security expert, I'd consider it a risk to put passwords in the clipboard - what if there's something that can read your clipboard? JS on another site for example? What if you accidentally paste it on a 3rd party site?
That's copying it though. I know a decent password manager will clear the clipboard after an X amount of time too, mitigating the risk somewhat. But that's copying, not pasting in a field.
(Most PW manager plugins I know already ignore pasting properties, though a bank I was customer of circumvented that; the textbox was actually a DIV and they had coded the functionality of a textbox into it to prevent pasting)