by neotek 2537 days ago
My old bank used to "encrypt" your password as you typed it into the input field, on keydown it would take the character you typed and — and I'm not making this up — ROT13 it. This had the effect of making it impossible to paste anything into the input field since the script would capture your ctrl+v and replace it with the letter "i".

The icing on the cake is that when I called to complain about it, the support agent insisted in very sombre tones that it was a measure to stop keyloggers. I don't use that bank any more.
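As an added illustration of the keydown behaviour described in this post (constructed example code, not the bank's script and not posted by anyone in the thread), the following JavaScript models the handler; `rot13`, `bankKeydownHandler`, `simulateTyping` and `keysFor` are assumed names:

```javascript
// Constructed model of the keydown "encryption" described above. It shows why
// Ctrl+V became the letter "i", and why ROT13 gives a keylogger nothing to break.

// ROT13 is its own inverse: rot13(rot13(x)) === x for any string x.
function rot13(s) {
  return s.replace(/[a-z]/gi, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Hypothetical handler mimicking the behaviour the post describes: every
// printable keydown is swallowed, ROT13'd and appended to the field. Because it
// never looks at event.ctrlKey, the "v" of Ctrl+V is treated like a typed "v",
// the browser's paste is suppressed by preventDefault(), and "i" appears instead.
function bankKeydownHandler(field, event) {
  if (event.key.length !== 1) return;   // ignore Shift, Enter, Backspace, ...
  event.preventDefault();               // cancels the default insert AND the paste
  field.value += rot13(event.key);
}

// Drive the handler with a list of synthetic keydown events (no DOM needed).
function simulateTyping(events) {
  const field = { value: '' };
  for (const e of events) {
    bankKeydownHandler(field, { key: e.key, ctrlKey: !!e.ctrlKey, preventDefault() {} });
  }
  return field.value;
}

// Plain keystrokes for a string, one synthetic event per character.
function keysFor(text) {
  return [...text].map((key) => ({ key }));
}

// A paste attempt ends up as a single "i", exactly as the post describes.
console.log(simulateTyping([{ key: 'v', ctrlKey: true }]));   // "i"
// What leaves the field for the constructed password "password".
console.log(simulateTyping(keysFor('password')));            // "cnffjbeq"
// Anyone observing the field value or the keystrokes recovers it with one call,
// so this is obfuscation, not protection; TLS and server-side hashing are what matter.
console.log(rot13(simulateTyping(keysFor('password'))));     // "password"
// The workaround suggested in the replies: type the ROT13 of the password.
console.log(simulateTyping(keysFor(rot13('password'))));     // "password"
```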

3 comments

>since the script would capture your ctrl+v and replace it with the letter "i".

Not an issue on Firefox, because you can toggle dom.event.clipboardevents.enabled to false, and sites won't be able to hijack your pastes.

The only problem with that is that the stupid ROT13 step wouldn't be performed so the site would reject your login attempt anyway. It was one of the dumbest design decisions I've ever seen, honestly.
I'm guessing the solution would've then been to 1) disable the update event and 2) paste the ROT13'd password, either into the browser or into the input field value via the inspector.

Like you, whenever I run into sites that do weird things like that, I always find it hard to shake a bit of suspicion about how their backend is implemented (or not, depending on the case). For instance, when they start rejecting characters like "%" or "'" which have special meaning in SQL. I can't help but wonder if they're storing things in plain text.

I've run into at least two vendors I can think of off the top of my head that limit what characters you can use for a password. That always makes me uneasy, and I don't buy anything from them on principle. Who knows what else they're doing that's not immediately obvious.

My guess is if you did that and pasted "password" you would get "passworq" and then your password would be wrong according to their "encryption" method.
This reminds me of the time I was trying to explain to the Verizon store rep why I was concerned that my SIM suddenly went offline, and they told me "Oh hun, nobody steals a phone number!"
Wouldn’t the solution be to just ctrl + i your password?