One of the website UI modalities that I just *despise* is sites that block copy/paste (via mouse clicks, and sometimes also keyboard shortcuts) for filling important fields, out of some sort of misguided belief that this somehow enhances security. Actually it easily makes it worse in most cases. This is similar to sites that have crazy password rules (that they often can't even implement properly) that also tend to make security worse, not better. E.g., "Your password must contain between 10 and 22 characters, include no less than 3 characters between G and Q, at least two special characters, and a lowercase m and p. Thank you."

@lauren My local gas utility, Southwest Gas, blocks copy-paste on the password field. I sent them several e-mails telling them why this is a terrible idea but never got a response.

Chrome has an extension called Don't Fuck With Paste, and in Firefox you can go to about:config and set dom.event.clipboardevents.enabled to false. It's not ideal but I suppose if you're technical enough to be using a password locker you're probably technical enough to toggle settings in about:config.

@Thad @lauren you have to know they exist first, though. Config sections in general, and about:config in particular, seem to be appallingly documented.
@lauren There are sites which require the user to enter their six-digit TOTP code in individual digit fields, making it impossible to paste.
@kevin I know of at least one site where the digits are in separate fields but you *can* still paste the full number in and they all fill appropriately.
@lauren @kevin Meanwhile, I've worked with one that does this, but pastes the entire code into the first box, which also works but makes me question which drugs their QA department is on.
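The paste-friendly behaviour described above (one box per digit, but a pasted code fills all of them), as an added example that is not code from anyone in the thread. The pure function is separated from the DOM wiring so it can be checked without a browser; the `input.otp-digit` selector is an assumption.

```javascript
// Added example: distribute a pasted TOTP code across one-digit-per-box
// inputs instead of blocking paste. Pure function, testable without a DOM.
function distributeCode(pasted, fieldCount, startIndex = 0, current = []) {
  // Keep only digits: authenticator apps and password managers often
  // copy codes as "123 456" or "123-456".
  const digits = pasted.replace(/\D/g, '');
  const fields = Array.from({ length: fieldCount }, (_, i) => current[i] ?? '');
  // Fill from the box the user pasted into; drop anything that overflows.
  let j = 0;
  for (let i = startIndex; i < fieldCount && j < digits.length; i++, j++) {
    fields[i] = digits[j];
  }
  const focusIndex = Math.min(startIndex + j, fieldCount - 1);
  return { fields, focusIndex, complete: fields.every((d) => d !== '') };
}

// Wire the pure function to <input maxlength="1"> boxes when a DOM exists.
function attachPasteHandler(inputs) {
  inputs.forEach((input, idx) => {
    input.addEventListener('paste', (event) => {
      const text = event.clipboardData.getData('text');
      event.preventDefault(); // we fill the boxes ourselves
      const { fields, focusIndex } = distributeCode(
        text, inputs.length, idx, inputs.map((el) => el.value));
      fields.forEach((d, i) => { inputs[i].value = d; });
      inputs[focusIndex].focus();
    });
  });
}

// Assumed selector for the digit boxes; skipped when run outside a browser.
if (typeof document !== 'undefined') {
  attachPasteHandler(Array.from(document.querySelectorAll('input.otp-digit')));
}
```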
@lauren 100% agree, I have run into countless websites that prevent you from pasting in a bank routing/account number. As someone who has trouble reading numbers, it is immensely frustrating from a usability standpoint.
Like I put it in the password safe and triple checked it was right when I entered it, please let me just paste it in so I know it’s correct.
@coyodog @lauren Folks affected by this should file ADA complaints or equivalent in their jurisdiction. It's absolutely an accessibility violation.
@lauren So the most common password will be: "HIJKLmNOp!@#"😂
@lauren @lapcatsoftware’s StopTheMadness (#macOS, #iOS, #iPadOS, cross-browser on the former) can help with the copy/paste blocking and a bunch of other things some sites try to lock you out of. https://underpassapp.com/StopTheMadness/

@mjgardner @lapcatsoftware Again, my concern really isn't with people like you or me, but for nontechnical users who use these sites with the usual browsers and without extra extensions.
@lauren @lapcatsoftware I agree. It was a mistake to make it possible for browser apps to break the browser.
@lauren Ugh. And then there are the retailers that all use the same account system where the only way to change your password is to tell them that you've "forgotten" your old one. I'm trying to change all of my passwords after switching password management services, and between the hoops they put up for initiating a reset and all of the arbitrary character rules, it is just a mess.

@lauren

I can never get these kind of developers to understand that *rules* for passwords *reduce* the possible valid passwords and *reduce* security.

I'm all for *feedback* on the "entropy" of a chosen password - but **rules cannot increase entropy**
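The point that composition rules can only shrink the set of valid passwords, worked through as an added example (not from the thread): an inclusion-exclusion count of strings that contain at least one character from each required class, compared with the unconstrained count. The class sizes assume the 94 printable ASCII characters.

```javascript
// Added example: a "must contain at least one of each class" rule only
// removes candidates, so the constrained count (and its log2, the entropy
// of a uniform random pick) can never exceed the unconstrained count.
const CLASSES = { lower: 26, upper: 26, digit: 10, symbol: 32 }; // 94 printable ASCII

// All strings of length n over an alphabet of `alphabet` symbols.
function totalPasswords(n, alphabet = 94) {
  return BigInt(alphabet) ** BigInt(n);
}

// Inclusion-exclusion over the subsets of required classes that are absent.
function passwordsSatisfyingRule(n, required, alphabet = 94) {
  const sizes = required.map((name) => CLASSES[name]);
  let count = 0n;
  for (let mask = 0; mask < (1 << sizes.length); mask++) {
    let removed = 0, absent = 0;
    for (let i = 0; i < sizes.length; i++) {
      if (mask & (1 << i)) { removed += sizes[i]; absent++; }
    }
    const term = BigInt(alphabet - removed) ** BigInt(n);
    count += absent % 2 === 0 ? term : -term;
  }
  return count;
}

function bits(count) {
  return Math.log2(Number(count));
}

// Entropy of a uniformly chosen n-character password with and without the rule.
function compare(n, required = ['lower', 'upper', 'digit', 'symbol']) {
  const free = totalPasswords(n);
  const ruled = passwordsSatisfyingRule(n, required);
  return { n, freeBits: bits(free), ruledBits: bits(ruled), lostBits: bits(free) - bits(ruled) };
}
```

Running `compare(12)` shows the four-class rule costs a fraction of a bit at that length, while `compare(3)` shows the rule admits nothing at all; adding one character to the minimum length buys more than any rule can.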

@lauren "Your password must contain a prime number of characters between 3 and 29, inclusive, with an equal number of uppercase characters, lowercase characters, and numbers, plus at least one symbol. All symbols used must be ones not on a standard keyboard. Numbers must be odd in the first half of the password and even in the second half, unless created on a Thursday, in which case... " (etc.) 😁
@darthdzl @lauren the sum of the ASCII key codes must be prime
@throAU @lauren And the letters must be one or more anagrams of filthy words in a language not native to the user.
@lauren 💯 Agree. Poor UX? Perhaps. Creating a poor CX for entire cohorts, yup! Obligatory XKCD: https://imgs.xkcd.com/comics/the_important_field.png and https://preshing.com/20110811/xkcd-password-generator/

@lauren By coincidence, I just edited a video on just this topic ‘Adversarial usability’.

https://mastodon.nycmesh.net/@joly/109619865324305302

Fresh edit of #NDSS2022 USEC Workshop keynote 'Adversarial Usability' by @[email protected] inc "The Elephant in the Room" Dark Patterns. Kicks off with a history of passwords. https://www.youtube.com/watch?v=3IFbbYwq3j4&list=PLfUWWM-POgQvj0aPaGpWbV9Fb2iLN4zIp&index=2 #cybersecurity #passwords #ux

@lauren Not to mention hyperlinks that are Void().
@lauren Ticketmaster's website used to have a password rule of "Must be between 1 and 250 characters"
@lauren when sites have a *maximum* password length I can't do anything but assume that's because they're storing them in plaintext in a fixed-length database field rather than hashing them.
@lauren @jimbob *some* limit on max length still makes sense. I mean - nobody wants a 2GB file dumped as a password and then hashed on the server side. I'm OK with a max length limit between 64 and 1024 characters.

@jimbob @lauren I've encountered a site that forbade long passwords because they were tired of doing account recovery for people who had forgotten their extremely long passwords.

However, their notion of "extremely long" was like 16 characters, which doesn't allow the sparser but more memorable passphrases like "relish-leaflet-clue-respondent".

I no longer use that service.

@lauren The odd thing is that most of them are so incompetent they don’t block the OS’s context menu
@lauren The last part sounds like you encountered an implementation of https://passwordpurgatory.com/

@lauren
How about sites that make you enter your email address twice, and then *do* let you copy and paste it in.

Duh!

@lauren if you are on a Mac you may like “stop the madness” that thwarts much of this user-hostile rubbish.
@lauren If you buy US bonds through TreasuryDirect, you are not even allowed to type your password with your keyboard -- they make you click the keys of an on-screen keyboard. To defeat key loggers I guess. And then they tell you don't worry about capitals, the validation ignores case! My head spins every time I have to log in.
@lauren There's an extension called "Don't fuck with paste" that works around the first thing.
@lauren I was just bitching about this earlier today. Cisco UCS Manager blocks paste into the login field. Cheers for paying someone to literally make the product worse.
@lauren Hard same. The good news is that these "features" are starting to be regarded as vulnerabilities. Hopefully more scanners will start flagging them and they will get hurriedly removed by the same self-anointed experts who misguidedly insisted upon them.

@lauren An anti-password-manager policy is a red flag. When I see it, my concern shifts to my data.

If they can't get this one simple outward facing aspect of security right, and they refuse to fix it, what other unseen poor ideas have gone into securing the rest of their site?

The best approach is to abandon your cart and cancel your account, filing a bug report indicating why. Let the business feel the pain.

@targetdrone Obviously the "cancel your account" approach is utterly impractical in a wide variety of situations.
@lauren Yeah, both are idiotic. If you run into the 'no paste' thing a lot, I recommend setting up a utility so you can have the computer 'type' the contents of the clipboard. Comes in handy in various other situations as well, such as when Word decides it's gonna do freaky things with the formatting of what you are pasting.
@lauren I always use big complex passwords. I had to use a city records website which allowed characters to be used in the password during registration which would trigger a prohibited character error on the log in page.
@lauren my go to password for these is “Fuckyou2!” …which is probably just as secure as “Abc1234” anymore

@lauren for entering your password, the U.S. government's TreasuryDirect website not only blocks copy/paste, but blocks the keyboard altogether, forcing you to use your mouse to type on an on-screen keypad.

After one time logging in this preposterous way, the first order of business for me was to shorten my generated password to the bare minimum allowable 🙃

@awolf I can't recall seeing that kind of credentials entry UI outside of TV-based apps, where of course it is very common and frustration inducing. At least more sites now permit showing password during entry on request. I argued for that for years.
@lauren Also we've noticed that you switched to a different VPN exit node so we just blocked your account. It doesn't matter if you're sure it was you, so we'll just force you to change your password. And you can't change it back to your old secure password that you could actually remember — just use something like IH@teApple123 and use password recovery anyway next time you have to log in because you couldn't remember the digits and refused to write it down on a sticker 🤪