In today's episode of 'website security theatre' we present the US Government's "TreasuryDirect" site.

They don't just disable copy-and-paste into the password field, they disable *keyboard entry* into the password field. You are required to click buttons on this virtual keyboard in order to enter your password. Kudos to them for making high-entropy random passwords difficult to use!

Oh, and the password is also case-insensitive, probably because implementing shift-key support in the virtual keyboard would have been too complex.

#Password #SecurityTheatre

@kevin had the same thoughts and resorted to some JavaScript :(
@stefpac @kevin as in a #GreaseMonkey script that could be reused or shared, or a little browser console hacking?

@kevin Some time ago NIST, which gov follows, made noises about redoing their always bad and long obsolete password recommendations. I don’t know if they ever got out. Maybe they would have embarrassed too many.

In my fed days I was told we must memorize all our passwords, never write them down, and change them monthly ….

@jgordon @kevin NIST published their changes years ago and made a lot of noise about it. I frequently search this up and provide it to folks demanding LUDS and short password expiry...

@mcdanlj @kevin

Good to know! When I last looked they seemed stuck in some pre-release state.

@jgordon @kevin 2017, with small updates in 2020. Search for "nist password requirements" finds it and related documents.

https://pages.nist.gov/800-63-3/sp800-63b.html

5.1.1.2 Memorized Secret Verifiers
...
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.

...

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

NIST Special Publication 800-63B

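The blocklist comparison quoted from 5.1.1.2 above, as an added example (not NIST's text or code, and not anything from this thread): a verifier that returns rejection reasons rather than applying composition rules. BREACH_CORPUS and DICTIONARY are tiny constructed stand-ins for the real lists; the minimum length comes from 800-63B, while the run-length threshold and the digit-stripping heuristic for "derivatives" are this example's own choices.

```python
import re

# Constructed stand-ins for the lists NIST SP 800-63B 5.1.1.2 describes. A real
# deployment loads a breach corpus (often via a k-anonymity lookup) and a word list.
BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "blades01"}
DICTIONARY = {"wednesday", "blades", "secret", "treasury", "bond"}

MIN_LENGTH = 8   # 800-63B minimum for subscriber-chosen memorized secrets
RUN_LENGTH = 4   # assumption: runs this long count as repetitive/sequential


def _stem(value: str) -> str:
    """Lower-case and strip trailing digits/punctuation so 'Wednesday01' -> 'wednesday'."""
    return re.sub(r"[\W\d_]+$", "", value.lower())


def _has_run(secret: str, n: int) -> bool:
    """True if any n consecutive characters are identical or step by +1/-1 in code point."""
    for i in range(len(secret) - n + 1):
        window = secret[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_memorized_secret(secret, username, service,
                           breach_corpus=BREACH_CORPUS, dictionary=DICTIONARY):
    """Return the rejection reasons for a prospective secret (empty list = acceptable).
    Checks only the 5.1.1.2 blocklist categories; no composition rules are applied."""
    reasons = []
    lowered = secret.lower()
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in breach_corpus:
        reasons.append("appears in a breach corpus")
    if _stem(secret) in dictionary:
        reasons.append("is a dictionary word (or one with digits appended)")
    if _has_run(secret, RUN_LENGTH):
        reasons.append("contains repetitive or sequential characters")
    for label, word in (("service name", service), ("username", username)):
        if word and _stem(word) in lowered:
            reasons.append(f"contains the {label} or a derivative of it")
    return reasons


if __name__ == "__main__":
    for pw in ("wednesday01", "1234abcd", "TreasuryDirect!", "correct horse battery staple"):
        print(pw, "->", check_memorized_secret(pw, "jgordon", "TreasuryDirect") or "OK")
```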

@mcdanlj @kevin

I had it wrong then … I probably last looked 2020. Thanks!!

@mcdanlj @jgordon @kevin and there's a major draft update out for review right now that further changes all those SHOULDs to SHALLs

https://pages.nist.gov/800-63-4/sp800-63b.html

NIST Special Publication 800-63B


@akgood @jgordon @kevin Thank you! That's awesome news.

Verifiers SHALL allow the use of password managers. To facilitate their use, verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. Password manangers [sic] may increase the likelihood that users will choose stronger memorized secrets.

I wonder how one would generally allow the use of password managers without allowing paste?

🤔

@akgood @mcdanlj @kevin

I think sometimes the crazy change mandates are a way to lazily disable access once an employee leaves… (eg. nobody cares about security…)

Usually the gotcha is that people with AD based identity don’t have tools for identifying the bad passwords from breaches, etc. You can either spend some dollars OR have complex passwords.

@jgordon @kevin they did. I still have to argue with auditors who expect behaviours now considered counterproductive by NIST (and in the UK, NCSC)

The one that causes the most friction is enforced password rotation, which just causes ${sports team}.${month number} passwords.

I once worked somewhere where 90% of the employees' passwords right now would be blades01 or wednesday01

(Both local football (soccer) teams here)

@jgordon @kevin NIST changes did get out! No periodic resets, prioritise length over complexity rules, use password blocklists… some great stuff in here https://pages.nist.gov/sp800-63b.html
NIST Special Publication 800-63B


@kevin Good thing that all US government web properties comply fully with accessibility requirements. /s
@kevin Absolutely an ADA violation. That 🤡🚗 virtual keyboard they paid some contractor $5M to make is NOT accessible.
@dalias @kevin That’s a good point. Where were their Section 508 compliance people? Was that part of the contract?
Kevin P. Fleming (@[email protected])
@kevin Hey, at least the keyboard is standard QWERTY layout. My ex-ex-bank had a virtual keyboard that randomised keys between clicks and later also changed clicks into hover for a second over the key.

@kevin Yes, and...

Bad news: 2FA is email-only
Good news: The treasury.gov MTA is IPv6-enabled
Bad news: It suffers from a PMTUD blackhole

@kevin Well, that probably makes shoulder surfing even easier. I'm guessing there's visual feedback for each key press (other than a star appearing.)
@kevin @cstross as I recall that one used to also randomize the on-screen key layout, so that you’d always have to hunt for keys
@kevin how can that ever pass accessibility requirements?
@kevin Keyboard Maestro on my Mac can beat that with the “click on image” macro.

@kevin

It's a huge fuck you to anyone with accessibility issues.

@kevin I think this is intended to thwart keyloggers? It’s a common pattern on French bank sites as well. Also, pasting from a password manager works iirc.
@kevin is that an attempt to hinder keystroke loggers? That’s pretty lame still.

@dplattsf @kevin The funny part is that there's no reason a keylogger couldn't just change what browser a user is actually running, or what dynamic libraries it loads when started.

Local code execution typically isn't very hard to escalate further either (and so many things demand admin rights when installing, just hide the keylogger in an anticheat or something), so protections to mitigate that are likely to fail anyway.

It's anti-user, nothing else.

@kevin so frustrating when security teams value extremely low-probability attacks like keyloggers over high probability issues like password reuse.
@kevin French bank for 20 years.

@kevin

they found a keylogger attached to the director's laptop and vowed never again

@ares @kevin Something like this is probably not far off from the truth.
@kevin I haven’t been to that site in most of a decade, but I seem to recall that they randomized the character positions as well. From your screenshot, it at least appears that isn’t the case anymore.
@kevin at least the keys are qwerty and not abcdef or yolorando? 🙃

@kevin sounds like a job for GreaseMonkey.

Why aren't they making this login.gov's problem?

@kevin Seems like it'd be hard to hash in a case-insensitive way, which leads me to think they store passwords in plaintext...
@kevin At least right-click, inspect element, and edit the value attribute by hand works.
@kevin FWIW, 1Password fills in that field just fine. I agree it _is_ obnoxious that TD does it this way.
@kevin whenever I need to log in, I open developer tools, focus on the input, and set the input value directly

@kevin

Next update, they should randomize the keys on the board for each login attempt, to prevent someone getting your password by watching the mouse move.

Then, for even more extra security, there should be a 30-second timeout on password entry. This would be the most securest site ever!

(I hope this doesn't need a #sarcasm tag, but just in case, there it is.)

@kevin Ha! Just suffered through logging into that site yesterday while invoking most of my swear word vocabulary 🙂.
@kevin Do I want to know how well the whole thing works with a screenreader?
@kevin it's like skeuomorphism for those shitty membrane keyboards on public interfaces in the time between clicky buttons and touch screens
@kevin @anildash Happy accidental discovery: Safari’s password manager automatically populates this broken form field on treasurydirect.gov.
@kevin As a long time user of that cursed website, this is actually the user-friendly version of their login.
@kevin this is the website you go to in order to cashout or buy US Savings Bonds.
@kevin the most secure website is one so difficult to use that nobody ever does.

@kevin
I'm guessing you are fully capable of Googling this but, just for the record, make a bookmark with this as the URL and click it when you're on the login screen:

javascript:(function(){document.querySelector(".pwordinput").removeAttribute("readonly")})();

https://thefinancebuff.com/password-manager-i-bonds-treasurydirect.html

@kevin
My guess would be that is an interface to a 3270 emulator, and the developer can no longer count on modern keyboards to replicate all the IBM PC/AT signaling.
@kevin did nobody tell them that you can script click events in JavaScript? If they’re doing this out of hacking fears, it’s not much of a deterrent
@kevin This has always bothered me. I think it's literally the only website I use that does this. I did just discover that Safari will save your password and recall it once you sign in once which I don't recall happening before but maybe I just wasn't paying attention. Doesn't help with accessibility though.
@kevin how timely, I was reminded and infuriated by this while logging in last night and being blocked from using my password manager to paste my long, high entropy random password.
@kevin How in the ever-loving hell can that be ADA compliant???
@kevin Safari is able to store and enter the password for Treasury Direct somehow happily... (after initial entry via clicking sadly...)
@kevin Without a doubt the most security oriented financial site I've ever used.
I just wish they spent a little more time with properly formatting a downloadable 1099. What a mess 🙄
@kevin agree this is the dumbest UI in the known universe. Who did they get to design this??
@kevin Even better: Case insensitivity means that the password must be stored in clear text
@julian_beides Naah, they just case-fold it before hashing.
@kevin Oh right, that works too
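The case-insensitivity question raised twice in this thread (that a case-insensitive login must mean plaintext storage, answered with "they just case-fold it before hashing"), worked through as an added example rather than anything from the thread or from TreasuryDirect: fold case identically at enrolment and at login, then hash with PBKDF2-HMAC-SHA256, and measure what folding costs a random password. The function names and the iteration count are this example's assumptions.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 600_000  # assumption: current OWASP order of magnitude for PBKDF2-HMAC-SHA256


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """Hash a memorized secret for storage. Case is folded *before* hashing, so
    verification is case-insensitive without the plaintext ever being stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.casefold().encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Apply the identical normalisation, recompute, and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.casefold().encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


def case_fold_cost(length: int) -> float:
    """Bits a random alphanumeric password loses when case is ignored (62 -> 36 symbols)."""
    return entropy_bits(length, 62) - entropy_bits(length, 36)


if __name__ == "__main__":
    rec = enroll("Tr3asuryD1rect")
    print(verify(rec, "tr3asuryd1rect"), verify(rec, "TR3ASURYD1RECT"),
          verify(rec, "Tr3asuryD1rekt"))
    print(f"A 12-char random alphanumeric password keeps {entropy_bits(12, 36):.1f} of "
          f"{entropy_bits(12, 62):.1f} bits once case is folded")
```

The stored record holds only salt, parameters and digest, so case-insensitive matching and hashed storage are not in conflict; the real cost is the entropy folded away, roughly 0.8 bits per character for a random alphanumeric password.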