In today's episode of 'website security theatre' we present the US Government's "TreasuryDirect" site.

They don't just disable copy-and-paste into the password field, they disable *keyboard entry* into the password field. You are required to click buttons on this virtual keyboard in order to enter your password. Kudos to them for making high-entropy random passwords difficult to use!

Oh, and the password is also case-insensitive, probably because implementing shift-key support in the virtual keyboard would have been too complex.

#Password #SecurityTheatre

@kevin is that an attempt to hinder keystroke loggers? That's pretty lame still.

@dplattsf @kevin The funny part is that there's no reason a keylogger couldn't just change what browser a user is actually running, or what dynamic libraries it loads when started.

Local code execution typically isn't very hard to escalate further either (and so many things demand admin rights when installing, just hide the keylogger in an anticheat or something), so protections to mitigate that are likely to fail anyway.

It's anti-user, nothing else.