Kevin P. FlemingJan 28, 2023

In today's episode of 'website security theatre' we present the US Government's "TreasuryDirect" site.

They don't just disable copy-and-paste into the password field, they disable *keyboard entry* into the password field. You are required to click buttons on this virtual keyboard in order to enter your password. Kudos to them for making high-entropy random passwords difficult to use!

Oh, and the password is also case-insensitive, probably because implementing shift-key support in the virtual keyboard would have been too complex.

#Password #SecurityTheatre

Show threadスパックマン クリス

@kevin

Next update, they should randomize the keys on the board for each login attempt, to prevent someone getting your password by watching the mouse move.

Then, for even more extra security, there should be a 30-second timeout on password entry. This would be the most securest site ever!

(I hope this doesn't need a #sarcasm tag, but just in case, there it is.)

Jan 28, 2023 at 5:27pmWeb