Repeat after me: Blocking paste on a form textbox is not a security feature.

@nzakas Stop the madness is your friend!

https://underpassapp.com/StopTheMadness/

Don't F*** With Paste

Prevents the blocking of copying from & pasting into input fields

@ravipatel could you tell me if this app can prevent showing cookies requests on iOS and macOS? I didn’t find any information on its website.

@ravipatel @nzakas That's really cool! 🤩

If only it were unnecessary 🤔.

@ravipatel @nzakas fantastic! :) I'll be looking into if there's a Firefox equivalent, as that looks incredibly useful :)
@nzakas and, incidentally, will likely then fail proposed WCAG 2.2 SC 3.3.8 Accessible Authentication https://www.w3.org/TR/WCAG22/#accessible-authentication-minimum
@nzakas What about the one I just had the misfortune to use that blocks paste, right click, *and backspace* in the password field?

@aburka @nzakas

There is one password field with which I work which fills in the entire space with asterisks, no matter how many characters have been typed.

This is not, as you might suspect, particularly conducive to first-try entry.

@theogrin @aburka @nzakas Ok, but that one actually *is* a security feature as it hides how many characters are in the password. The alternative (and more common choice before GUIs became common) was to show nothing at all when a password was being entered.
@StarkRG @theogrin @aburka @nzakas yeah, but passwords weren’t this complex back then.
@aburka And backspace? Evil.
@nzakas @lisamelton any time I see this message I’m boosting it
@nzakas @lisamelton It has been my career experience that such systems are almost always mandated by people who don't have to use them daily, if at all. It is such a pervasive anti-pattern used by folks who (mistakenly or not) confuse "security theatre" for security.

@nzakas

My bank is still not listening 🦻

They want their customers to use longish passwords and they also block the paste functionality 🔑

One can always drag-drop the text into the paste protected field without any problem. No need for extensions.

@hakerdefo @nzakas Why is the browser letting the site distinguish between paste and dragged text? 🤔 🤬
@dalias @hakerdefo @nzakas would be fun to file a bug report to also get the drag forbidden - I bet they would do it 😆
@zalintyre lol, some folks (ಠ_ಠ) just want to see the world burn.

@zalintyre @dalias @nzakas

Ba$t$r$s would love it  

🏦 💲 💰 🤑 💸

@dalias @nzakas

It's the JavaScript implementation on the site that does these shenanigans, I could be wrong though.

@hakerdefo @nzakas

A lot of people are probably turning to phrases like: This.C0mpany.Can.F***-0ff!

@the_Effekt @hakerdefo @nzakas
an interesting anecdote - years ago I remember getting messaged by a forum admin that I needed to change my password, which was a variant on your schema.
@nzakas *taps forehead* Can’t steal my info if I get annoyed and stop signing up!
@nzakas I want this reboosted at least once a week.
@nzakas @lisamelton AMEN! (I'm not religious but that's how strongly I agree with your statement. 😀)
@nzakas Especially when you use a password manager. As if I'm going to type my 32 character random number/letter/symbol password by hand - I just open the console and stuff it in with JavaScript lol

@parx @nzakas I would like to talk to one of these people who mandate this and ask the simple, and standard, security question: "What security problem do you hope to mitigate when implementing this?".

I cannot even think of a wrong answer to that question, much less a valid one.

@loke @parx I know this one. It stems from the belief that normal users memorize this information and only hackers would copy-paste it because they haven’t memorized it.

@nzakas @parx Wait... What... OK, I need to internalise this. It makes some kind of utterly perverse sense.

Don't take me wrong. It's obviously completely up the walls stupid and wrong, but I can see myself in a meeting room trying to explain why this is idiotic.

@loke @nzakas I once had senior leadership make the request "don't allow the user to copy+paste this image" because it contained sensitive information.

When asked "what about when they hit 'printscreen' on their keyboards", their brains broke.

If not that, they'll take a picture of the screen with their phone.

If somebody wants something you've already served them up on their screen, they'll find a way to get it.

@nzakas it sort of is, it’s keeping me out of their system.

@nzakas I hacked together an Alfred workflow a couple months back after getting particularly pissed at a site that did this. The workflow turns the clipboard into simulated keystrokes and uses AppleScript to type them.

I get a little glee every time I use it on a site.

@nzakas Blocking paste on a form textbox is not a security feature.
#SecurityTheater
@nzakas if you don't let me paste from my password manager then my password on your site is xyzzy123!

@nzakas

OMG rage. They're just ensuring that I eff it up. Copy/paste is a survival skill for me.

@nzakas Flip side: creating an API that allows sites to block paste or otherwise distinguish between paste and manual entry of characters is malice by the browser.
@dalias @nzakas that’s actually a good point. When would it actually be a good scenario to block paste? I can’t think of one…
@Hipska @nzakas AIUI the intent by browsers isn't to facilitate "block paste" but "do custom handling of paste". This is still an antifeature though. As a user I want paste to always do what I mean.
@dalias @Hipska @nzakas and people will get VERY creative - for example, faking a keyboard that types the password...
@zalintyre @Hipska @nzakas That's exactly how paste should work: as an input method where the application sees all the text entry events at once, like when you finish selecting characters after typing pinyin. No way to disallow paste without also being unlawfully inaccessible.

@nzakas it's an #AntiSecurity-Feature since it prevents people from using #PasswordManagers, resulting in weaker Passwords like:

Idonthavetimef0rthis$it!

instead of some solid password generated with cryptographic randomness...

Like a 128-digit password...
https://github.com/kkarhan/misc-scripts/blob/260f087c8337417c69f94787358abf4faf5090f9/bash/.bash_aliases

@kkarhan @nzakas it’s worse than that, so many analytics libraries include keyloggers that a manually typed password on most sites should be considered compromised

(Tho there’s also malware that tries to replace anything on the clipboard that looks like a crypto wallet address with the attacker's wallet address, which will replace some randomly generated passwords, so I guess using the clipboard isn’t all that secure either)

@ShadSterling @nzakas well, I just block all but whitelisted Cookies and JS.

And Yes, #Cryptojacking is a problem in general...

Needless to say users can't be made liable for shitty #ITsec of the company whose website they log in to.

Point is: #PasswordManagers are the most secure option - period.

@nzakas this and password managers.

Also those that use a hidden honeypot field that password managers can't recognise.

GitHub - jswanner/DontF-WithPaste: Google Chrome extension that prevents the blocking of pasting into input fields

@nzakas true, but you have to admit that opening up the dev tools, unbinding their stupid paste event handler and then pasting your password in does feel kind of like being a superhero
@nzakas blocking the paste feature in a textbox is not a security feature, it is however an ableist feature, as are captcha requirements. #Ableism #tech

@nzakas those forms that say "repeat email" and then don't let you paste, turn off autocomplete, and then only do validation onKeyUp...

Now instead of carefully checking my email address I'm rummaging in your dom to delete attributes from your form fields

@EndlessMason @nzakas rummaging in yer Dom feels like a punk lyric.

@nzakas Ah, but it can drive your users to madness.

It's a make work for mental health professionals thingy.

Anyway, I would literally have to think of how you can do “security” on the client side, well, basically the same way you would do in any client delivered directly onto the PC of the user, written in an interpreted language.

You'll notice that our beloved overlords from Hollywood insisted that their DRM is embedded into the browser VM, not running on top of it.

@nzakas on a similar note: having SIX one-character input fields for two-factor authentication codes is not accessible no matter how much JavaScript magic they put on it.
@nzakas YES southwest gas need to hear this 🙃