Dear people who make websites,

Do you ever block your users from being able to paste into a text field?

Why?

Do you need this ability for a good reason? What’s that reason?

Or, as a user, would you like to see it go away? Perhaps you encounter sites that prevent you from pasting your super complex password from your password manager into a password field, and wonder why they can do so?

What might be the downside of removing support for disallowing pasting from the web?
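An added example (not code from the thread or from anyone in it) of what "blocking paste" actually is on the page side, and why it does not stop anything. It uses Node's built-in EventTarget/Event (Node 15 or later) with a small FakeInput stand-in for an HTML input, so it runs offline; the listener, the cancelable-event semantics and the cloneNode trick are the same on a real DOM element.

```javascript
// Added example, not from the thread. FakeInput models just enough of an
// <input> element to show how a paste block works and how it is bypassed.

class FakeInput extends EventTarget {
  constructor() {
    super();
    this.value = '';
  }
  // Like element.cloneNode(): the copy keeps the value but none of the
  // listeners that were registered with addEventListener().
  cloneNode() {
    const copy = new FakeInput();
    copy.value = this.value;
    return copy;
  }
}

// Site side: the whole "no paste" feature is one listener that cancels the
// paste event before the browser's default action (inserting clipboard text).
function blockPaste(input) {
  input.addEventListener('paste', (e) => e.preventDefault());
}

// Browser-like dispatch of a paste: fire a cancelable 'paste' event, then
// run the default action only if no listener cancelled it.
// Returns true if the text was inserted, false if a listener blocked it.
function paste(input, text) {
  const ev = new Event('paste', { cancelable: true });
  const allowed = input.dispatchEvent(ev); // false once preventDefault() ran
  if (allowed) input.value += text;
  return allowed;
}

// Keyboard path: typed characters (a human, or a password manager's
// auto-type feature) never raise a 'paste' event, so the block is irrelevant
// to them. A field monitor sees them anyway, which is the "security theatre"
// point: whoever can read the clipboard can also watch the field.
function typeText(input, text, monitorLog = []) {
  for (const ch of text) {
    input.value += ch;                       // one keystroke per character
    const ev = new Event('input');
    ev.data = ch;                            // mimic InputEvent.data
    input.dispatchEvent(ev);
  }
  return input.value;
}

function attachFieldMonitor(input, log) {
  input.addEventListener('input', (e) => log.push(e.data));
}

// User side: the usual bookmarklet. Replacing the node with a clone drops
// every listener the page attached. In a real browser the equivalent is:
//   javascript:document.querySelectorAll('input')
//     .forEach(i => i.replaceWith(i.cloneNode(true)))
function unblockPaste(input) {
  return input.cloneNode(true);
}

// Walk through the whole story and return what each step observed.
function demo(secret = 'correct-horse-battery-staple') {   // constructed sample value
  const field = new FakeInput();
  const seen = [];
  blockPaste(field);
  attachFieldMonitor(field, seen);
  const pasteBlocked = !paste(field, secret);       // blocked by the listener
  typeText(field, secret);                          // typing still works...
  const monitorSaw = seen.join('');                 // ...and is still observable
  const freed = unblockPaste(field);
  const pasteAfterClone = paste(freed, '!');        // listener is gone
  return { pasteBlocked, typed: field.value, monitorSaw, pasteAfterClone, freedValue: freed.value };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The monitor listener is on the page itself here, but the point carries over to malware on the machine: anything positioned to read the clipboard is also positioned to read keystrokes or the field contents, so cancelling the paste event only removes the user's safest way of getting a long random password into the field.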

@jensimmons
The only time it has saved me is when a site asked for my password twice. I usually copy and paste it from the first. But this time I'd made a typo. Retyping it helped me validate I'd got it right.

But that's about the only time it has ever been useful for me.

@Edent @jensimmons but if the password manager is generating them for you, you should never need to type them and make a typo...
@ben @Edent @jensimmons
There's a good argument that copy-pasting the password is insecure, as many OSes let all running apps read the clipboard, and some even keep a clipboard contents history.
@Br3nda @ben @Edent @jensimmons If you’ve copied the password, intending to paste it, then isn’t it already in the clipboard?

@lightandshadow @ben @Edent @jensimmons

Umm.. Yes? Of course? Not sure why you're asking...

@Br3nda @ben @Edent @jensimmons Whether you can paste it or not doesn’t seem to be relevant. It’s already copied to the clipboard, which would make it vulnerable.

I wouldn’t try to copy some random string to see if I could paste it into a password field. I would copy an actual password, then try to paste it. At that point, wouldn’t it be too late?

@Br3nda FWIW, the modern version of Android only lets the foreground app read the clipboard. And the OS displays a little notification to tell you it has happened.

https://developer.android.com/about/versions/10/privacy/changes#clipboard-data

I don't know about iOS or other OSes though.


@Edent

So, changing tab in the browser gives that tab the clipboard?

@Br3nda I don't think so, no.

The OS gives the browser access to the clipboard. You still have to paste in manually.

@Edent I've always meant to check out what weird clipboard thing Google Docs is doing.
@Br3nda @ben @Edent @jensimmons preventing paste doesn’t prevent anyone from copying the password to clipboard. So blocking paste doesn’t make anyone more secure

@jasonkarns @ben @Edent @jensimmons

Yeah, it does prevent you copying it there every day.

It's not a good argument to disable paste, for sure.

But the model of copying passwords isn't a good idea.

@Br3nda @ben @Edent @jensimmons there’s an argument, yes. It isn’t a good argument at all.

Because that argument is basically “we’re going to break accessibility and standard conventions for security” and it doesn’t even actually make anything more secure. Any malware that can monitor the pasteboard can also monitor the form field and keyboard input, so you’ve gained nothing.

It is 100% bullshit security theater.

@Br3nda @ben @Edent @jensimmons

This is only true, aiui, for Windows.

In *nix OSes, everything runs as a specific user. While I am logged in, apps I start up run as me, and only apps running as me have a chance to see my clipboard.

On Linux OSes using Wayland, there is a further wrinkle: the compositor is the only thing which can read from my clipboard.

So for something malicious to happen it has to

a. already be in the OS,
b. be running as me,
c. and be recognized by the compositor.

1/

@Br3nda @ben @Edent @jensimmons

But another thing to keep in mind is: for passwords, you do not need to use the clipboard.

With #KeepassXC's browser extension, you can have it type the password. I am sure other password database systems have similar features.

2/2 fin

I think for JavaScript-generated content the browser extensions don't always catch the input fields (my experience with Bitwarden) @amgine @Br3nda @ben @Edent @jensimmons

@dozymoe @amgine @ben @Edent @jensimmons

Also getting it set up means trusting it as a browser extension or phone keyboard or whatever other mechanism it uses.

@Br3nda @dozymoe @ben @Edent @jensimmons

Indeed. But it is signed by a multi-person encrypted key, and the browser will not allow it to run if it does not match every certificate.

I do not know enough about how it operates to be sure, but I do not believe it runs as a keyboard on a phone. I think it runs entirely within the browser.

More importantly, it is made by people whose project and passion is to secure passwords.. I expect they are under greater targeted scrutiny than average.

@amgine @dozymoe @ben @Edent @jensimmons Oh, agreed. Not sure how the average non-tech person navigates all this.

@Br3nda @dozymoe @ben @Edent @jensimmons

😄 I think the average non-tech person does exactly what you are doing! Approaches it very cynically, with lots of caution, asks the tough questions and demands answers.

I wouldn't be too sure, there was the LastPass breach @amgine @Br3nda

@dozymoe @Br3nda

EXACTLY‼️

KeePass is on your machine, not someone else's. When you are a website trusted by tens of thousands of people with their most-trusted passwords and certificates, you are a Big Important Target, because all someone has to do is get lucky once for a big payout.

But when everyone has their passwords on their own machines distributed all over the world, the bad guys have to get lucky tens of thousands of times. And no one of them is likely to be super valuable.

@Br3nda @dozymoe @amgine @ben @Edent @jensimmons if we're not trusting the keyboard, blocking pasting becomes kind of irrelevant, no?
@amgine @Br3nda @ben @Edent @jensimmons Also, password managers can use the MIME type x-kde-passwordManagerHint so that clipboard managers that respect it do not save the password to history.

@Edent @jensimmons

I recall in the first hours after the Christchurch quake I was working in an emergency response helpline and trying to copy paste official info to someone and the government website would pop up "image stealing is not allowed" anytime I right clicked.

@Edent @jensimmons But that would also prevent copy-pasting both from a password manager

@DaanWilmer @jensimmons

Most people don't use a password manager.

And, at the time, mine didn't let me autogenerate a new email address per site.

For normal users who only use one email address, it is *probably* sensible to help them make sure they've typed their email addresses in correctly.
Preventing paste isn't ideal - but I bet it stops a large number of user errors.

@Edent @DaanWilmer @jensimmons Normal people only have one email address? I thought it was normal to have many.
@ang6666 @Edent @DaanWilmer @jensimmons blows my mind. Why wouldn’t you have at least two for junk mail??? I’ve got many.