Dear people who make websites,

Do you ever block your users from being able to paste into a text field?

Why?

Do you need this ability for a good reason? What’s that reason?

Or, as a user, would you like to see it go away? Perhaps you encounter sites that prevent you from pasting your super complex password from your password manager into a password field, and wonder why they can do so?

What might be the downside of removing support of disallowing pasting from the web?

@jensimmons As a user I hate when sites disable paste.

@jensimmons
The only time it has saved me is when a site asked for my password twice. I usually copy and paste it from the first. But this time I'd made a typo. Retyping it helped me validate I'd got it right.

But that's about the only time it has ever been useful for me.

@Edent @jensimmons but if the password manager is generating them for you, you should never need to type them and make a typo...
@ben @Edent @jensimmons
There's a good argument that copy-pasting the password is insecure, as many OSes let all running apps read the clipboard, and some even keep a clipboard contents history.
@Br3nda @ben @Edent @jensimmons If you’ve copied the password, intending to paste it, then isn’t it already in the clipboard?

@lightandshadow @ben @Edent @jensimmons

Umm.. Yes? Of course? Not sure why you're asking...

@Br3nda @ben @Edent @jensimmons Whether you can paste it or not doesn’t seem to be relevant. It’s already copied to the clipboard, which would make it vulnerable.

I wouldn’t try to copy some random string to see if I could paste it into a password field. I would copy an actual password, then try to paste it. At that point, wouldn’t it be too late?

@Br3nda FWIW, the modern version of Android only lets the foreground app read the clipboard. And the OS displays a little notification to tell you it has happened.

https://developer.android.com/about/versions/10/privacy/changes#clipboard-data

I don't know about iOS or other OSes though.

@Edent

So, changing tab in the browser gives that tab the clipboard?

@Br3nda I don't think so, no.

The OS gives the browser access to the clipboard. You still have to paste in manually.

@Edent I've always meant to check out what weird clipboard thing Google Docs is doing.
@Br3nda @ben @Edent @jensimmons preventing paste doesn’t prevent anyone from copying the password to clipboard. So blocking paste doesn’t make anyone more secure

@jasonkarns @ben @Edent @jensimmons

yeah it does prevent you copying it there every day.

It's not a good argument to disable paste, for sure.

But the model of copying passwords isn't a good idea.

@Br3nda @ben @Edent @jensimmons there’s an argument, yes. It isn’t a good argument at all.

Because that argument is basically “we’re going to break accessibility and standard conventions for security” and it doesn’t even actually make anything more secure. Any malware that can monitor the pasteboard can also monitor the form field and keyboard input, so you’ve gained nothing.

It is 100% bullshit security theater.

@Br3nda @ben @Edent @jensimmons

This is only true, aiui, for Windows.

On *nix OSes, everything runs as a specific user. While I am logged in, apps I start up run as me, and only apps running as me have a chance to see my clipboard.

On Linux OSes using Wayland, there is a further wrinkle: the compositor is the only thing which can read from my clipboard.

So for something malicious to happen it has to

a. already be in the OS,
b. be running as me,
c. and be recognized by the compositor.

1/

@Br3nda @ben @Edent @jensimmons

But another thing to keep in mind is: for passwords, you do not need to use the clipboard.

With #KeepassXC's browser extension, you can have it type the password. I am sure other password database systems have similar features.

2/2 fin

I think for javascript generated content the browser extensions don't always catch the input fields (my experience with bitwarden) @amgine @Br3nda @ben @Edent @jensimmons

@dozymoe @amgine @ben @Edent @jensimmons

Also getting it set up means trusting it as a browser extension or phone keyboard or whatever other mechanism it uses.

@Br3nda @dozymoe @ben @Edent @jensimmons

Indeed. But it is signed by a multi-person encrypted key, and the browser will not allow it to run if it does not match every certificate.

I do not know enough about how it operates to be sure, but I do not believe it runs as a keyboard on a phone. I think it runs entirely within the browser.

More importantly, it is made by people whose project and passion is to secure passwords. I expect they are under greater targeted scrutiny than average.

@amgine @dozymoe @ben @Edent @jensimmons Oh, agreed. Not sure how the average non-tech person navigates all this.

@Br3nda @dozymoe @ben @Edent @jensimmons

😄 I think the average non-tech person does exactly what you are doing: approaches it very cynically, with lots of caution, asks the tough questions and demands answers.

I wouldn't be too sure, there was the LastPass breach @amgine @Br3nda

@dozymoe @Br3nda

EXACTLY‼️

Keepass is on your machine, not someone else's. When you are a website trusted by tens of thousands of people with their most-trusted passwords and certificates, you are a Big Important Target because all someone has to do is get lucky once for a big payout.

But when everyone has their passwords on their own machines distributed all over the world, the bad guys have to get lucky tens of thousands of times. And no one of them is likely to be super valuable.

@Br3nda @dozymoe @amgine @ben @Edent @jensimmons if we're not trusting the keyboard, blocking pasting becomes kind of irrelevant, no?
@amgine @Br3nda @ben @Edent @jensimmons Also, password managers can use the MIME type x-kde-passwordManagerHint so that clipboard managers which respect it don't save the password to history.

@Edent @jensimmons

I recall in the first hours after the Christchurch quake I was working in an emergency response helpline and trying to copy paste official info to someone and the government website would pop up "image stealing is not allowed" anytime I right clicked.

@Edent @jensimmons But that would also prevent copy-pasting both from a password manager

@DaanWilmer @jensimmons

Most people don't use a password manager.

And, at the time, mine didn't let me autogenerate a new email address per site.

For normal users who only use one email address, it is *probably* sensible to help them make sure they've typed their email addresses in correctly.
Preventing paste isn't ideal - but I bet it stops a large number of user errors.

@Edent @DaanWilmer @jensimmons Normal people only have one email address? I thought it was normal to have many.
@ang6666 @Edent @DaanWilmer @jensimmons blows my mind. Why wouldn’t you have at least two for junk mail??? I’ve got many.

@jensimmons I've seen it a few times as a user (not recently, but 5 - 10 years ago) on high value sites (i.e., banking).

I've never actually heard from anyone who implements this, why they do so. I assume it's a misguided notion of protecting the end user.

Absolutely not a fan.

@jensimmons
One of the most annoying restrictions. Closely followed by incorrectly set fields so that Safari does not offer autofill.

@jensimmons My old school's SSO page blocked pasting in password fields, which is a big reason why I started using 1Password since it mimics typing. It didn't make anyone more secure, it just punished strong passwords.

I am now out of school but I will die holding this grudge for making me type a 20 character random string every time I wanted to check my email.

@jensimmons Please help make this go away. The blocking of pasting in a password field drives me nuts.

@jensimmons I've seen people do this on confirmation fields. E.g., enter your account number a second time to make sure you didn't mistype it the first time. They want to prevent paste to prevent anyone from propagating a typo in the first field.

I suspect that, in reality, a user that's sophisticated enough to copy-and-paste is sophisticated enough to be pasting the value from the source of truth anyway.

@jensimmons it’s almost always the username and/or password field on login screens, and the whole argument that it’s for better security is bosh. It prevents users from effectively using password managers.
@jensimmons the only case I’ve found that I don’t hate is a delete confirmation where you type something to prove you’re paying attention, and only then when it’s something short like “DELETE”
@jensimmons and even for this use case there are better UI alternatives (though they take more time and care to build)
@jensimmons As a user, I find this UX incredibly hostile. As someone who uses a password management tool, I create & maintain my passwords elsewhere and when I need to manually type a random 20+ character password rather than pasting it in, it's incredibly frustrating, especially on mobile where special symbols are harder to find. And of course the fields are masked as well, so double frustrating.
@jensimmons As a user, I would LOVE to see that "feature" go away.
@jensimmons I would love to see it go away as a user.

@jensimmons Oh, please, I would absolutely LOVE it if that got removed. And while you're at it, please also remove the ability to meddle with copying selected text.

The user locally selects text, and the developer should not be allowed to change what ends up on the clipboard without the user's consent.

@jensimmons disabling copy/paste in a data entry form is the actual worst.
@jensimmons As a web developer, no I don't ever do that. As a user it's very frustrating when you can't paste in a password field.
@jensimmons I've encountered websites that prevent selecting and copying text 😮‍💨
@nrk9819 @jensimmons on Mac, there's this little app called textsniper that "screenshots" text and OCRs it into your clipboard and it's so useful and a giant fuckyou to websites that have that.

@jensimmons To broaden this discussion and give you feedback you didn't ask for ...

I sometimes wonder if we should have a 'Turn off JavaScript' option in the context menu - possibly even suppressing event handlers on a per-element basis.

That would be very useful in a lot of circumstances, including this one.

@ppk @jensimmons

That used to be a feature on the developer menus of several browsers. Although Safari's used to switch it off for every window, which occasionally had side effects.
I'm not sure why but it went away a few years ago.
Now you have to get plugins to do the same.

@jensimmons I'd love it if sites would stop doing this, but I don't see how the web as a platform could prevent it, short of removing the possibility to have *any* custom behaviour on paste? which might be a bit more controversial possibly
@jensimmons It used to be somewhat useful before password managers to prevent typos. For years now it doesn't seem to make sense disabling pasting though, I never type passwords by hand anymore.
@jensimmons I don't ever do that and neither does my team, but I have understood the use case to be when you want someone to confirm their email or password or whatever (whereas they could just copy and paste one with a typo). I think it's mad annoying, tho, which is why I never build forms with that "feature" in them

All I can think of is bots using harvested credentials.

But that wouldn't be a real user agent.

In general, for human users, disallowing paste/password managers is an anti-pattern, and #WCAG 2.2 gives you a very credible #a11y post to nail this to.

@jensimmons

@jensimmons I hate it when paste is disabled. I also hate it when I have to type username, hit enter, then password on a second screen (very rarely doable with a PW manager)
@jensimmons Just realized it perceived “copy” as “paste”. Yes, I hate disabled copying also, perhaps even more so

@jensimmons I have never, at any point, encountered a scenario where disabling pasting helped me in any way. I always resent it.

I'd go so far as to say that I don't think JavaScript should be allowed to influence the clipboard at all if it weren't for the fact that some code-generating sites have a "copy source" button that's convenient. Like 90% of the times that a site I use does anything with copying/pasting, it's abused.