Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security The Internet

A Plea For Websites To Stop Blocking Password Managers 365

An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
This discussion has been archived. No new comments can be posted.

A Plea For Websites To Stop Blocking Password Managers

Comments Filter:
  • by Anonymous Coward

    Well some sites don't want scripts interacting with the password fields. This could be a way to stop some malware from scraping user passwords from input fields.

    • by Z00L00K ( 682162 )

      Another factor - do you trust the password manager?

    • by jarfil ( 1341877 ) on Monday July 27, 2015 @05:11AM (#50188383) Homepage

      Except it doesn't stop shit.
      Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from clipboard, because the fact that you can't paste it into the page, does not stop you from copying if from wherever you had it in the first place.

      • by TheRaven64 ( 641858 ) on Monday July 27, 2015 @05:56AM (#50188489) Journal
        JavaScript can also intercept the contents of the clipboard. If you're blocking password managers, then people are going to do one of two things. Either they'll pick a (weak) easy-to-remember password, or they'll use a password manager and paste the password in. If they opt for the latter, then any malicious ad on the page can grab the password while it's in the clipboard...
        • by MrL0G1C ( 867445 )

          Which is one of the many reasons why JavaScript clipboard functions should only be allowed for white-listed sites.

          If anyone knows of an extension to fix this I'd like to know.

        • by MrL0G1C ( 867445 )

          Found one, apparently no whitelist though.
          Disable clipboard manipulations [mozilla.org]

        • by Zalbik ( 308903 ) on Monday July 27, 2015 @10:24AM (#50190173)

          JavaScript can also intercept the contents of the clipboard.

          Not by default it can't.

          True there are potentially bugs in implementation or bad configurations that allow scripts to read the external clipboard, but the same argument could be made against password managers. Poor security / configuration of the browser could allow scripts to read the password provided by the password manager.

    • by MrL0G1C ( 867445 )

      Doesn't make sense, if you have malware it could be keystroke logging - which would make a password manager more, not less secure if it auto-fills the user+password fields the user+password might not get sniffed.

  • And that works fine for me. (using keeppass)

  • One work-around - that doesn't work with OpenERP, is a little javascript I use as a bookmarklet.

    javascript:(function(){var%20ac,c,f,fa,fe,fea,x,y,z;ac="autocomplete";c=0;f=document.forms;for(x=0;x<f.length;x++){fa=f[x].attributes;for(y=0;y<fa.length;y++){if(fa[y].name.toLowerCase()==ac){fa[y].value="on";c++;}}fe=f[x].elements;for(y=0;y<fe.length;y++){fea=fe[y].attributes;for(z=0;z<fea.length;z++){if(fea[z].name.toLowerCase()==ac){fea[z].value="on";c++;}}}}alert("Enabled%20'"+ac+"'%20on%20"+c+"%

  • by invictusvoyd ( 3546069 ) on Monday July 27, 2015 @04:39AM (#50188325)
    Prioritization of passwords i.e. choosing complex ones for a few critical accounts/services and "easy to remember" ones for non critical things can eliminate the need for managers . As someone pointed out , managers are all eggs in one basket.
    • by gmack ( 197796 )

      Or the way I do it: Complex passwords for a few critical accounts and my password manager. Sites that don't hold my personal or financial info get to use the password manager

    • by Overzeetop ( 214511 ) on Monday July 27, 2015 @07:07AM (#50188707) Journal

      Managers are like placing all of your eggs in one basket which has been specifically designed for carrying eggs, with proper separation and cushioning against nearly all common shipping contingencies.

      Having a couple of really secure passwords and a couple of throwaways is like putting a couple of small eggs in your back pocket and carrying the big ones in your hands. Much more convenient, and only as secure as you are diligent.

    • Hard to remember for a human being doesn't mean it is hard to break for a computer program. The real problem is the limit on the number of characters a password can have on some sites. Limiting a password to 6 to 8 characters limits the entropy of a password, hence the requirements for special characters, non-repeating characters (in fact it reduces entropy by some security admins seems to think it is a good idea), numbers and so on.
  • I mean, can I sue a site for forcing me to use an easy password, which then gets hacked?

    • I mean, can I sue a site for forcing me to use an easy password, which then gets hacked?

      Can they sue you if you expose your account details? something like 1 in 3 machines have some sort of malware on them (yet if you ask people nearly everyone will say there machine is clean, 1 in 3 of them are wrong), I can't really blame any site for being unwilling to let any additional software apart from your browser interact with credential fields on their site if the site holds anything of value.

      • On another hand, there is still websites registration systems which once the process is completed send you your password in plain text in a email for you to easily remember and store in you mailbox.
  • by EmperorArthur ( 1113223 ) on Monday July 27, 2015 @04:52AM (#50188343)

    While it's true the site operators are at fault, I also blame the browser makers.

    Many websites don't allow copy or paste, or even selecting/highlighting text.
    While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.

    Browser makers should treat these kind of keyboard/mouse hooks the same way they treat websites asking for location data. With a message asking the user if they want to allow the behavior or not. Furthermore, they should do it in such a way that operators can not force users to click allow.

    • There are a couple of legitimate uses for sites to interfere, with select/copy in certain very restricted cases.
      1. Using the no-select attribute on buttons (or text styled as buttons). Otherwise, it's very easy to accidentally select the button text when you mean to click it - and that's just a UI mistake.
      2. When an image is meant not to be re-shared (e.g, a personal photo on a social or dating network), intercepting right-click with a message asking the viewer not to take a copy.

    • Browser makers should treat these kind of keyboard/mouse hooks the same way they treat websites asking for location data. With a message asking the user if they want to allow the behavior or not. Furthermore, they should do it in such a way that operators can not force users to click allow.

      Firefox used to have a settings dialog that allowed you to choose how much control you wanted JavaScript to have but then Mozilla in all their wisdom decided to remove those options when they removed the settings to disable JavaScript all together. I'm not entirely sure what the rationale for that decision was because making JavaScript and all its hooks absolutely mandatory doesn't seem to benefit the user in any way.

  • Whenever I see some financial or health care site that has a stupid limit like "8-16 characters, letters and numbers only and only one of these three non-alphanumeric characters" I struggle with free market principles and not saying "there ought to be a law..." In fact, it'd be easier on people to just let them use a phrase that has a meaning only to them. You know, a sentence that has numbers in it and goes on to something like over 128 characters easily.

    • by Vokkyt ( 739289 )

      Keep in mind this often has nothing to do with any actual decision by the administrators/managers at the institution and everything to do with the financial/healthcare system provider. Healthcare in particular is plagued with lowest bidders trying to scam money out of the institutions from doctors and upper management that know nothing about technology and security.

      At the end of the day, these decisions are the result of lazy programmers looking for a quick buck, not a conscious decision. The actual HIPPA

    • by jonwil ( 467024 )

      If you are writing software that takes in a password and you are hashing the password to compare it to a stored hash, there is no reason at all to restrict the maximum length of a password or prohibit certain characters from being used in it.

      If you are writing software that takes in a password and you are NOT hashing the password (but instead storing it in the clear or otherwise doing something with it), you shouldn't be writing software involving passwords in the first place (I can't think of a single vali

    • I just had this conversation on a visit with a friend. The worst are the sites that have all the "strong password criteria" and then do something idiotic like limit you to a certain number of characters. Those are mostly going away. The best thing to do would just to be mandate a good minimum length and suggest people make up nonsense phrases, then they would be likely to remember them and they would also be likely to be useful passwords.

  • I have some generic passwords that I use for non-critical accounts. For critical accounts, I have some pretty tough password-generated things. I have a list of them encrypted on my hard disk, so that I can throw some away if/when the need arises, and grab another. But - I can't copy paste them everywhere. How the hell am I supposed to EVER memorize those damned passwords? Just let me copy paste them, FFS.

    A real "Password Manager" would be even better - if I find one that I trust, and I'm comfortable us

  • by DrXym ( 126579 ) on Monday July 27, 2015 @06:51AM (#50188627)
    Another commonplace annoyance is sites of no consequence that ask for an email address and for some unknown reason require it to be entered twice. And to stop people working around this fuck wittery they block copy & paste. I might understand the need to enter an email twice if it were a tax form or suchlike, but many sites are simply doing it for no meaningful purpose at all.

    Some sites and wifi hotspots double down on this annoyance by inflicting it on their mobile pages too. So you have to enter an email twice from a handset. And just in case that wasn't enough, they fail to specify the field is for email so the phone browser's autocorrect fucks it up as you type it.

  • by MightyDrunken ( 1171335 ) on Monday July 27, 2015 @07:00AM (#50188671)
    Websites have disabled autocomplete on password fields to prevent browser bases password managers from working. In response to this many browsers ignore autocomplete=off on password fields. I ran into this behaviour on a user administration screen, the browser was trying to fill in my password into the other users password field. I could not stop the browser from autofilling in the wrong password.
  • by ruir ( 2709173 ) on Monday July 27, 2015 @07:02AM (#50188691)
    So many talking about securing passwords and not single mention to double factor authentication...
    • So many talking about securing passwords and not single mention to double factor authentication...

      Something you know, and something that can be stolen or lost, I think that's how the saying goes, right?

      2FA is cool in principle, but I live in the sticks and don't have high-speed internet and I use a prepay plan which charges me daily because it fits my current usage patterns. It would cost me money to use 2FA.

  • have a feature that "types" your password in the box instead of having to copy paste it.

    Problem -> solved.

  • by sims 2 ( 994794 ) on Monday July 27, 2015 @08:31AM (#50189075)

    The nicsez check website comes to mind.

    You know to one that's used to run background checks for guns in 36 states or so?

    If I recall correctly its forbidden in the terms to use a password manager.

    And you have to change the password every 90 days.

  • I stopped using traditional "passwords" years ago and switched to a derivation algorithm instead.
     
    I never have to remember a password because I can derive each one easily. Does anyone else use this strategy?

  • The article mes a good point: preventing paste into a password field just encourages people to use crappy passwords that are easier to type. The same applies to that silly convention of asterisk masking in password fields. The inconvenience massively outweighs that one time in a hundred that masking prevents a shoulder-surf attack.

    Can we develop a standard HTML interface for password managers, with built-in safeguards against malware usage? Any compliant PM would connect with any compliant login screen.

  • by xororand ( 860319 ) on Monday July 27, 2015 @09:49AM (#50189809)

    KeepassX [keepassx.org] does not use the clipboard but instead simulates actual typing, with a configurable delay.
    When you select a password entry and press Ctrl-v in KeepassX, it hides itself, switches the focus to the last active window and types the password.
    This also protects you from accidentally leaking password to remote desktop sessions or virtual machines that synchronize the clipboards.

  • by Jim Sadler ( 3430529 ) on Monday July 27, 2015 @10:43AM (#50190395)
    Not only password managers but institutions are screwing up online security and it has to be deliberate. Banks have vast restrictions on what one can use for a password. Really only weak passwords are allowed at many banks. Every night on the news we here whining about lack of security in financial transactions over the net. Yet the banks refuse the use of strong passwords. Other people must be noticing this. why is there no outcry?
  • by 0100010001010011 ( 652467 ) on Monday July 27, 2015 @12:39PM (#50191455)

    I gave up on trying to remember increasingly complex passwords and just remembered how to make them. Computers are great at doing complex math humans aren't. Humans can remember some things very easily (Correct Horse Battery Staple).

    Then I only have to remember or write down 3 things: The 'password', the length and the mapping.

    echo -n $password+$user+$website | sha256 | cut -c1-$length | [mapping]

    Where mapping maps the hex codes to a-z, a-Z, a-Z0-9, a-Z0-9!-). (You can make up your own charset and just use mod(charset length)).

    For example if my password was 'qwerty' I'd salt it such that my actual slashdot password would be:
    echo -n qwerty+0100010001010011+slashdot.org | sha256 | cut -c1-20
    050e48f9f39d4d481ec3

    It's not that much harder to implement in Python for use on Windows. (I just have a simple GUI).

    If you want to take it a step further just remember a pattern and then a start letter. qwerty, asdfgh and zxcvbn are the same 'password' in my brain. It's "Password 1, start q, a, or z'.

    I have everything written down on how to generate the passwords in a lock box and my wife knows my 'password'. So if I die and everything is locked she could get into any website she wanted just by following the instructions.

    All of our joint accounts do actually use our anniversary. Jan 1, 1980. 01Jan1980, etc are all going to generate different end passwords. You have to know both the date and the formatting, which she does.

    Stop remembering passwords and start remembering how to get to your password.

    • Provided that we now know how your passwords are created, finding your password is essentially not harder or easier than before. From a technical point of view of course. Actually, it probably is much easier now considering that, since you probably rely on your creation algorithm to introduce enough entropy, you probably choose simpler passwords.

Failure is more frequently from want of energy than want of capital.

Working...