So, is the PAYPAL web page designed by idiots?

I decided on a whim that it was time to change some of my passwords, as they had been in use for a long time and it was time for an update.

Visiting paypal I quickly logged in with my old password and after fumbling around I found the password change page, entered my password and easily discovered “security questions” and clicked the button to change password.

I already had KEEPASS running (Password manager, https://keepass.info) so all I needed to do was to tell it to create a password at 20 characters using uppercase, lowercase, numbers, space, and whatnot…

I copied in my old password and saw it represented by asterisks and then copied the new password from keepass to the clipboard before attempting to paste it into their field…

boom

Now I’m told that “for security reasons” they would like me to enter the password by hand – which basically means typing something like a&¤#"m^P#¤&^*ô&;MN4 without even seeing which letters you are pressing – because they are being “secure site PRO” and displaying the password you are entering as … asterisks…

I’m fairly competent at typing on the keyboard but I am not going to enter such a password without even knowing if I am entering it correctly.

But fear not, because due to this you can have a password like
“PaypalSUCKS12” and be secure. + its easy to remember and type.

You’ve got three choices:

  1. Security by rote, following a checklist provided by malicious consultants who change up the requirements every year so they can keep getting paid. Evidently the 2012 list included “passwords must not be pasteable.” It may not be user friendly, it may actually lead to inferior security, but at least it’s not totally insecure, that’s something.

  2. Security by improvisation, by people who haven’t worked in the field, who decide that it’s fine to save the password file on an Internet-facing webserver or to use SSNs as customer IDs or to use unsalted hashes. On any average day you can see a story in the Register about some major bank, healthcare provider, or online financial service who inexplicably went with this approach.

  3. Security by competent knowledgeable experts who tailor an appropriate solution for the needs of the operators and the users.

Oh yeah, you can’t choose number 3, because, well, I don’t know, but you can’t. I suppose someone keeps Bruce Schneier’s firm employed, but obviously Paypal isn’t doing so…

Given what I know about web development, I suspect typing a little bit in the field, then deleting what you typed and pasting in the password might possibly work?

Worth a shot anyways.

Also worth trying: paste it in two parts, or type the first character and paste the rest.

Suspect it is just a javascript that stops me from right clicking or using ctrl-c so I should be able to work around it, still very annoying.

@Mira; Yea. I love how my email address became the de facto login everywhere at one point, instead of allowing you to create your own username. I miss being able to have a public Email address without giving the haxx0rs part 1 of the puzzle. But these days they just dump everything and use a cloud-based password cracking tool anyway…

Result: 4 email addresses to ‘spread the risk’.

@Wump; I’ll give it a shot. Cheers

I haven’t run into that yet and I can tell just by reading it that it would send me through the roof. That does absolutely nothing to improve security.

If they have a script blocking Ctrl+c, try Shift+Insert to paste instead. Lots of people tend to forget that there are two ways to copy and paste.

The really annoying part is that the whole anti-cut-and-paste measure appears to be completely pointless, because there isn’t any reasonable scenario in which a hacker would be cutting-and-pasting passwords into the entry field anyway – obviously they would automate access attempts through a script that would seem to be typing the values just like a user.

There are two non-social-engineering ways to hack passwords for a particular account that target the website itself:

  1. Keep trying dictionary attacks through the actual login UI. This is trivially defeated by suspending login attempts for a few hours after 3 to 5 failures in a row.

  2. Hack the website and obtain the password file, hopefully in clear (if the site is really stupid) or unsalted (if merely incompetent). To do this, the attacker must more or less have taken over the website already, unless some collaborator in IT made a copy of the file, in which case the site is also screwed.

Other methods like trojans that run keyloggers are the user’s problem, not the website’s anyway.

So assuming your website security wasn’t set up by absolute imbeciles, it seems to me there’s no need for fancy measures. This is after all why the major failures make the news; most sites are secure enough for most purposes without having to invent new features to annoy their users.


I get that all the time. One site thinks “Password123” is weak and another thinks it is super secure.

It’s usually that their rule wants a punctuation mark. Password+123 would be strong even if Password123 is weak.

Got a reply from them today.

Thank you for contacting PayPal regarding to copy and paste your
password.

For security reason you have to always remember your password
and never save on your PC. For this reason you cannot copy and paste
your password in our system.

Your password not only protects your bank account details and credit
card number, but all other personal data in your PayPal account. A well
thought out password helps protect you from fraud.

Wow, great reasoning there.

We not only know what’s right for our users, but we will enforce their correct behavior.

Except of course that they’re wrong; their measure enforces nothing to boot, but merely annoys the user.

Try out LastPass (https://lastpass.com/). It has no problem autofilling my Paypal password.

1Password works as well … hopefully they won’t be able to plug that up.

Yeah, dunno why but LastPass has been just fine for logging into PayPal and updating my password.

Actually, I’d not be surprised if it was a requirement of their banking licence.

That password strength popup… o_O

Do people actually use their name or email address as passwords?

Why do you think tech support hates users? It’s not for their “intelligence”.

Well, the problem isn’t remembering my current password and entering it, Cut-and-paste works there…

But when you make a new password you are prevented from cut-and-pasting it…

And if you want to make your new password complex enough it is tricky to type it correctly when all you see are “*” as you enter keys.


It is even more awesome that you are allowed to PASTE your existing password when you login, AND when you enter it again upon password change, but you are NOT allowed to paste in a new password…

Edit: Figured I should block the offending javascript code but didn’t find a plugin for that for chrome, so I fired up Opera and it allowed me to paste a new password – even though the web site warned me that I was not allowed to paste a password.

Well, the problem isn’t remembering my current password and entering it, Cut-and-paste works there…

But when you make a new password you are prevented from cut-and-pasting it…

LastPass will autofill newly generated passwords on the Change Password page as well.