So, is the PAYPAL web page designed by idiots?

Hardware and technical stuff
#1

I decided on a whim that it was time to change some of my passwords, as they had been in use for a long time and it was time for an update.

Visiting paypal I quickly logged in with my old password and after fumbling around I found the password change page, entered my password and easily discovered “security questions” and clicked the button to change password.

I already had KEEPASS running (Password manager, https://keepass.info) so all I needed to do was to tell it to create a password at 20 characters using uppercase, lowercase, numbers, space, and whatnot…

I copied in my old password and saw it represented by asterisks and then copied the new password from keepass to the clipboard before attempting to paste it into their field…

boom

Now I’m told that “for security reasons” they would like me to enter the password by hand – which basically means typing something like a&¤#"m^P#¤&^*ô&;MN4 without even seeing which letters you are pressing – because they are being “secure site PRO” and displaying the password you are entering as … asterisks…

I’m fairly competent at typing on the keyboard but I am not going to enter such a password without even knowing if I am entering it correctly.

But fear not, because due to this you can have a password like
“PaypalSUCKS12” and be secure. + its easy to remember and type.

#2

You’ve got three choices:

  1. Security by rote, following a checklist provided by malicious consultants who change up the requirements every year so they can keep getting paid. Evidently the 2012 list included “passwords must not be pasteable.” It may not be user friendly, it may actually lead to inferior security, but at least it’s not totally insecure, that’s something.

  2. Security by improvisation, by people who haven’t worked in the field, who decide that it’s fine to save the password file on an Internet-facing webserver or to use SSNs as customer IDs or to use unsalted hashes. On any average day you can see a story in the Register about some major bank, healthcare provider, or online financial service who inexplicably went with this approach.

  3. Security by competent knowledgeable experts who tailor an appropriate solution for the needs of the operators and the users.

Oh yeah, you can’t choose number 3, because, well, I don’t know, but you can’t. I suppose someone keeps Bruce Schneier’s firm employed, but obviously Paypal isn’t doing so…

#3

Given what I know about web development, I suspect typing a little bit in the field, then deleting what you typed and pasting in the password might possibly work?

Worth a shot anyways.

Also worth trying: paste it in two parts, or type the first character and paste the rest.

#4

Suspect it is just a javascript that stops me from right clicking or using ctrl-c so I should be able to work around it, still very annoying.

@Mira; Yea. I love how my email address became the de-facto login everywhere at one point, instead of allowing you to create your own username. I miss being able to have a public Email address without giving the haxx0rs part 1 of the puzzle. But these days they just dump everything and use a cloud-based password cracking tool anyway…

Result: 4 email addresses to ‘spread the risk’.

@Wump; I’ll give it a shot. Cheers

#5

I haven’t run into that yet and I can tell just by reading it that it would send me through the roof. That does absolutely nothing to improve security.

#6

If they have a script blocking Ctrl+c, try Shift+Insert to paste instead. Lots of people tend to forget that there are two ways to copy and paste.

#7

The really annoying part is that the whole anti-cut-and-paste measure appears to be completely pointless, because there isn’t any reasonable scenario in which a hacker would be cutting-and-pasting passwords into the entry field anyway – obviously they would automate access attempts through a script that would seem to be typing the values just like a user.

There are two non-social-engineering ways to hack passwords for a particular account that target the website itself:

  1. Keep trying dictionary attacks through the actual login UI. This is trivially defeated by suspending login attempts for a few hours after 3 to 5 failures in a row.

  2. Hack the website and obtain the password file, hopefully in clear (if the site is really stupid) or unsalted (if merely incompetent). To do this, the attacker must more or less have taken over the website already, unless some collaborator in IT made a copy of the file, in which case the site is also screwed.

Other methods like trojans that run keyloggers are the user’s problem, not the website’s anyway.

So assuming your website security wasn’t set up by absolute imbeciles, it seems to me there’s no need for fancy measures. This is after all why the major failures make the news; most sites are secure enough for most purposes without having to invent new features to annoy their users.

#8

Uploaded with ImageShack.us

#9

I get that all the time. One site thinks “Password123” is weak and another thinks it is super secure.

#10

It’s usually that their rule wants a punctuation mark. Password+123 would be strong even if Password123 is weak.

#11

Got a reply from them today.

Thank you for contacting PayPal regarding to copy and paste your
password.

For security reason you have to always remember your password
and never save on your PC. For this reason you cannot copy and paste
your password in our system.

Your password not only protects your bank account details and credit
card number, but all other personal data in your PayPal account. A well
thought out password helps protect you from fraud.

#12

Wow, great reasoning there.

We not only know what’s right for our users, but we will enforce their correct behavior.

Except of course that they’re wrong; their measure enforces nothing to boot, but merely annoys the user.

#13

Try out LastPass (https://lastpass.com/). It has no problem autofilling my Paypal password.

#14

1Password works as well … hopefully they won’t be able to plug that up.

#15

Yeah, dunno why but LastPass has been just fine for logging into PayPal and updating my password.

#16

Actually, I’d not be surprised if it was a requirement of their banking licence.

#17

That password strength popup… o_O

Do people actually use their name or email address as passwords?

#18

Why do you think tech support hate users? It’s not for their “intelligence”.

#19

Well, the problem isn’t remembering my current password and entering it, Cut-and-paste works there…

But when you make a new password you are prevented from cut-and-paste’ing it…

And if you want to make your new password complex enough it is tricky to type it correctly when all you see are “*” as you enter keys.


It is even more awesome that you are allowed to PASTE your existing password when you login, AND when you enter it again upon password change, but you are NOT allowed to paste in a new password…

Edit: Figured I should block the offending javascript code but didn’t find a plugin for that for chrome, so I fired up Opera and it allowed me to paste a new password – even though the web site warned me that I was not allowed to paste a password.

#20

Well, the problem isn’t remembering my current password and entering it, Cut-and-paste works there…

But when you make a new password you are prevented from cut-and-paste’ing it…[/QUOTE]

LastPass will autofill newly generated passwords on the Change Password page as well.