It’s 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it’s recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don’t have to memorize anything or know a single digit/character!
I have to use the Don’t Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.
There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying “password paste-in” as antiquated/bad advice:
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets
Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.
Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you’re doing.
Just adding that financial institutions are very hesitant to adopt new technology, and therefore tend to abide by what tech enthusiasts would consider antiquated best practices.
Source: Software engineer in Fintech
Yup, that behavior is notorious with financial institutions. Using old and archaic programming languages and systems that they are too afraid to touch because they don’t know how to rebuild it if it crashes. What I do is use passphrases for cases like that, so I can easily type them myself as a last resort. I just check my password manager quickly and then manually enter the password.
Whats that? I cant hear you.
Can you say it again, but in COBOL?
Sure, but the NIST documents referenced in the post are admissible in court. With some creative thinking you can probably help a criminal break your weak password and then put the liability on them because if their webform was correct yoy would have pasted a strong password from your manager.
Only, last month Treasury Diirect finally removed the virtual keyboard as the only means of password entry 🙃
I don’t believe their passwords are case sensitive yet.
Can confirm. Source: cyber security analyst in fintech
Well, because it works “well enough” right now. Changing it is a monumental effort because they’re such slow ass big stupid companies anymore.
And when they fuck it up, and they will, no one wants to be the reason for it so it never happens