
We'd lose our security certificate if we allowed pasting - mofle
https://twitter.com/BritishGasHelp/status/463619139220021248
======
fdej
They probably hired the same security consultant as my bank, which requires
your online password to be exactly six characters long. My hypothesis is that
this is a technical limitation due to the password being stored as a char(6)
in their database.

~~~
a_bonobo
Same goes for Virgin Mobile (at least here in Australia), which ALSO requires
you to only use numbers. Last week they forced me to change my password due to
an "important change" - ascending or descending numbers were not allowed
anymore. I guess they had a look at their plain text password database and
realized that 99% of their users used 123456.

Edit: Australia seems to be using the US system:
http://www.bitdefender.com/security/hacking-virgin-mobile-user-accounts-too-easy-dev-says-due-to-six-digit-passwords-number-only-pins.html

~~~
freditup
I have Virgin Mobile in the US (it's one of the cheapest options with good
quality phones), and it seems the same. It made me set a 6-digit PIN as my
password, and my phone number is my username. Here are the requirements listed
on their website:

Your Account PIN must be:

- 6 numbers (no letters or special characters)
- no more than 3 identical numbers in a row (222)
- no more than 3 sequential numbers (such as 234)

If I did the math right, that's approximately 900,000 possible passwords,
which is obviously really low.
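
The arithmetic behind the 900,000 estimate, worked as an added example (this is not code from any poster in the thread). It enumerates every 6-digit string and keeps those that pass the posted rules under one reading of them, which is an assumption: a run of three identical digits (222) is rejected, and a run of three ascending or descending digits (234, 432) is rejected. The surviving count is the keyspace an online guessing limit has to defend, so the script also reports the average number of attempts needed to hit a uniformly chosen PIN.

```python
import itertools

PIN_LENGTH = 6
# Assumed reading of the posted rules: a run of 3 identical digits is rejected,
# and a run of 3 sequential digits in either direction is rejected.
MAX_IDENTICAL_RUN = 2
MAX_SEQUENTIAL_RUN = 2


def longest_run(digits, step):
    """Length of the longest stretch where each digit is `step` more than the previous one.

    step=0 measures repeated digits (222), step=1 ascending runs (234),
    step=-1 descending runs (432).
    """
    best = run = 1
    for prev, cur in zip(digits, digits[1:]):
        run = run + 1 if cur - prev == step else 1
        best = max(best, run)
    return best


def pin_allowed(pin, max_identical=MAX_IDENTICAL_RUN, max_sequential=MAX_SEQUENTIAL_RUN):
    """Apply the posted policy to one candidate PIN string."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    digits = [int(c) for c in pin]
    return (longest_run(digits, 0) <= max_identical
            and longest_run(digits, 1) <= max_sequential
            and longest_run(digits, -1) <= max_sequential)


def count_allowed_pins(max_identical=MAX_IDENTICAL_RUN, max_sequential=MAX_SEQUENTIAL_RUN):
    """Size of the keyspace that survives the policy, by exhaustively checking all 10**6 candidates."""
    return sum(
        pin_allowed("".join(t), max_identical, max_sequential)
        for t in itertools.product("0123456789", repeat=PIN_LENGTH)
    )


def expected_guesses(keyspace):
    """Average number of online guesses to find a uniformly chosen PIN: half the keyspace."""
    return keyspace / 2


if __name__ == "__main__":
    unconstrained = count_allowed_pins(PIN_LENGTH, PIN_LENGTH)  # no run can exceed 6, so nothing is rejected
    constrained = count_allowed_pins()
    print(f"all 6-digit PINs:            {unconstrained:>9,}")
    print(f"PINs allowed by the policy:  {constrained:>9,}")
    print(f"average guesses to find one: {expected_guesses(constrained):>11,.0f}")
```

The point the numbers make is the one freditup draws: the complexity rules shave only a few percent off a space that is already tiny, so they buy nothing without a throttle on the login endpoint.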

~~~
kevinburke
Yeah, I wrote about this a few years ago and got a lot of press for it. They
didn't really fix it, but at least they started rate limiting by IP address.
https://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

~~~
freditup
Is rate limiting by IP the best way to handle something like this (other than
the obvious, allowing better passwords)? You could obviously rate limit by
account, but then you make it easy for anyone to lock anyone else out of their
account. And obviously rate limiting by cookies as mentioned is awful.

~~~
kevinburke
There's no great way to "handle" something like this besides modifying the
protocol to be less vulnerable.
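
One way to handle the trade-off freditup raises, written here as an added example (not code from any poster or from Virgin Mobile): failed attempts are counted in a sliding window on two separate keys, source IP and target account. Crossing the per-account threshold triggers a step-up challenge (second factor or CAPTCHA) instead of a lockout, so a stranger who hammers your username cannot lock you out; the per-IP threshold catches one source spraying guesses across many accounts. The class name, thresholds and the injectable `clock` are my assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter keyed on two dimensions: source IP and target account."""

    def __init__(self, window_seconds=900, ip_limit=50, account_limit=10, clock=time.monotonic):
        self.window = window_seconds
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)

    def _recent(self, bucket, key):
        """Drop timestamps older than the window and return how many failures remain."""
        cutoff = self.clock() - self.window
        q = bucket[key]
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def check(self, account, ip):
        """Decide what to do with a login attempt before the password is checked.

        'block_ip' -> this source has failed too often across any accounts: refuse the request
        'step_up'  -> this account is under attack: demand a second factor or CAPTCHA,
                      but do not lock it, or anyone could lock the real owner out
        'allow'    -> proceed to the normal password check
        """
        if self._recent(self._by_ip, ip) >= self.ip_limit:
            return "block_ip"
        if self._recent(self._by_account, account) >= self.account_limit:
            return "step_up"
        return "allow"

    def record_failure(self, account, ip):
        now = self.clock()
        self._by_ip[ip].append(now)
        self._by_account[account].append(now)

    def record_success(self, account):
        """A successful login shows the owner is present: clear the account counter only.

        The IP counter is deliberately left alone; otherwise a source could reset it by
        logging in to an account it controls between guesses at someone else's.
        """
        self._by_account.pop(account, None)
```

The per-IP dimension is coarse: many customers behind one carrier NAT share an address, and a spread of sources evades it, which is why the per-account step-up is the part that actually protects a given user.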

------
pjc50
Almost all big companies handle security on this kind of cargo-cult basis,
because it's easier than finding someone who understands security and letting
them overrule stupid ideas.

~~~
nraynaud
maybe this loud PR thing will go up to the people in charge and stuff could be
actually resolved at the root? Or maybe it will just be forbidden to tweet
about internal policies in the future for security reasons, NSA cover style.

~~~
higherpurpose
I was hoping the Target CEO firing/resignation due to security issues would
spark a little bit of security interest from other companies, too.

~~~
crazypyro
Target was bleeding money in Canada expansion. I doubt the data breach was the
only central issue.

------
DanBC
So, this is just someone on the BritishGas twitter account. We do not know if
that person is repeating accurately what they've been told or just making
stuff up.

Assuming they asked the correct people in BG website accounts security, and
those people said "it's to prevent brute force attacks" we do not know if
that's the real reason they do it or if it's just what they say to people who
ask.

What is really frustrating is that there is no possibility of getting this
changed - allow people to paste their passwords and use rate limiting to catch
brute forcing.

Having said that, some aspects of BG's computer system are horrific for
customers so I don't doubt that they do stupid things for stupid reasons.

~~~
mattstocum
Thank you! I get amazed every time the internet freaks out because XYZ Company
confirms "blah", when in reality, it's just a single service rep, who probably
just wants to get you off of the phone.

~~~
crazypyro
It's way worse with the advent of social media consultants/reps because their
stupid explanation gets saved for the entire world to see, even if it's about a
section of a multi-billion dollar company they have no idea about. Low level
reps have never had such an impact on companies as they do on social media.

------
timdierks
The tweeter (probably a non-technical support person, so go gently on him or
her as an individual) has revised the statement:

"@passy I'm mistaken about the website security certificate but avoiding
pasting of passwords is good practice & protects our customers 1/2"
[https://twitter.com/BritishGasHelp/status/463679554306203648](https://twitter.com/BritishGasHelp/status/463679554306203648)

"@passy especially when using public computers. Alpha numerical policy ensures
your protection without making special characters necessary"
[https://twitter.com/BritishGasHelp/status/463681274092462080](https://twitter.com/BritishGasHelp/status/463681274092462080)

~~~
rwhitman
I did work for a very security-minded HR outsourcing company on an html site
to be used on a public kiosk and we also disabled paste via javascript for the
same reason - to prevent a user from being able to paste in a previous user's
password at the same terminal.

~~~
zaroth
Makes no sense at all... Where ELSE might I be able to paste the contents of
my clipboard?

Now, clearing the clipboard AFTER pasting, that might actually make sense!

------
mixedbit
Reminds me of a password security policy that listed few SQL statements that
can't be used in passwords.

~~~
tempodox
That was probably to prevent SQL injection, right?

~~~
Zikes
Properly implemented parameterized SQL would allow

    '; drop table users; --

as a password without batting an eye.

~~~
sp332
But since you can't guarantee that every programmer and contractor, including
future ones, write proper SQL, it's nice to reduce the attack surface a bit.

~~~
KMag
Reduce the attack surface by running the password through a proper modern Key
Derivation Function (KDF) such as Scrypt before passing it to the database,
not by running it through a few regexes.

------
DomBlack
It always concerns me when big companies like this do weird things when it
comes to passwords. Why do banks for instance have stupid password
requirements; max lengths, disallowing certain characters, etc.

Surely if they are hashing the passwords in any form then it doesn't matter
how long the password is or what characters it contains.

I understand perhaps the view is some people are not good at remembering
passwords and so would forget a complicated password - but they are unlikely
to use a long password or special characters if that's the case.

Or am I just missing something major here?

~~~
frou_dh
> ... stupid password requirements; max lengths ...

> ... if they are hashing the passwords in any form then it doesn't matter how
> long the password is ...

Max lengths aren't inherently stupid. Presumably no one thinks 250MB password
submissions should be handled, so you _will_ be picking some number (possibly
imposed on you by your stack).

~~~
lmm
If you're hashing it who cares if someone wants to submit a 250MB password?
They'll only be slowing their own session down - what I store in the database
is always 256 bits either way.

~~~
calpaterson
Because your app has to load it all into memory. Submitting many, very large
payloads is a well known denial-of-service attack
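
Tying together Zikes's point about parameterized SQL, KMag's point about running the password through a KDF, and the max-length discussion just above, here is an added example (not code from any poster): the password is capped at the request layer, turned into a salted scrypt hash, and only the hash bytes are bound into a parameterized INSERT, so `'; drop table users; --` is stored as an ordinary credential. The 1024-byte cap, the scrypt cost parameters, and the table and function names are my assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_PASSWORD_BYTES = 1024  # assumption: generous cap so oversize bodies are rejected before the KDF runs
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed interactive-login cost; tune to your hardware
DUMMY_SALT = bytes(16)  # used so an unknown username still costs one KDF call


def hash_password(password, salt=None):
    """Return (salt, 32-byte scrypt output). Raises ValueError instead of hashing oversize input."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(raw, salt=salt, **SCRYPT)


def create_schema(conn):
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )


def fresh_db():
    """In-memory SQLite database with the users table, for demonstration."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    return conn


def register(conn, username, password):
    """Store the user; the password text never reaches the SQL engine, only the bound hash bytes do."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)", (username, salt, digest)
    )
    conn.commit()


def verify(conn, username, password):
    """Recompute scrypt with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password, DUMMY_SALT)  # keep timing similar for unknown users
        return False
    salt, stored = row
    _, digest = hash_password(password, bytes(salt))
    return hmac.compare_digest(digest, bytes(stored))


if __name__ == "__main__":
    db = fresh_db()
    register(db, "zikes", "'; drop table users; --")
    print("correct password accepted:", verify(db, "zikes", "'; drop table users; --"))
    print("wrong password rejected:  ", not verify(db, "zikes", "hunter2"))
    print("users table still exists: ", db.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 1)
```

The cap answers calpaterson's objection and lmm's at the same time: the server buffers at most 1 KB per attempt before deriving a fixed 32-byte hash, so the length limit is a resource bound on the endpoint, not a property of what gets stored.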

------
quchen
Before laughing at how stupid this is, remember that your debit card is
secured by a password that consists of exactly four decimal digits. I really
wonder when this is finally going to change, but I hear some futuristic banks
allow up to six digits already.

~~~
eximius
Mine is 10 digits. I thought the 4 digit limit was just a societal assumption?
(I'm being serious, I thought it was (near) universally allowed to be longer,
people just didn't bother.)

Is this not the case?

~~~
relix
Not common, and using anything other than 4 digits is not wise if you want
universal support especially when travelling - 6 digit cards are not 100%
compatible with every ATM/card machine because some (most?) only allow 4 code
entry. I've never heard of 10 digits and the compatibility must be even more
limited. Where do you live and what happens if you try to use your card at
ATMs abroad?

------
reboog711
To me this sounds like a crazy PCI Compliance related rule; and someone who
doesn't understand anything about the PCI Compliance process or brute force
hacking made the tweet.

When I ran a web-site with an e-commerce store that accepted credit cards; I
was required to have PCI Compliance scans done.

One of the things they had me do was turn off the autocomplete on the password
field with autocomplete="off". I have no idea how that makes things more
secure.

A lot of the things they made me do in order to be PCI compliant made no sense
to me. I think I spent a week trying to convince them that my "error" page
which showed up when someone mistyped a URL was not a security risk and was
not something I should remove.

~~~
droope
autocomplete=off does not prevent you from using keepass, it prevents your
browser from storing your password in your HD in plaintext.

It's arguable that it's not the website's decision where the user caches its
passwords, but in high security environments I don't think it is overkill.

~~~
TheRealWatson
I doubt the autocomplete browser feature applies to password entry. It would
freak people out if their browser started suggesting the password as you
typed. It does apply for the username/email field, though.

~~~
aaronem
For a password field, "autocomplete" doesn't mean to suggest candidate
completions, but rather to prefill with the password part of a previously
saved username-password pair, and to offer to save such a pair (or update an
existing one with a newly entered and different password) when the form is
submitted. Giving the field an "autocomplete" attribute with the value "off"
disables this behavior, which matters for PCI compliance because it forestalls
browsers from storing the password when they might do so insecurely.

------
tempodox
I would guess that the single greatest hole in computer / network security
comes from the terror regime of incompetently enforced “security”. Users WILL
get their revenge by undermining such measures any way they can in order to
re-establish some usability. Like the best camera is always the one you have
with you, the best security is the one your users will actually support, and
not feel forced to circumvent.

------
TeMPOraL
Call me a conspiracy nut but after reading all the accounts of banks and
companies ridiculously reducing keyspace in weird ways (give me a good legacy-
tech reason for [0]...) I'm starting to believe that they're doing it on
purpose.

[0] https://news.ycombinator.com/item?id=7704235

------
alexhektor
PayPal does this in some scenarios as well. For one of my accounts, I can't
paste the password from a password manager. Does no one here know why?

http://ask.metafilter.com/221964/Why-does-PayPal-want-me-to-have-a-crappy-password

------
ahdkaw
My bank has a password-subset request form for logging in. This of course
means that passwords are not being hashed. Also, I can be positive that the
keystrokes used for the subset are recorded and are visible to staff ("you
have the correct letters, just try turning off CapsLock" was one response I
got).

------
K0nserv
OS X does the same thing when entering passwords for private keys through the
keychain.

------
troels
'Brute Force'? I do not think it means what he thinks it means.

------
venomsnake
If only there were malevolent hackers that could create, I don't know, automated
post (please let it be post!!!) requests. That would be a brute forcing
nightmare.

It is good that there is no such thing possible.

------
jglazko
Thanks for sharing. Made a great start to my day. I just hope the callers don't
start asking why we allow it!

