
Let them paste passwords (2017) - notRobot
https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
======
jiggawatts
Making password entry difficult is like attempting weight loss by eating bland
food.

It's not the flavour that makes you fat.

Nonetheless, there's this _perception_ that something delicious can't be good
for a diet. People have this notion that to lose weight, there must be
_penance_. An element of punishing oneself for past transgressions seems
_essential_.

Security people have the same mindset. Security must be a hassle. It must be
in your face. It has to be _onerous_. A _challenge_. A hurdle to _get past_.

I've tried, over and over, to explain to my customers that often the slickest,
most hassle-free approach is the most secure. But this almost never sells.

Meanwhile, I see vendor after vendor successfully selling products that exist
only to irritate users.

~~~
tialaramex
There was a recent discussion on HN that branches into this idea about the
importance of UX. I agree with you, with a twist.

What you want is that the happy path for security is zero hassle, but the
unhappy paths should also drop dead with zero hassle.

This is the UX I really like for WebAuthn / U2F.

All the interactions on the happy path are very smooth. Need a second factor,
tap, go. Almost frictionless. On my phone for example you tap the same
fingerprint sensor that would ordinarily unlock the phone. Short of not having
a second factor at all it couldn't be smoother.

But if this is actually a phishing site or you're a crook who doesn't have the
hardware token, it just doesn't work. Still low friction in a sense, but low
friction failure. There is no way forward, no override, no "I'm sure", nothing
- it just won't work.

~~~
nine_k
Another unhappy path is very difficult.

Your phone got stolen or smashed. Your 2FA is just not available. Welcome to
the sea of hassle proving your identity.

But a little bit of hassle beforehand, in the form of printing one-time codes
and storing them even in your wallet would help dramatically.

~~~
davchana
Keep the 2fa code sequences safe in a separate keepass or any password
database; & you can move 2fa anytime. Even Google updated its Auth app to
export all keys.

~~~
LadyCailin
Wait, when? For iPhone? I just checked and don’t see it.

~~~
davchana
Oh sorry, I should have been clear; I use Android.

------
godot
On this point:

> write passwords down in places that are easy to find (like post-it notes
> next to the screen)

Writing passwords on post-it notes is often used to ridicule non-tech-savvy
folks' behavior. I'd like to pose this question: if you're doing this not at an
office, but at home, is this really so bad?

Say you run a web site on AWS and write your really long AWS password on a
piece of paper at home. It would take a hacker finding out where you live and
breaking into your house to find the piece of paper to access it. On the other
hand, your ordinary neighborhood burglars typically care about cash and
jewelry in your house, not post-it notes with passwords. It seems those two
categories of intruders rarely overlap, unless you're a world famous target.

~~~
Gibbon1
One solution is to use an easy to remember prefix with your passwords and only
write down the secure part.

Password is mayfly-DyHpE82sd3r3rvr!2sDQ

Part you write down is DyHpE82sd3r3rvr!2sDQ

~~~
namdnay
I used to write down numerical passwords interspersed number by number with a
friend's telephone number. Not exactly military-grade security, but enough to
make it non-obvious to someone looking through.

------
skrebbel
I just wanna highlight how nice it is to see a government agency write such a
clear, friendly, jargonless, blog-post-style piece of advisory.

I hope this is a peek into the future of government communication everywhere.

~~~
lukeramsden
For whatever weird reason, despite having completely incompetent governments
since the appearance of the internet, our country has world-class digital
services. The gov.uk design system[0] is a very good read, especially for
people who aren't experienced in UX design.

[0] [https://design-system.service.gov.uk/](https://design-system.service.gov.uk/)

~~~
tonyedgecombe
A lot of the credit goes to Francis Maude[1], the only MP I've heard talk
sensibly about software projects and development practices.

[1] [https://en.wikipedia.org/wiki/Francis_Maude](https://en.wikipedia.org/wiki/Francis_Maude)

------
canistel
Being a Firefox user, I have set dom.event.contextmenu.enabled and
dom.event.clipboardevents.enabled to false, so that I can continue
right-clicking and pasting.

~~~
CivBase
Is there a way to quickly toggle those on and off?

~~~
gear54rus
Why do you need to toggle them? Isn't pasting and right clicking useful
everywhere?

~~~
function_seven
Some SPAs and other sites have useful right click actions that I want to
preserve. Does this setting disable those?

(For the pasting, I agree with you. I can't think of a single reason I'd want
a website to prevent me from pasting)

~~~
canistel
You do not end up losing those. Both the popup menus - the site's as well as
the browser's - are shown, the latter on top of the former. Press Esc to make
your browser's vanish, and you still have the site's available.

~~~
function_seven
Thanks. I just toggled both of those settings.

------
api
So much of main line security practice is cargo cultism. There is so little
use of actual research and data on how compromises actually happen. Somebody
just gets the idea something is good for security and it sticks. No rationale
needed.

~~~
dangus
Related to this, every security team I’ve ever interacted with barely knows
how to work a computer and mostly operates off of commercially purchased
scanning tools and security agents.

My theory is that security is the least desirable part of the entire software
engineering stack - it’s boring, has a lot of blame and liability potential,
and it’s a cost center. Heck at least infrastructure folks get to brag about
things like cost optimizations.

As a result it seems to me that security attracts the kind of people who view
it as a way to wear a digital uniform and badge.

~~~
sl1ck731
I recently started a CISSP course and discovered this. I was so excited to
finally be getting into security and the next thing I know I'm 3 hours into
recordings about pointless jargon and control taxonomies. I know there is a
place for the latter at least, but it isn't something I want to do everyday.

~~~
SCHiM
Pivot to OSCP instead.

CISSP will have you learn the required strength of a light bulb to light the
alley behind the office. OSCP will introduce you to overflowing a buffer and
pwning a remote service...

I know which one I find preferable to learn :)

------
floatingsmoke
Also let them fill in their credentials in a single form. Two-step login makes
the password-manager experience terrible.

~~~
jondwillis
I have noticed many implementations appear to be able to capture the password
and have it auto-filled, or maybe my password managers are somehow able to
handle them. I’m not against it when it works like that, as there are
sometimes valid reasons for the design.

------
philsnow
Instead of resorting to a browser extension[0], consider solving this with
something like autohotkey, alfred, hammerspoon, etc.

This is my hammerspoon config that lets me do this, it's like 7 lines but
could just as easily be 1 line:
[https://gist.github.com/philsnow/48ae8a31f7e063b23d4013470f0...](https://gist.github.com/philsnow/48ae8a31f7e063b23d4013470f071783)

Benefit: works across all browsers, even daffy embedded (electron) ones where
it's inconvenient to install extensions.

[0] every browser extension you install that has a broad permissions manifest
is a liability; when they get popular, the authors start receiving offers of
money from sketchy people in exchange for adding 'extra' bits of JS

------
dang
Discussed quite a bit at the time:
[https://news.ycombinator.com/item?id=14366825](https://news.ycombinator.com/item?id=14366825)

------
mrtnmcc
Seems a plausible concern that malware on the PC can access the clipboard, so
they discourage copying their password into clipboard. But intercepting
keystrokes to another program (at least in Windows) doesn't require any
special permissions either. Would the concern more be background web tabs
(cross-site) accessing the global clipboard? Vaguely recall that was possible
a long time ago but likely locked down now.

~~~
geofft
As the article points out, for malicious sites that was true on IE 6 but no
longer, and for malicious local software you have bigger problems.

~~~
mrtnmcc
Thanks, didn't notice the popouts in the page. That's right... IE6 was the
menace.

------
spicyramen
One of the most useful usability changes is displaying your password; when
using mobile it is a great advantage. Pasting can be useful in the mobile case
as well, as sometimes typing on cellphones is not the easiest thing to do.

------
tony-allan
My simple response. Stop using websites and apps that prevent pasting because
it implies that the website or app has no idea how to secure their website or
app properly.

~~~
callalex
The web is unfortunately too ubiquitous for this approach. If I get hired by
someone, I have to use the website they chose for pay stubs, or health
insurance descriptions, or direct deposit configuration, or stock option
distribution, or many other life-essential services that an individual has
absolutely no control of. Sure I can complain to HR, but it will fall on deaf
ears that were sold by a shitty SaaS pitch that made some loser’s life mildly
easier in return for a subscription payment.

And that’s not even touching all of the government websites that behave in
this way.

------
gorgoiler
Ahhh, guess the age of the graffiti. Far more likely, these days:


    // A bare copy of document.querySelector loses its `this` binding and throws when called,
    // so wrap it in an arrow function
    const q = s => document.querySelector(s);
    // Block paste on the password field (the anti-pattern the article argues against)
    q('#password').onpaste = e => e.preventDefault();

------
wltprgm
My piece of advice: don't take your brain memory for granted.

In this era of information technology everyone is bombarded with so much data
that they don't know how to think and memorize.

Thinking and memorizing can strengthen your brain muscles, but people hate
exercising their bodies and their brains.

I do use keepass for managing different passwords, but I kind of memorize most
of them, and only open keepass for storing them in case I ever forget.

~~~
iso1631
How on earth could I remember random complex passwords I use once a year?

I can memorise af58f916cc0cb22193c18f02d3c1cc3e easily, but once you work out
(perhaps a keylogger) why that's my paypal password, my google password of
68b31385067f73977c6007cefcddbe74 falls quickly

~~~
searchableguy
I think that's a bit of a stretch. You can use rememberable long phrases.

Back in 2012, my facebook password was
_idontunderstandthepointofonlinefriends2011_. I don't think it's easy to
forget something like that.

~~~
iso1631
The quoted passwords are md5 sums of _paypalformyusername_ and
_googleformyusername_

Easy to remember, and you'd have to be very determined to get the link between
them even if both were compromised, but if the plain text version was
compromised then it would compromise the entire system

That's the most secure system I can think of which doesn't involve remembering
thousands of complex random passwords. Sure I can remember
"correcthorsebatterystaple", but can I remember which 4 words for which
specific site?

------
based2
[https://askubuntu.com/questions/287444/how-to-clean-the-clipboard](https://askubuntu.com/questions/287444/how-to-clean-the-clipboard)

[https://forums.linuxmint.com/viewtopic.php?t=286096](https://forums.linuxmint.com/viewtopic.php?t=286096)

[https://stackoverflow.com/questions/60937438/how-to-clear-the-clipboard-in-debian-buster-via-terminal](https://stackoverflow.com/questions/60937438/how-to-clear-the-clipboard-in-debian-buster-via-terminal)

[https://stackoverflow.com/questions/48490382/how-to-clear-both-clipboards-securely-in-gnome-from-python](https://stackoverflow.com/questions/48490382/how-to-clear-both-clipboards-securely-in-gnome-from-python)

------
ddevault
If I had my way, we'd remove all event listeners from <input> and <textarea>
and <select> entirely.

~~~
clarry
If I had my way, there'd be no scripts on the web.

------
zamalek
Some password manager browser extensions circumvent password paste prevention,
so that's worth looking into.

~~~
jimmaswell
I've resorted to autohotkey keyboard shortcuts to simulate typing in
credentials at times.

When I had to log into this one vpn for work I even used to have it open the
2fa app, click the button to copy the code, open the vpn app, enter all the
fields, and log in all from one keyboard shortcut.

~~~
Gibbon1
I've long thought you should be able to use a hot key + insecure password to
generate a strong time limited password. Insecure password could be just the
website domain name for all it matters.

You can have the keyboard handle everything

------
RyanShook
What password manager do you use? I have been using Avast PW Manager, but it
appears to no longer be maintained.

~~~
ChrisSD
KeePassXC, LastPass, Bitwarden and 1Password are the major ones.

~~~
6c696e7578
KeePassXC is my current favourite. Some of the keyboard shortcuts don't seem
the same as KeePass though. Nice piece of software though.

------
gitgud
Is that first image real? I don't think I've ever seen JavaScript graffiti
before...

~~~
hanche
Highly unlikely, I think. The letters are too crisp. And the way the text
follows the corners, while cleverly done, doesn't reflect the way real graffiti
would be done.

------
mmcnl
I've never encountered a website that prevented me from pasting a password. Is
this truly a thing?

~~~
viraptor
[https://www.ing.com.au/securebanking/](https://www.ing.com.au/securebanking/)
for example.

They even scramble the keypad and vary the last 2 bits of the colour, so you
need to do an approximate match on the buttons. Still takes maybe 40 lines of
python to automate the login.

