copy&paste of passwords forbidden

cherokee
Community Member
edited November 2016 in Mac

Yesterday, I tried to change my password at eBay.
Doing that I learned that pasting the old password copied from 1Password's Safari extension did not work. Pasting the new password (twice) did not work either.
The eBay staff told me that pasting passwords is forbidden at the eBay site because of security reasons.

I always thought that typing passwords was less secure than copy&paste.
What is right?
If copy&paste was insecure, what mechanisms does 1Password use to fill passwords into web forms?
If you use others, why are your mechanisms more secure than both typing and copy&paste?

Best regards,
cherokee


1Password Version: 6.3.5 Mac App Store
Extension Version: 4.6.1
OS Version: OS X 10.10.5
Sync Type: iCloud

Comments

  • pervel
    Community Member

    PayPal is simply being ignoramuses here. Disallowing paste into password fields decreases security precisely because you then urge people to have weak passwords. It's quite amazing that a big company like PayPal would do this.

    Security expert Troy Hunt has a good blog post about this issue: https://troyhunt.com/the-cobra-effect-that-is-disabling/

  • AGAlumB
    1Password Alumni

    I think it's likely a case of conflating a couple of separate issues. It's certainly insecure in many cases where people are copying and pasting passwords, because they're doing so from a text file or spreadsheet, in the clear on their computer. I don't think we're to the point yet where a majority of internet users (or eBay's, in particular) are using a password manager to store login credentials securely. So I'll give them the benefit of the doubt and assume that they're trying to design for a typical user. There are also certainly risks with copying and pasting if your machine is compromised, but at that point all bets are off anyway.

    However, that doesn't change the fact that if someone is copying and pasting passwords as part of a security strategy — for example, using 1Password to securely store long, strong, unique passwords for each site — then these sorts of policies do in fact weaken security by making it more difficult for the user to do the right thing. Definitely problematic on a number of levels.

    That said, while 1Password is focused primarily on login filling, if you have a login item saved for a website, generally you can also use 1Password to fill on password change forms as well. Just be sure to hold down the Option key to prevent Autosubmit (if it is enabled), so you have a chance to enter other information on the page. 1Password can often fill programmatically even in cases where pasting is not possible, and that includes filling a new generated password. And any time you run into an issue, be sure to let us know so we can continue to improve 1Password for everyone. Cheers! :)

  • macmac1
    Community Member

    I seem to be running into the same problem at more websites. For example, Fidelity no longer accepts pasted passwords, and their support team acknowledged that users are complaining that it is forcing them to use shorter passwords that are easier to remember and type. My rep agreed to pass on a note that I am worried that one of the sites that I most want to be secure is actually now my most vulnerable.
    I would really like to see some active and effective lobbying by the agilebits team to change these well-intentioned but harmful policies. It makes 1PW less useful, and its users less secure. If site security strategists want to help, they should encourage (or, better yet, incentivize) the use of reliable password managers like 1PW.

  • AGAlumB
    1Password Alumni

    To be fair, that doesn't necessarily result in vulnerability...but you're right that it can certainly disincentivize people from using good security practices. :(

    Unfortunately the only place we really have influence is with security conscious folks like you who are probably already using 1Password anyway. Occasionally we'll hear from a web developer who loves 1Password as much as we do, and we're always happy to discuss ways of designing compatible websites, which helps not only password managers but also folks dependent on accessibility.

    Ultimately the best incentive for change tends to be economic. So while we're not able to throw money at millions of web developers out there to "persuade" them to not stand in the way of their users' security, it's good business strategy to make it easier for their customers to be more secure. Of course secure customers incur lower support costs, and happy customers tend to stick around. Never hurts to use both the carrot and the stick. ;)

  • cherokee
    Community Member

    There exist apps like "ForcePaste". Can you imagine adopting its function into 1Password?

  • AGAlumB
    1Password Alumni

    It's certainly something we can consider for the future. Thanks for the suggestion! :)

This discussion has been closed.