It’s 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it’s recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don’t have to memorize anything or know a single digit/character!

I have to use the Don’t Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.

There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying “password paste-in” as antiquated/bad advice:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets

Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you’re doing.

  • Pechente@feddit.de
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    This one always surprises me. Who the fuck is not hashing passwords? What else is wrong with this site if such basic concepts are ignored?

    • Pika@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      or sometime they do hash the password but they are just ignorant of how it works so they keep the limit regardless

    • Caaaaarrrrlll@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      There’s a website that an apartment I stayed at used for registering vehicle license plates. They have a towing company come around at night and tow anyone not registered on the website. The website emails me my password in plaintext when I go to reset it. I’ve complained to the apartment manager and the website’s contact points, but gotten nowhere, they still have this behavior today. It’s ridiculously stupid and ignorant.

    • argv_minus_one@beehaw.org
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      If you use a proper password hash function, and some joker submits a million-character password, you’ve got a denial-of-service attack.

      The limit doesn’t have to be 12 characters, but there does need to be a limit.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Why would that be a DOS? The hash of something is always the same length. Might only take a bit more time to compute, but a million characters isn’t that much with modern hardware. If anything, the risk of collisions would be higher.

        • foo@withachanceof.com
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Hashing is typically done server-side. So you need to transmit the password to the server and you can’t have a truly unlimited data limit. Pretty much every web server will reject requests over some size so while it’s entirely reasonable to support something like a 1,000 char password if you really wanted to, having it be truly unlimited with something using a 10 million character password is a security/operational risk in itself.