And why prevent paste? Just ran into this recently on PayPal when I wanted to change my password. I generated one in Passpack and tried to paste it in, no can do. Ridiculous.
Apple does this, too. Not just on password change forms, but on login forms. Drives me nuts, as I use a password manager and my passwords are 24 characters of garbage.
Edit: Apparently I can't reply to the next comment, but keepassx also has the feature that passwords are cleared from the clipboard after 30 seconds.
I ran into this same problem. Had to use the Chrome Web Inspector to get around it. I believe it's a part of PCI compliance, but plenty of sites accept credit cards without that nonsense so I'm not sure. GetGamesGo.com does the same thing.
Please, in the future, whenever talking about PCI compliance, cite chapter and verse. There's more than enough wild speculation running around about it, all sorts of myths are repeated and propagated.
I asked a GetGamesGo employee about the pasting issue and that is what he told me. Let me get the full quote:
"Cut/paste passwords – that’s a stipulation of PCI compliance. We could scrap it, but they ask for it. We have to be PCI compliant on card processing."
I provided as much information as I had available, I do not know the chapter/verse. Apologies if I spread any misinformation, I took this rep at his word.
I have spent a fair bit of time reading the PCI standards and I have never seen such a requirement. I suppose it is possible that some sort of independent auditor is making that call but it isn't in the standard anywhere I can see. (Auditors seem to have a huge amount of discretion here.)
In situations where you have a textfield "enter password" and another textfield "re-enter password", it would probably make sense to prevent pasting into the second field iff you didn't paste into the first field.
Better yet, if you pasted it into the first field, the second field should become disabled.
This is because usually password fields are not in clear-text but display stars for letters, so you don't know if you accidentally mistyped the password. But if you pasted it in in the first field already, there's no reason you should have to paste it a second time.
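The policy the comment above describes (a confirm field is only needed when the first field was typed; if the password was pasted, retyping it proves nothing), as an added example that is not code from the thread or from any of the sites discussed. It is a plain state model so it runs under Node; the DOM wiring is noted in comments, and the `mode` option, field names and function names are assumptions for illustration. It also covers the stricter "iff" variant (reject paste into the confirm field unless the first field was pasted too):

```javascript
// Added example (not from the thread): a model of the confirm-password policy.
// mode "disable-confirm": a pasted first field disables the confirm field.
// mode "block-paste":     paste into the confirm field is rejected unless the
//                         first field was pasted as well (the "iff" rule).
function createForm(mode = "disable-confirm") {
  return { mode, password: "", confirm: "", pasted: false };
}

// Wire to the first field's 'paste' ClipboardEvent, e.g.
//   el.addEventListener("paste", e => { state = pastePassword(state, e.clipboardData.getData("text")); });
// The 'paste' event fires for the keyboard shortcut, the context menu and the
// browser's Edit menu alike, so it has none of the gaps of a keydown handler
// that only looks for Ctrl+V.
function pastePassword(form, text) {
  return { ...form, password: text, pasted: true, confirm: "" };
}

// Wire to the first field's 'input' event for keystrokes
// (InputEvent.inputType !== "insertFromPaste"). Any typed edit means the
// value is no longer the pasted one, so confirmation is required again.
function typePassword(form, text) {
  return { ...form, password: text, pasted: false, confirm: "" };
}

function confirmDisabled(form) {
  return form.mode === "disable-confirm" && form.pasted;
}

// Paste into the confirm field: ignored when the field is disabled, and in
// "block-paste" mode rejected when the first field was typed.
function pasteConfirm(form, text) {
  if (confirmDisabled(form)) return form;
  if (form.mode === "block-paste" && !form.pasted) return form;
  return { ...form, confirm: text };
}

function typeConfirm(form, text) {
  if (confirmDisabled(form)) return form;
  return { ...form, confirm: text };
}

// Submission rule: a pasted password needs no confirmation; a typed one must
// match what was typed into the confirm field.
function canSubmit(form) {
  if (form.password.length === 0) return false;
  if (form.pasted) return true;
  return form.password === form.confirm;
}
```

The design choice worth noting is that the model keys off the `paste` event rather than key combinations, which is why a right-click paste behaves exactly like Ctrl+V here.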
I changed the password on one of my emails, typed it wrong in one input line, so I Ctrl+C'd and Ctrl+V'd it from one input to the other. Still didn't work, so I copied it the other way (I wasn't really thinking, then :)).
It worked, but I couldn't log in to that email for a few days, until I understood that I'd changed my password to
I guess this is software's version of security theater. Make the users feel like the website is secure because there is a javascript running on the login screen to prevent you from pasting, never mind that you can probably not use pass phrases or spaces because the backend was built in 1995. :)
To say nothing about right click - paste... unless they're doing the 1999 thing and blocking right click too (and if they are, hopefully it's with a 1999-tastic alert("Right click not allowed!");).
I would like to write some company that does this and say "control V doesn't work but I can paste the password in using the following methods.... this is a problem because it keeps me from using proper security for passwords on my clipboard. Can you please fix? PS Can I follow up with your PCI auditor directly?"
Their entire site is a really bad example of ASP.NET development. As someone who knows the technology well, it can make great sites. It just rarely does.
I like my T Mobile service but there's something odd with their backend systems and/or customer service. I logged in to disable their "WebGuard" service that seemed to be blocking pages at random. It required address and social security verification, but I couldn't get it to verify my details.
I called, and the customer service agent hopefully told me that my address didn't exist. I live in the middle of New York, and I've never had this issue before. I can't help but wonder what crazy verification system they're using.
Having worked with telcos previously (both OSS/BSS but not TMobile specifically), I can say that I'm not surprised at all.
In fact, I'm pretty amazed that things even work at all. The amount of random connectors and systems is mind boggling.
Some examples: A Tandem system used for nothing BUT ftp from telco switches for call details. Multiple enterprise message buses. Systems with only object files and no source. The list goes on...
Regarding your WebGuard issue, I actually had the same problem (they started blocking imgur!). For me, the actual issue was that the opt-out process does not work for prepaid accounts, but no one at T-Mobile call center knows that. I had to go into a store and show them my ID.
SO is built with MVC, which encourages good development practices. T-Mobile looks to be using Web Forms. I'm sure there are good sites out there that use Web Forms, although as a .NET developer, I've found that Web Forms encourages practices that I consider bad.
I agree. But I hate the crappy abstraction that is Web Forms. It throws so much garbage on top of the HTTP request-response cycle, and so many developers are content to remain ignorant of what's going on underneath or how the Web actually works.
Try using special characters - It will just omit some special characters and save the password with that character omitted. And yes, T-Mobile sent back my password in clear-text, and that's how I know.
I learned this too recently when my password, which starts with a special character, suddenly was being rejected.
Turns out they use a JavaScript validator on passwords, not only at creation, but also when you're logging in (beats me as to why). I found a page on their site that doesn't do the check and I can log in fine there.
Storing the password in plain text is absolutely inexcusable. I'm an idiot and my passwords are stored PBKDF2/SHA512 - not like it's difficult.
I hate when people disable pasting in password fields. Some of my passwords are 50 character random strings stored in 1Password and sometimes I need to copy/paste and cannot do it (ahem, iCloud). I usually end up disabling JavaScript if the page still renders without JavaScript.
Assuming you're on Linux, you can just pipe the input into "xargs xdotool type". Thanks to the keyboard abstraction in X, no program will ever be able to tell that you didn't just type that on a keyboard.
(Though I'm not defending the X keyboard API. Linux input is a nightmare. I especially like the hard-coded list of keys in the kernel, limiting the number of unique keys that any userspace application can address, even though it's perfectly possible to plug in 128 keyboards each with several hundred keys.)
T-Mobile also capitalized my password on me, once. It was fine for a couple years and then one day it stopped working. I got the site to text it to me (why do they even have it in plain text?) and all the letters had been capitalized somehow. (Previously was mixed-case.)
I wonder if it's a bad idea to disclaim that you store passwords in plain text (when you actually use PBKDF2 or something) to trick users into making more secure passwords.
I like to end my passwords with non-alphas like "!" Neither T-Mobile nor AT&T lets me do this for whatever reason. It's incredible how telcos get away with everything from high pricing to shit web code. These are the mistakes of self-taught amateurs, not professionals.
It makes sense to paste your password when logging into an account, but from what I read this is just on the password reset. They probably want people to actually type their new password twice instead of typing it once and then copy/pasting for the second field.
It's not insane, but it does increase the burden on those of us who use password generators. There is NO excuse for the sloppiness of the implementation, however.
If you don't have something like mobile KeePass (or you don't have a current password file; I don't think KeePass for Android can add passwords) or the app prevents you from pasting the password, entering a long complicated password can be difficult. Pasting helps improve the likelihood of long complicated passwords.
This might be a good place to complain about -ed out passwords on mobile phones. It makes it next to impossible to enter a password (yes, the last letter not -ed out for a few seconds only helps a tiny bit). If I'm not copy-pasting from KeePass I'm entering the password in the login field then cut/pasting it.
I think having the last letter visible for a very short time is a good balance. I certainly do not want the password to be visible in clear text. Shoulder surfing is an even bigger issue for mobile devices like phones or tablets -- which you routinely use in public and around strangers -- than it is for laptops or desktops.
I'm not surprised. I got the expiry date of my credit card wrong. It stores it and will not let you change, overwrite or delete it. In the end I just had to top up offline till I could move carrier.
Funny enough, elsewhere in their code, they do explicitly check for Ctrl & V/C.