
Password Manager

matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Password Manager

Please could someone remove the following code from the change password page please? You're preventing those of us that don't like re-using passwords being able to take advantage of password managers

            $(function () {
                $("input[type='password']").on('copy paste cut', function (e) {
                    e.preventDefault();
                })
            });

Some light reading on the subject

25 REPLIES
matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Re: Password Manager

Also, could you make it a bit clearer that & (ampersands) are not allowed characters in the password. Putting a red box around the password field when I've met all of the criteria listed above it is not very helpful. Not off to a great start I'm afraid.

Anonymous
Not applicable

Re: Password Manager

That code is there to prevent the copy and pasting of errors. If you fat finger the password then copy and paste it you'll be left locked out and scratching your head as to why you can't get in. So I wouldn't hold your breath on it being removed; unless you look good in shades of blue that is.

matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Re: Password Manager

I'm afraid it isn't. Browsers haven't let you copy _from_ a password field in years. The only way you could fat finger it is if you'd made a mistake while typing it somewhere you could see (e.g. Notepad) and copied it from there. Granted that could still happen, but that's not a reason to destroy best practices for the rest of us.

Anonymous
Not applicable

Re: Password Manager

I never said anything about copying from a password field.

jaread83
Community Gaffer
Posts: 3,438
Thanks: 2,336
Fixes: 81
Registered: ‎22-02-2016

Re: Password Manager

I didn't work on the mobile site but I imagine this is to stop someone from simply copy/pasting to change the password as it requires manual input into the password and password confirmation inputs?

I guess the main issue here is that you are using a password manager to generate a random password and the code is preventing that?

Frontend Web Developer | www.plus.net

If you have an idea to improve the community, create a new topic on our Community Feedback board to start a discussion about your idea.

matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Re: Password Manager

@Anonymous: True, that was my assumption and I apologise. I was working on the principle that the effort required to open up a new window to type in a password to then paste it twice into a form would probably be equal to or greater than just typing in the password twice so didn't think that was what you were suggesting.

It just seems a strange place to draw the line though as far as security is concerned. Why don't we go one step further and make it so that people can't choose their password and it's just their birthday instead, then no one will forget them at all! It may sound like a ridiculous point but it's basically choosing somewhere on the line between security and convenience, and in my opinion (as well as a lot of security professionals out there) this is slightly too far down that line.

@jaread83: Yes, basically. This restriction doesn't exist on the login page thankfully, so I can use the password manager fine there. I don't actually expect anyone to listen to the first post, as security doesn't seem to get much love at Plusnet (Passwords, more passwords, Email security) but the main piece of frustration for me was that I had to type the (secure and lengthy) password in by hand numerous times with it just giving me a red box around it (with me naturally assuming that I'd fat fingered the password while typing it in twice every time) before realising that the ampersand was not an accepted character.

Anonymous
Not applicable

Re: Password Manager

@matthews - Well I guess that would be down to how lazy the user was, some might see opening an editor, entering their password then copy and pasting it easier than doing it manually as it at least ensures that both are identical (even if wrong) when it needs to be entered twice.

I’m not a mobile user but I understand your frustration as regards the lack of support for C’n’P. I use 1Password on the Mac and it’s worth its weight in gold as trying to remember the generated password is a nightmare.

@jaread83 - Do you think you could get those responsible for this site to remove this restriction?

jaread83
Community Gaffer
Posts: 3,438
Thanks: 2,336
Fixes: 81
Registered: ‎22-02-2016

Re: Password Manager

Having the ampersand as an illegal character for password should definitely be given some attention, that much I am sure about. I will raise an internal ticket about that and it should get passed to the relevant team.

As for the password copy/paste js.. I have done a bit of searching around and it seems to be a universally hated 'security standard' and there doesn't seem to be any kind of guidance on where it started and who first implemented it. Out of everything I read, this is one of the more reasonable arguments for using it that I found:

Ignoring the Security concerns, keeping in mind that the password text is not visible (just asterisks/dots), a couple major UX reasons I can think of are:

  • Depending from where you are copying the password and where you are pasting it, you might end up with messed up clipboard entries (changing text from utf-8, html, richtext, docx, etc or something else).

  • Another common mistake will be copying empty spaces.

The outcome:

  • Frustrated user who cannot understand why his seemingly correct password is not working.
  • People thinking they were 'hacked' and their passwords changed.
  • In situations where only limited attempts are allowed, this can result in the account being locked.

So I am not entirely sure what to do with that, I am sure that the devs had their reasons for including this, maybe part of a security audit or it was requested by someone higher up in the development team... I can't say for sure.

I will ask a few of our security devs about this, maybe we can get this removed but I can't promise anything at this moment as I may get vetoed on it.

Frontend Web Developer | www.plus.net

If you have an idea to improve the community, create a new topic on our Community Feedback board to start a discussion about your idea.
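
An added example, not part of any post in this thread and not Plusnet's code: one way to handle the clipboard concerns quoted above (stray whitespace, characters altered in transit) and the unexplained red box around a rejected ampersand, while leaving paste enabled. The policy values, function names and element ids are assumptions.

```javascript
// Added example: report what is wrong with a pasted password instead of
// blocking the paste. Names, policy values and element ids are hypothetical.
const POLICY = { minLength: 12, disallowed: "&" }; // "&" is the case from the thread

// Characters a clipboard can carry that a masked field will never show.
const INVISIBLE = /[\u0000-\u001F\u007F\u200B-\u200D\u2060]/;

function inspectPassword(value, policy = POLICY) {
  const problems = [];
  if (value !== value.trim()) {
    problems.push("starts or ends with whitespace");
  }
  if (INVISIBLE.test(value.trim())) {
    problems.push("contains an invisible or control character");
  }
  if (value !== value.normalize("NFC")) {
    problems.push("is not in normalized (NFC) form");
  }
  // Name the rejected characters so the user is not left guessing.
  const rejected = [...new Set([...value])].filter((ch) => policy.disallowed.includes(ch));
  if (rejected.length > 0) {
    problems.push("contains a character that is not accepted: " + rejected.join(" "));
  }
  if ([...value].length < policy.minLength) {
    problems.push("is shorter than " + policy.minLength + " characters");
  }
  return problems;
}

function checkPasswordChange(password, confirmation, policy = POLICY) {
  const problems = inspectPassword(password, policy);
  if (password !== confirmation) {
    problems.push("does not match the confirmation field");
  }
  return { ok: problems.length === 0, problems };
}

// Browser wiring: paste is left alone; feedback is refreshed on every change.
if (typeof document !== "undefined") {
  const pw = document.getElementById("new-password");          // hypothetical id
  const confirm = document.getElementById("confirm-password"); // hypothetical id
  const out = document.getElementById("password-feedback");    // hypothetical id
  const update = () => {
    const { problems } = checkPasswordChange(pw.value, confirm.value);
    out.textContent = problems.map((p) => "Password " + p).join("; ");
  };
  [pw, confirm].forEach((el) => el.addEventListener("input", update));
}
```

The `input` event fires for typed, pasted and manager-filled values alike, so the same feedback covers all three entry paths.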

jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Password Manager

I very rarely type passwords either when creating them or logging in as I use a password manager. When creating a password I adopt the following procedure:

  1. Generate the new password using KeePass and make it temporarily viewable in there
  2. Copy/paste the password to the website's first box.
  3. Save the new password in KeePass and save the KeePass file.
  4. Use the double click on the password in KeePass to copy the password to the clipboard (KeePass automatically removes it from the clipboard after 15 seconds)
  5. Paste it in to the second password box on the website.

As typical passwords I use look like these:

QNqvFkg8A@RFevy@mwxY
/6,^P7LT?#0_l!XGVe|0
WCu^gyuvUb0Wx;b;'CV:

 there is no way I am going to try keying something like that twice when setting the password. Plus to be able to key them I have to resize the browser and KeePass windows so I can see both at the same time.

Websites that block copy/paste make me use simpler passwords that I am more likely to be able to key correctly twice. And if the website stops KeePass being used to enter the password when logging in that guarantees I will use a shorter easier to key (and hence less secure) password.

Plusnet: is it your intention to push those of us that take setting secure passwords seriously in to using less secure passwords on your site?

jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Password Manager

@jaread83

How about a tick box "I am using a password manager" that enables the copy paste?

People who don't understand the question are likely to leave it unticked, those that do understand will tick it.

And it might encourage some that don't understand to find out what it is about and start using one which can only be a good thing!

Mav
Moderator
Posts: 22,369
Thanks: 4,725
Fixes: 514
Registered: ‎06-04-2007

Re: Password Manager

I create my own secure passwords always with a mixture of upper/lower case, numbers and special characters. I take security seriously but would rather rely on my own memory than use a password manager but that is just a personal choice.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Password Manager

Are your passwords like words with characters replaced with numbers and special characters so you can remember them, or are they totally random like the samples I posted?

Mav
Moderator
Posts: 22,369
Thanks: 4,725
Fixes: 514
Registered: ‎06-04-2007

Re: Password Manager

They are usually based on words in SWMBO's native language. Except for some basic forum access going back years where none of my real details are held anyway.


matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Re: Password Manager

Had to look up SWMBO. Like it :)