dalton
  Apparently Paypal won't let users paste in a new password generated by a password manager... their policy is to use javascript validation to *force users to type in their password*. WTF? — photos.app.net/2806873/1
scottjal
  @jaison @dalton @1password well that right there sucks. Hope that doesn't catch on anywhere else.
dalton
  @jaison @1password @scottjal unless I am missing something, this is unbelievably dumb on Paypal’s part. Has this been discussed somewhere in the security community before?
dalton
  @sethde I already closed that window, but I am sure it would just work.
dalton
  @zero do these companies just not want people to use password managers? Do they really think they will be able to make up good passwords that they have to manually type in everywhere?
thomasbrand
  @dalton @zero it doesn’t matter. Most banks only recognize the first eight characters anyway.
barmstrong
  @dalton I wonder if Bruce Schneier has weighed in on this.
scottjal
  @dalton @jaison @1password I don't even understand what it protects you against. That sort of thing only leads to less secure passwords.
dalton
  @morgannels I had to in order to purchase something
lomifeh
  @dalton I hate that crap when I encounter it. I guess they don’t realize things like key loggers exist.
pictor
  @dalton huh? I use a password manager all the time. If this is a change, I will abandon Paypal instantly. I can’t remember my password, and have no intention of manually typing it.
dalton
  @pictor this seems to be the standard change password form...
daytonlowell
  @dalton @zero Apple does it too on the developer portal (and maybe other places?). Super annoying.
scottjal
  @nerd simple doesn't replace PayPal any more than any other bank with debit card.
tofias
  @dalton I can only assume they'd rather us use "1Password" instead of @1password.
jnm
  @dalton I wonder if Amazon isn't doing something similar with their Android app. It makes me log back in periodically, and won't allow pasting of credentials. Seems like a step backward in terms of security.
1password
  @dalton My desktop browser extensions and built-in mobile browser fill Logins *and* Generated Passwords directly. No copy. No paste. No problem. ;) /cc @scottjal @jaison @sethde @zero @thomasbrand @morgannels @barmstrong
scottjal
  @nerd oh my, I didn't realize anyone used the PayPal card. Omega.
mrgan
  @dalton Ugh, our bank also used this "security feature". For every good bit of JS validation, someone invents a monstrosity…
scottjal
  @jnm the amazon app on Android does that to you? Version 2.2.5 doesn't seem to be doing that to me and appears to be up to date.
ryancummins
  @nerd Simple doesn’t really replace Paypal, just the card. I still don’t really see the benefit of Simple. I see a bunch of inconveniences with a minimal benefit.
dalton
  @mrgan I’m trying to think this through: Is this a programmer with weird ideas that just checks this crap in? Or did this go through product design/security team etc? It feels like the former, but that seems really scary for a company as big as paypal.
franksting
  @dalton looks like @1Password browser extension isn't blocked. If that happened...well I don't care anyway, I abandoned Paypal years ago for keeping our money for 6 months for no good reason
bradyv
  @dalton Apple does the same thing with the dev center..
scottjal
  @nerd omega. check messages.
ryancummins
  @dalton It seems like they don’t have a very well thought out security review process. I bet a few committees thought this was a great idea. Great ideas frequently fall on their face. This fell hard.
fields
  @dalton @mrgan My guess would be they identified some piece of windows malware that sniffed the clipboard for paypal passwords, and they responded by disabling that for everybody.
buh
  @dalton I’m very ready to move past passwords.
jnm
  @scottjal Yep. Has done it to me three or four times now. Up to date, too. It's weird: Apps I got through Amazon will occasionally require me to log in to Amazon before they'll load (piracy check?), and that's when it does it.
mikebeas
  @dalton weird, I've had no issue using @1password there.
fields
  @buh @dalton I’d be happy for sites to identify me with some sort of clever pun test.
dalton
  @charsplat OK, but here is the problem: I can copy/paste to login. This “feature” only happens on the change password form. I bet a lot more login actions happen per day vs change pw. @fields
epogue
  @dalton I ran into that the other day. Worst security "feature" I've ever encountered.
scottjal
  @jnm oh that could be, I haven't gotten any apps through amazon. Only the play store for me.
dalton
  @mikebeas it works fine on login, but not change password. at least for me
mikebeas
  @dalton I dunno. I just recently changed my password there but I think it's been a few weeks
nickdawson
  @mikebeas @dalton I’m a huge lastpass fan, which has bookmarklets and apps for iOS and Android. There’s also a feature to scan for compromised passwords, but it requires letting them decrypt your blob, I’m not quite that trusting.
jnm
  @scottjal I've got a huge pile of their freebies from app of the day sales.
scottjal
  @jnm but on the amazon app itself maybe try the play store version? Free to try anyway.
robcee
  @dalton and they call it security. Yeah, I trust them with my money.
stevestreza
  @dalton For years my dad had a text file on his desktop that he copy/pasted passwords into. (of course then I showed him 1password, but still)
dalton
  @stevestreza sounds like he was ahead of his time, no joke. It’s better than writing it on a post-it note
stevestreza
  @dalton Not when his password was a four-letter swear word representing how much he hated passwords. ;)
wildpeaks
  @dalton Sounds like something far-fetched their legal department would come up with to cover their ass in case users rely on a third party to store their passwords which might get compromised, so they can blame the user for any breach of password secrecy.
cbee
  @stevestreza @dalton Someone needs to come up with something far better than passwords for logins, etc. Have a slew of clients who can’t even deal with 1Password.
dalton
  @wildpeaks you know, that is the best theory I have heard so far.
bradyv
  @reply @dalton Really? It never works when I try.
ca
  @nerd I got one but you have to be 18 or older. They ask for your SSN and everything, so it's hard to get around. @dalton
kevinhoctor
  @dalton Just when I thought I couldn’t hate PayPal more.
barmstrong
  @dalton It sounds pretty much like something direct out of BOFH.
phil
  @fields your hypothesis makes sense, but if you can't trust the pasteboard, you can't trust the keyboard either -- shouldn't be any harder to keylog than to spy on the pasteboard, right?
fields
  @phil I have a new hypothesis. Phishing sites would want to make it as easy as possible for you to enter your information, so it’s a security feature that lets you recognize the real paypal by making life difficult. @dalton
donnywdavis
  @dalton I've run across other sites that have done that as well. It can be really frustrating.
phil
  @fields @dalton "this must be the real site! Who else could be so stupid?!"
jnm
  @scottjal The Appstore app itself works fine, but the apps I bought from there load the Amazon app's login dialog, not their own.
ca
  @reply Yep. They're based out of here in Portland. I should ask someone who works there. @nerd
dalton
  @donnywdavis it just doesn’t seem like a good policy from any perspective
irc
  @dalton wow. Copy and paste is actually more secure. Can’t be snooped with a listening device. PayPal is cracked.
bmike
  @dalton I wonder if enough people asked PayPal to indemnify them for inducing people to choose short, typeable passwords by foiling automation tools that allow for longer passwords, a lightbulb would finally go off?
donnywdavis
  @dalton I agree. All it does in my opinion is make people choose less secure passwords b/c they don't want to type out the cryptic password generated by the password manager. That's what the password manager is for after all.
mskblackbelt
  @dalton I ran into that yesterday while trying to change my password using @1password! Seems like a ridiculous safety measure, makes me wonder why I still have that account…
paulkruczynski
  @dalton all the more reason to support Dwolla!
dwineman
  @dalton My guess is they don't want you to mistype your password, then copy and paste the mistake into the verify field. But a better solution would be to require manual input only in the second field, and only when the first field was manually typed.
nhk
  @dalton someone has to give keyloggers some work to do
cwd
  @dalton you know it’s a bad sign when users are willing to open dev tools and write their own JavaScript to overcome shitty ux! // @fields @mrgan
dogriffiths
  @dalton I got stung by this the other day. I believe they also limit it to 20 characters.
hawkrives
  @dalton @jaison @1password @scottjal It’s probably aimed towards keeping you from copy/pasting a mistyped password into the password validation field. That’s how I’ve always seen it, at least.
thedaveca
  @dalton Paypal is just trying to make sure people use insecure, easily remembered passwords. Makes sense. It’s the same reason they require a 4-6 digit pin on mobile vs allowing a strong password with two-factor authentication.
jussipekonen
  @dalton Moreover, they limit the maximum length of the password. I want to use my random-generated 50 characters long password! :-)
warzabidul
  @jussipekonen Would fifty characters be enough? @dalton
davidmarsh
  @dalton @zero it might be a misguided attempt to stop automated attacks or Trojans?
davidmarsh
  @dalton @charsplat @fields maybe they have had issues with people not knowing what was in their clipboard when changing their password? Note, this has never happened to me, nope. *whistles*
jussipekonen
  @warza Probably not. (Am I paranoid? No…) // @dalton
warzabidul
  @jussipekonen Patient seems more accurate than paranoid. @dalton
boennemann
  @dalton Use Web-Inspector to paste the password as a value attribute. At least faster than typing…
levifig
  @dalton Ran into that problem the other day when using @1password! It was beyond puzzling/frustrating… o_O
claushoefele
  @dalton Nothing to do with security, but the fact that you know what password you entered when typing it in
zacbir
  @dwineman better solution is to stop using password bullets.
jamie
  @nerd pm me your email and I'll send you a simple invite.
jamie
  @trine Sure! Just PM me your email.
federivo
  @dalton it seems to me that they are trying to solve a technical problem (authentication) by breaking users' natural processes. No UX analysis at all.
dalton
  @scientifics I have used a system like that before. It’s to defeat key loggers, right?
dalton
  @claushoefele I suppose, but it sure seems like a bad tradeoff to make
dalton
  @dwineman If they actually made this decision rationally, that would imply the # of support tickets they get per day from people doing that far outweigh people that use password managers complaining, right? Weird to think about
                                                                                                                                                                                                                              dalton
                                                                                                                                                                                                                                @paulkruczynski I use paypal as infrequently as possible :)
                                                                                                                                                                                                                                  [Post deleted]
                                                                                                                                                                                                                                  dwineman
                                                                                                                                                                                                                                    @dalton I’m sure the percentage of people who use password managers is vanishingly small. That’s no excuse for a financial company to encourage weak passwords, though.
                                                                                                                                                                                                                                    paulkruczynski
                                                                                                                                                                                                                                      @dalton Me too. I know you’re using Stripe (which is great, and I’ve also used), but you should take a look at them anyway _ https://www.dwolla.com _ I think it’s a worthwhile venture.
                                                                                                                                                                                                                                      gikiski
                                                                                                                                                                                                                                        @dalton twitter also for the old password.
                                                                                                                                                                                                                                        gtc
                                                                                                                                                                                                                                          @mrgan @dalton @1password I think Apple ID management page has this same inanity. Haven’t found a workaround.
                                                                                                                                                                                                                                          1password
                                                                                                                                                                                                                                            @gtc Ugh. ADN conversation view. Those links probably weren’t very helpful. Wish I could actually link directly to specific posts. They are only highlighted if you scroll through the entire conversation. What I meant to say was…
                                                                                                                                                                                                                                            1password
                                                                                                                                                                                                                                              @gtc My desktop browser extensions and built-in mobile browser fill Logins *and* Generated Passwords directly. No copy. No paste. No problem. ;)
                                                                                                                                                                                                                                              mrgan
                                                                                                                                                                                                                                                @gtc @dalton @1password One more: Bank of America won’t let you paste *account and routing numbers* when setting up transactions. What the heck is the security risk here?
                                                                                                                                                                                                                                                1password
                                                                                                                                                                                                                                                  @mrgan @gtc @dalton No security risk. It’s just off off off Broadway security theater performed by untrained rats. Highlight text, drag, and drop usually still works, though.
                                                                                                                                                                                                                                                  dalton
                                                                                                                                                                                                                                                    @1password @mrgan @gtc this seems like one of those anti-patterns in software design that someone prominent needs to write a blogpost about (that shows screenshots and names names) for anything to happen
                                                                                                                                                                                                                                                      [Post deleted]
                                                                                                                                                                                                                                                      anondson
                                                                                                                                                                                                                                                        @mrgan @gtc @dalton @1password It’s like the banks haven’t ever heard of keyloggers being a security risk. #smh
                                                                                                                                                                                                                                                        levifig
                                                                                                                                                                                                                                                          @1password @gtc Agree: conversation view is still the worst part of ADN (loving the rest)… I find myself using Twitter more than ADN for that reason alone! :X /cc @dalton @berg
                                                                                                                                                                                                                                                          berg
                                                                                                                                                                                                                                                            @levifig @1password fyi, I just complained at @voidfiles for like 5 minutes straight about some very simple fixes we could make, and I think we'll end up doing at least a slightly better job w/ deep links to a specific post in the very short term...
                                                                                                                                                                                                                                                            1password
                                                                                                                                                                                                                                                              @berg Great news! Looking forward to it. Thanks. :)
                                                                                                                                                                                                                                                              levifig
                                                                                                                                                                                                                                                                @berg I’m sorry for @voidfiles but I’m happy for everyone else… :> hehe <3
                                                                                                                                                                                                                                                                franksting
                                                                                                                                                                                                                                                                  @scientifics @dalton What if you are using a browser which prevents screen scrapers as well as keyloggers from running?
                                                                                                                                                                                                                                                                  palimondo
                                                                                                                                                                                                                                                                    @mrgan @gtc @dalton @1password Securing a resource usually decreasing convenience. Security by mimicry: Let’s make it REALLY inconvenient to use—it will be safe for sure!
                                                                                                                                                                                                                                                                    steveriggins
                                                                                                                                                                                                                                                                      @dalton my bank does this also. Is there pasteboard malware for Windows, or just a general security rule they think is safer? Now keyboard malware is happy :)
                                                                                                                                                                                                                                                                      steveriggins
                                                                                                                                                                                                                                                                        @stevestreza @dalton lol I had to correct my mother’s poor password habits.
                                                                                                                                                                                                                                                                        gadgetgav
                                                                                                                                                                                                                                                                          @mrgan That ranks up there with not revealing password rules until the first password fails in stupid login programming.
                                                                                                                                                                                                                                                                          dalton
                                                                                                                                                                                                                                                                            @franksting this just seems like “security theatre” @scientifics
                                                                                                                                                                                                                                                                            franksting
                                                                                                                                                                                                                                                                              @dalton @scientifics it’s all about the illusion of security, providing assurance to the end user after all!
                                                                                                                                                                                                                                                                              bcb
                                                                                                                                                                                                                                                                                @dalton @franksting @scientifics At this point anything that uses a password over the network is more or less security theater. But all the real solutions are expensive, have drastic usability problems and don't scale well.
                                                                                                                                                                                                                                                                                franksting
                                                                                                                                                                                                                                                                                  @bcb @dalton @scientifics exactly. Which is why those who build for home users, as I do, need to stop trying to build software like we’re trying to protect the enterprise and instead focus on guiding user behaviours
                                                                                                                                                                                                                                                                                  hrbrmstr
                                                                                                                                                                                                                                                                                    @franksting @bcb @dalton @scientifics passwords are pretty much security theater. reuse; poor app security controls; poor passed db controls; poor/no SSL config; we all need to respect & protect privacy more.