Websites, Please Stop Blocking Password Managers

Megalith

Don't you hate when you've generated a nice, lengthy 256-bit password for a website but it won't let you paste it in?

Here's the problem: Some sites won't let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.
 
I agree with this, though I haven't seen it too much, only on one or two sites personally. Another thing is the silly password restrictions. Some sites don't like special characters, or a much bigger problem, they limit their passwords to 12 or 16 characters. I'd like to see an end to that as well.
 
I agree with this, though I haven't seen it too much, only on one or two sites personally. Another thing is the silly password restrictions. Some sites don't like special characters, or a much bigger problem, they limit their passwords to 12 or 16 characters. I'd like to see an end to that as well.

Same here... My biggest gripe is sites that require short passwords and/or don't allow special characters.

Have seen some sites limited to 8 characters...
 
I see this garbage frequently on bank and health care related websites, arguably two of the most important places to want people to have unique strong passwords.
 
"Your password needs to be 10 characters long and requires special characters but you can't use @#$%^&*()_+-=[]\{}|;':",./<>?" "So you only can use exclamation mark?"

Makes me wonder who the morons are that come up with these policies.
 
Password managers always struck me as a bad idea. I can't think of anything worse than depending on some shoddy program to do what I prolly should be doing with my brrrraaaaains (sorry forum zombies, I can't resist).
 
Not being able to paste is a minor issue for me. Only come across one that is like this. PayPal.

What is really annoying are sites that do not state password length MAXIMUM.

EX:
1) Make long ass password. 1Password will make them up to 64 characters.
2) Paste password in password box. Password box replaces the password with dots. But the field only really shows like 15 of the 64 dots.
3) Submit password. Submitted with no errors.
4) Try password. INVALID!
5) WTF?!?

What happened was the site only accepts, let's say, 32-character passwords. Thing is, it says this NOWHERE. Nor does the submission error out. It just crops it to whatever length they accept and sends that. You have no idea how long it is. Now you have to paste it in, try and count the dots (if you can) to find out how long they will accept, and resubmit and save that password.

Some sites will list the max length somewhere near the password field. Or error out when you try and submit and tell you what the max is.
 
That's one of the reasons I like KeePass. It "types" the password in (when using Auto Type) vs copy/paste. So you can still have your strong randomly generated passwords, even on the sites that don't allow pasting.
 
Since moving to a Password Manager (PassPack) roughly a year ago, I ran into this very issue more often than not. The ironic thing is that ALL of my least damaging accounts had no problem with long, random, and complex passwords. The biggest failures were major companies!

Hotmail limits you to 16 characters. I looked into it and basically sounded like Microsoft "supposedly" does some voodoo magic on their end to augment all max length pas.......I'm going to stop feeding that bullshit because it was simply a way for news publications to leave them alone. Nobody was really buying their excuse.

My very own credit union force limits the same 16 character limit. I don't know why this seems to be the hard limit when there is one to begin with. I'm guessing due to it being two bytes long it has something to do with software/database code capability issues or what not. For big organizations doing something trivial can be an overhaul, but really how can you preach good passwords to your users and offer not even a 64 character limit? I'm not going to say a good random 16 character password is easily hackable vs a 20+ one, but people would feel more comfortable and if it can be done the idea is: why not?

The real issue with these limited password lengths actually has nothing to do with Password Managers. The issue is with the MASS MAJORITY who do NOT use password managers and are now fundamentally limited on the randomness of their password so that they can remember it. It preaches bad password habits to fit within a very small window. So they may come up with a password, but it's over 16. They change it so that it fits within the requirements, but now the password is less secure and also under 16 characters. It's very hard to come up with a good password that's 16 characters and difficult to attack without being random.
 
My online mortgage access requires me to click on a phone pad to enter a number to log in.
 
Password managers always struck me as a bad idea. I can't think of anything worse than depending on some shoddy program to do what I prolly should be doing with my brrrraaaaains (sorry forum zombies, I can't resist).

I've been happy with mine, lastpass. Sure beats that excel spreadsheet.
 
Now that I think about it, the one reason to block pasting is during password creation confirmation. If someone thinks they typed one thing but really typed another (had caps lock on or something) and copied and pasted the wrong entry from the masked version of the first entry, it defeats the value of confirmation.
 
This isn't a no deal for me

I for one can't fucking stand when I type in a 12+ character password, and then it tells me it's "Insecure" because I used common words with improper punctuation and in a way that makes zero sense to a password cracker
 
Same here... My biggest gripe is sites that require short passwords and/or don't allow special characters.

Have seen some sites limited to 8 characters...
I've seen bank websites that didn't allow special characters. :confused: Wouldn't you think they'd want you to use as much character variety as possible?
 
If you store your password as a SHA hash, then it should be irrelevant how long your password is, what characters are allowed, spaces, and so on. It turns it into a hash such as 9d6a4efcec1a4f7399acb1f8d25fbd5be8f9ae8bb77ae875530e561516479270 which should be acceptable by any DB. Of course, you should salt the hash, encrypt it, etc, to avoid the rainbow tables.

Financial, health care, mail accounts (because of password resets), and shopping sites (financial) should allow the strongest passwords and use two-factor authentication. Yet, who ends up allowing 64-character passwords? Often, it's the hobbyist forums. :(
 
I see this garbage frequently on bank and health care related websites, arguably two of the most important places to want people to have unique strong passwords.

And 2 of the arguably worst places to get hacked.

The reason why they don't allow password managers to auto fill in is because of script kiddie tools that do exactly that, only on a larger scale.

Not only that, all bank and health care sites have strict federal regs they have to abide by.

All that being said, there are better ways to prevent break than this.
 
PSA, all our credit card accounts at Chase Bank (chaseonline.chase.com) don't respect capitalization in the passwords.... they all get converted to upper or lower case for validation.

I tried to get Amazon to lean on them (since the Amazon credit card is Chase-backed) but that has gone nowhere for years.
 
What banks, etc need to implement is 2-factor authentication. Where is my USB token, extra-large-bank-that-probably-can-pay-for-the-token-with-one-overdraft-fee?
 
PSA, all our credit card accounts at Chase Bank (chaseonline.chase.com) don't respect capitalization in the passwords.... they all get converted to upper or lower case for validation.

I tried to get Amazon to lean on them (since the Amazon credit card is Chase-backed) but that has gone nowhere for years.
Wow, that's an interesting thing to know. I've been with them for a short while and the points have always been great as has CS but they've been making weird choices with stuff. Like why the hell did they do away with the temp credit card?
 
I've been happy with mine, lastpass. Sure beats that excel spreadsheet.

I've been using LastPass for 2 years. Managers are a good compromise between perfect security (where you memorize a unique and cryptographically secure password for every account) and normal security (where you memorize variations of a few passwords). Every site has a complex and unique password, but you have the password manager as your weak link. If LastPass is ever even slightly compromised I change all my passwords; that's happened twice in the 2 years. Neither time were they actually fully compromised but I don't take chances.
 
This is a fairly topical subject (to me anyways).

What password managers would people here recommend? This is one topic I don't want to just google up a solution for as you never know if that website is legit or not.

Thanks!
 
This is a fairly topical subject (to me anyways).

What password managers would people here recommend? This is one topic I don't want to just google up a solution for as you never know if that website is legit or not.

Thanks!

LastPass is my favorite. Well known and trusted. It stores passwords in the cloud, but they are encrypted locally by your password with AES256 before being uploaded so it should be secure. It automatically stores passwords when you enter them, has a secure password generator, etc.
 
Password managers always struck me as a bad idea. I can't think of anything worse than depending on some shoddy program to do what I prolly should be doing with my brrrraaaaains (sorry forum zombies, I can't resist).

Password managers are a brilliant idea. They stay encrypted on your machine and using them prevents any keyboard action that can be picked up by keyloggers.
 
Password managers are a brilliant idea. They stay encrypted on your machine and using them prevents any keyboard action that can be picked up by keyloggers.

That's a good point, but I'd be concerned about the security of the password manager. Like any other piece of software that becomes commonplace enough, people who swear by the security of it may end up dealing with a compromise.
 
I've been using LastPass for 2 years. Managers are a good compromise between perfect security (where you memorize a unique and cryptographically secure password for every account) and normal security (where you memorize variations of a few passwords). Every site has a complex and unique password, but you have the password manager as your weak link. If LastPass is ever even slightly compromised I change all my passwords; that's happened twice in the 2 years. Neither time were they actually fully compromised but I don't take chances.

Same, been using them for years. The two times I remember anything happening, they sent out an email and I received a prompt about what happened, in both cases no passwords were even accessed, and even if they were, they are all encrypted and lastpass also has the option for 2-step with a physical key, which is nice. Also, the account is only as weak as my master password, which being that I only have to remember one, means it is FAR better than what I would end up using for the 100's of accounts I would have to remember passwords for.

I also agree 100% with the others on sites limiting you on how long or what you can use in a password, I have seen places that limited you to 6, and it did not allow any special characters.
 
This is a good thing, not sure how it is secure having password managers manage all of your bank, email and work accounts. Why crack 20 passwords when you can crack the master? Also the "moving" of the password from one app to the other possibly that process could also be cracked. Lastly if the user doesn't lock their workstation often these apps will auto-authenticate to sites requiring passwords making it easier for a hacker.
 
Wow, that's an interesting thing to know. I've been with them for a short while and the points have always been great as has CS but they've been making weird choices with stuff. Like why the hell did they do away with the temp credit card?

Chase for a few years let you just know the first 8 or 10 chars of a password. I believe it's fixed but if your pass was blahblahBLAHBLAH10101010 you could login with just blahblahBL.

Their website is a PIA.
 
PSA, all our credit card accounts at Chase Bank (chaseonline.chase.com) don't respect capitalization in the passwords.... they all get converted to upper or lower case for validation.

I tried to get Amazon to lean on them (since the Amazon credit card is Chase-backed) but that has gone nowhere for years.

That would be quite hypocritical of them.

"The flaw lets Amazon accept as valid some passwords that have extra characters added on after the 8th character, and also makes the password case-insensitive."

http://www.wired.com/2011/01/amazon-password-problem/
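The thread describes three distinct verifier defects: the signup form that silently crops a 64-character password to 32 and then rejects it at login, the Chase PSA about case being folded before comparison, and the quoted Wired description of Amazon matching only the first 8 characters. The SHA-hash post earlier in the thread gives the fix: once the password is salted and hashed, its length and character set stop mattering and the stored field has a fixed width. The example below is added here and is not code from any of the sites or products named; all three "sites" are constructed in-memory models, the 64-character password is constructed, and the PBKDF2 work factor is an assumption. The audit function registers one long, mixed-case password and probes the verifier for each defect, so it can be pointed at any register/verify pair.

```python
"""Added example (constructed, not any real site's code): probe a password
verifier for silent truncation, prefix-only matching and case folding, and
contrast it with salted PBKDF2 storage where input length no longer matters."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example only

# Constructed 64-character password with symbols and mixed case.
LONG = "Tr0ub4dor&3-" * 5 + "xyz!"


class CroppingSite:
    """Models the signup form that crops long input to a hidden maximum
    (the thread's 32-character example) while login compares the full string."""
    MAXLEN = 32

    def __init__(self):
        self.db = {}

    def register(self, user, password):
        self.db[user] = password[: self.MAXLEN]  # cropped, no error shown

    def verify(self, user, password):
        return self.db.get(user) == password


class LegacySite:
    """Models the quoted Wired description: only the first 8 characters are
    compared and case is ignored."""

    def __init__(self):
        self.db = {}

    @staticmethod
    def _norm(password):
        return password[:8].lower()

    def register(self, user, password):
        self.db[user] = self._norm(password)

    def verify(self, user, password):
        return self.db.get(user) == self._norm(password)


class HashedSite:
    """Stores a per-user random salt plus a PBKDF2-SHA256 digest. Any length
    or character set is accepted and the stored digest is always 32 bytes."""

    def __init__(self):
        self.db = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        record = self.db.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)


def audit(site):
    """Register LONG for one user and probe the verifier. Returns a list of
    findings; an empty list means every probe behaved correctly."""
    findings = []
    site.register("alice", LONG)
    if not site.verify("alice", LONG):
        findings.append("rejects at login the password accepted at signup (silent truncation)")
    if site.verify("alice", LONG + "Z"):
        findings.append("accepts extra trailing characters (prefix-only comparison)")
    if site.verify("alice", LONG.swapcase()):
        findings.append("accepts wrong-case password (case-insensitive comparison)")
    if site.verify("alice", "wrong"):
        findings.append("accepts an unrelated password")
    return findings


def stored_width(site, password):
    """Number of bytes the site stores for a given password."""
    site.register("bob", password)
    record = site.db["bob"]
    return len(record[1]) if isinstance(record, tuple) else len(record)


if __name__ == "__main__":
    for cls in (CroppingSite, LegacySite, HashedSite):
        print(cls.__name__, audit(cls()) or "no findings")
    print("hashed width, 8-char vs 64-char input:",
          stored_width(HashedSite(), "short!!!"), stored_width(HashedSite(), LONG))
```

Running it reports one finding for the cropping model (the password accepted at signup fails at login), two for the legacy model (trailing characters and case changes both pass), and none for the hashed model, whose stored digest is 32 bytes whether the input was 8 or 64 characters. The same four probes can be run against a staging copy of a real login flow to catch these defects before users do.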
 
This is a good thing, not sure how it is secure having password managers manage all of your bank, email and work accounts. Why crack 20 passwords when you can crack the master? Also the "moving" of the password from one app to the other possibly that process could also be cracked. Lastly if the user doesn't lock their workstation often these apps will auto-authenticate to sites requiring passwords making it easier for a hacker.

Having the program paste into the site can be better than a person typing because of key loggers, sure, something could catch that paste and get the info, but if the local machine is already infected, chances are it has a key logger anyway, so remembering and typing it in did nothing to keep you safe.

The problem with cracking that "one" password is that most of the well know managers make their living off these programs and as such have much better security than most websites, and are very hard to crack with the kind of encryption used. Most people going after passwords are going to go for low hanging fruit, unless you are a specific target. in which case they will probably get what they want no matter what. They are not going to spend the time and effort to crack your salted and encrypted master password when there are much easier mass targets.
 
LastPass is my favorite. Well known and trusted. It stores passwords in the cloud, but they are encrypted locally by your password with AES256 before being uploaded so it should be secure. It automatically stores passwords when you enter them, has a secure password generator, etc.

Didn't LastPass get hacked not too long ago and all master passwords were posted?
 
I'm always surprised when I find I can copy-paste passwords. Seems like they would've locked that shit down years ago...
 
Didn't LastPass get hacked not too long ago and all master passwords were posted?

And this is why people get misinformation...

No, they were not. LastPass does not even keep master passwords. This is from that attack you are talking about:

"Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers."
 
I use Linux and LastPass. If someone manages to install something that reads my clipboard, they have earned it. They would have to find an exploit on a Linux browser and have it install properly on my distro. I am more worried about the threat from falling coconuts than that.

Anything that isn't random is vulnerable to brute force. Any password you use on more than one website multiplies the risk. Password cracking is a lot more sophisticated than aaaaaaaa, aaaaaaab, aaaaaaac. There are dozens of special dictionaries that they use: leet speak, common passwords, stolen passwords, commonly used words with spaces between them, common words plus numbers.
 
I'm always surprised when I find I can copy-paste passwords. Seems like they would've locked that shit down years ago...

Why? So you have to type out "PYe5zwml7Nhqk3Mzas5aMR3Pymc9ixdVdc9gfdl546aMbnFH8jau7sxVqJFFUYPic" by hand?
 