Uninformed Companies Block Password Pasting, Why?

Companies Cripple User-Interface by Blocking Paste for Passwords

Learn about a disturbing new trend that is crippling user-interfaces and endangering users by preventing password pasting.

Episode #10-46 released on July 5, 2020

Watch on Youtube
Download MP3 Audio

There is a new trend online that will be changing password protection for the worse. The grand majority of password vaults use a fundamental feature of every operating system, the paste function. The issue is that there are many websites who have decided to adopt code that prevents password vaults from being as intend, and it, also, means that those of you who have a text file with passwords, you will, also, be affected.

What does this mean for you as a user?

This means you will have to manually compose your username and password into websites that deploy code made specifically to prevent copy paste functionality. It may mean that a portion of you will seek simpler and shorter passwords, presuming they do protect their databases, it still means your account will be more vulnerable.

What if they use 2FA to protect your account?

Two factor authentication can further protect an account; yes, however, many mobile operating systems allow for copy paste function for 2FA. In the case of 2FA by text message, it still relies on automated copy paste functionality, meaning that there is still more work on the part of the user to access the website or application.

What are some of the reasons to block paste functionality given by companies?

Some companies justify blocking password pasting because they believe it blocks brute force attacks, the it allows users to remember the password, or even that passwords will remain in the clipboard.

Let us take apart the claims starting with password brute forcing via the paste function. Sure, it is possible for automated code to paste an entire series of passwords into a website in an attempt to access your account. It is, also, true that the paste function is not required for such a brute force method and virtual keyboard can be used to bypass this method allowing the program to type each password quickly and in succession. There is a solution to this, and many websites, including my own deploy this, it is a wrong password policy. My website and many others block access for a certain amount of time when the wrong password has been entered too many times into the website.

The second claim is memory, why should I remember every password I use online? What is the point? Many of the websites that deploy this code are seldomly used and therefore a password manager or text file with the username and password make more sense to have. After all, if I can remember my passwords, it means one of two things, that I either have few accounts on the Internet, or I have very few unique passwords.

The last complaint of some of these companies is that passwords remain in the clipboard. LastPass has a feature that removes the password from the clipboard after a set amount of time.

Every reason a company can give you to block password pasting is invalid. More diversity in passwords is safer for all users and websites. Why? Because if every user has a unique password on every website, it means that when one service is hacked, your other accounts are still safe. However, a user who has less password diversity is likely more at risk.

And, there is one more important note we need to talk about, accessibility, the more we restrict what a user can do on a website, the fewer users can actually use our websites. A visually impaired user my not be able to see the password box and actually depend on applications to use the website. This is the reason why my websites rely on AI and not captcha, because Captcha and other function blocking code place undue burden on those users who are blind to any degree, physically disabled, etc.

This kind of action against the user violates an especially important notion, no website should be deciding what you can or cannot do on their device while accessing your website. This means that any website blocking access to their service because you will not allow privacy invading cookies, advertisements, or restricts basic and common functions are not user friendly. The entire point of a user interface is to be user friendly.

Now, my suggestion for companies is to make a website usable to users who are either blind, deaf, or physically disabled by coding for someone who meets all three possible scenarios at the same time. If someone who is blind, deaf, and physically disabled cannot use your website, then your user interface is not user friendly for anyone.

Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net

Sources & Resources

Community Comments

Share your thoughts, opinions and suggestions

Login or Register to post Your comment.