One of the things people often tweet to us @ncsc are examples of websites which prevent you pasting in a password. Why do websites do this? The debate has raged - with most commentators raging how annoying it is.
So why do organisations do this? Often no reason is given, but when one is, that reason is 'security'. The NCSC don't think the reasons add up. We think that stopping password pasting (or SPP) is a bad thing that reduces security. We think customers should be allowed to paste their passwords into forms, and that it improves security.
No one knows where it came from
It is a mystery where SPP came from. No one has pointed to a paper, a rule, an RFC (a technical standards document to plan how the Internet should work) or anything else that started it off. If you know of one, let us know using the comments form below. We believe it's one of those 'best practice' ideas that has a common sense instant appeal that may have made sense once. Considering the bigger picture today, it really doesn't make sense.
So why is password pasting a good thing?
The main reason why password pasting improves security is because it helps to reduce password overload, something that we cover in our Password Guidance. Allowing the pasting of passwords makes web forms work well with password managers. Password managers are software (or services) that choose, store and enter passwords into online forms for you. Password managers are very useful because they:
- make it much easier to have different passwords for each website site you use
- improve your productivity and reduce frustration by preventing typing errors during logins
- make it simple to use long, complex passwords
Disclaimer: although password managers can offer better protection than - for example - keeping your passwords in a normal (and so unprotected) document on your computer, they are not a silver bullet to solve all of an organisation's password problems. We'll write more in a future blogpost about things to consider when picking a password manager.
Imagine if you didn't have a password manager, or even that unprotected document on your computer with your passwords in it. Without password managers, it would be pretty much impossible to remember all your passwords. To cope without them you'd have to do some of these bad things:
- re-use the same passwords on different websites
- choose very simple (and so easy to guess) passwords
- write passwords down in places that are easy to find (like post-it notes next to the screen)
This is why we think SPP is bad, and allowing password pasting is good. The pros outweigh the cons, and by a lot.
Why stopping password pasting (SPP) is wrong
There are other reasons that are used to justify SPP. The small and misleading grain of truth in these reasons can sound very persuasive. Here's why they're wrong.
Justification 1: 'Password pasting allows brute force attacks'
If password pasting is allowed, that represents a vulnerability where malicious software or web pages could repeatedly paste password guesses into the password box until they break your password.
This is true, but it's also true that there are other ways to make guesses (for example through an API) that are just as easy for attackers to set up, but are much faster at guessing. The risk of brute force attacks using copy and paste is very small.
Justification 2: 'Pasting passwords makes them easier to forget, because you have fewer chances to practise them'.
It's true - in principle - that the more times you recall something, the easier it is next time.
In the real world though, people are made to have passwords for things that they hardly ever use. This means there isn't enough time to practise, and therefore little chance of remembering. This whole justification only works if you assume, to begin with, that users should always have to try and remember their passwords - and that's not always true.
People are also made to have passwords for things they use so often they couldn't forget the password even if they wanted to (which is quite inconvenient if you're forced to change the password regularly), and typing in the rotten thing again and again eats into their day. Password managers are a stick these people lean on, and SPP kicks it away.
Justification 3: 'Passwords would hang around in the clipboard'
When anyone copies and pastes, the copied content is kept in a 'clipboard' where it can be pasted as many times as they want. Any software installed on the computer (or any person operating it) has access to the clipboard, and can see what's in there. Copying anything usually writes over what was already in the clipboard and destroys it.
Many password managers copy your password to the clipboard so they can paste it into the password box on websites. The possible risk is that an attacker (or malware) will steal your password before it's erased from the clipboard.
Passwords remaining in the clipboard might be more of an issue if you're manually copying and pasting your passwords from a document you have on your computer. You might forget to clear the clipboard. However it's not much of a risk because:
- Most password managers erase the clipboard as soon as they have pasted your password into the website, and some avoid the clipboard completely by typing in the password with a 'virtual keyboard' instead.
- The web browser 'Internet Explorer 6' allows evil web pages to copy the clipboard; but very few people in the UK still use IE6 to browse the web.
- Viruses installed on your computer can have clipboard copiers on them, and grab your pasted passwords. That's still not a good reason for SPP though; when your computer gets infected you can't trust it at all. Viruses and other malware that copy the clipboard nearly always also copy every letter, number and symbol typed on your computer, including your passwords. They would steal your password whether or not it was in the clipboard, so you're not really gaining much by SPP.
Rather than stopping password pasting, help your computers to avoid catching viruses in the first place by following our guidance on securing enterprise IT. And install software updates - the IT version of eating your fruit and veg. It's one of the very best ways of securing your computer.
Don't just take our word for it
You don't have to take our word for it that stopping password pasting is bad. See Troy Hunt's blog (with a History lesson for us all), or this article in Wired.
Improve your security by supporting your users. Let them paste passwords.
Sacha B
Sociotechnical Security Researcher
I think some modern browsers now ignore the autocomplete setting, and instead respect the user’s preference, but it still causes problems with misguided websites.
In fact, as I argue, disabling autocomplete (and copy-and-paste) makes phishing easier because smart password managers bind passwords to web addresses and so creates an obstacle to typing a password for one site into another.
Hello! Thanks very much for commenting.
We like your idea about autocomplete. Passwords and password management are contentious, sometimes high passion topics. It's great to have such thoughtful contributions as this. Even when we agree with them! ;)
Re: Justification 2 - if people don't know their passwords, and it always auto-fills from the password manager, there is a sporting chance they'll spot phishing attacks (because they won't autofill).
I would like to congratulate the NCSC on their service and on their site generally and specifically for applying some common sense and pragmatism to established practices that fall into the category “Oh, but we have always done it that way”. Well done and thank you and perhaps we can get some support for the thought that Security and convenience is not an oxymoron!
The use of a password manager is what your whole article hinges on, hell it’s so intrinsic to your argument you’ve even had to add a disclaimer in your ‘for’ removal of SPP that password managers are ‘not a silver bullet to solve all of an organisation's password problems’.
Forget brute force, not remembering passwords and even the clipboard the security risk of removing SPP will be a perception that wiring down passwords is acceptable and an increase in the number of the general public storing them in unprotected files.
While titles like ‘Let them paste passwords’ are eye catching this has to be backed up with serious promotion of the general use of secure credential storage solutions.
Maybe we should explicitly say "don't stop people pasting passwords" . A reference to a recognised comprehensive standard would be helpful!
Account setup is different to account login.
However, I made a(n invisible) typo and effectively created an account with a password unknown to me. "Recover password", etc...
Solution, disable copy-paste and force typing it twice.
I know we're supposed to be debating this later, but until such time, here's my 2c.
paul.reviews/dont-let-them-paste-passwords/
TL;DR - There are perfectly legitimate reasons to disable paste, including increasing security.
Thanks,
Paul
Exactly as Jim said, I went to account.tfl.gov.uk and had to manually type my 32 character strong password into the second box. I got it right luckily, but I could easily have just given up and put in a simple password.
Please bring them up to date and stop this restrictive practice.
Unrelated but related, dev tools are great to get rid of walled garden prompts or annoying ads (assuming the main content has already been downloaded)
If we educate people into using a password pattern and "seed" approach, you can have unique and memorable passwords for every site.
For example. Your seed password might be
"TortoiSe" note the cap letter.
Your pattern might then be. Take the 1st and 3rd letter of the site name. Add it to the start and end. Also the number 65 (best to choose a memorable number for personal reasons)
Your password for Facebook would then be:
ftortoiSec65
For Gmail it would be
GtortoiSea65
This is a pretty simplified example, you might opt to add in a few non alphanumerics for added complexity.
You don't need to remember the passwords, just your pattern and seed. Once you have used it a few times, it becomes second nature.
It is also important to educate people at an early age to get them used to thinking about security and how to think about passwords.
Two words: password resets. You're using a seed and public info (e.g. site name) to generate the password. So you can remember it, you always use the same seed. Problem - you have to use a different seed to change the password for a particular site, which you'd want to do if, say, the site got hacked.
Your only option is really to pick a different seed and update every password for every service you have whenever you think there's a chance even one of those passwords has been compromised.
You might be tempted to pick a different seed and only use it for that site, but that leads you down a dark road. Over time, more sites will need password resets and get moved to the second seed. And it's only a matter of time before one of those sites needs a second password reset, and you need to throw a third seed in the mix. Remembering three seeds isn't the issue; remembering which sites use which seeds is.
And all of this is ignoring the elephant in the room. Is it even possible to devise an algorithm that could be used for this purpose? No - different sites have different rules for what kinds of passwords they allow. Short of memorizing which specific combination of rules every site has and having that as an input to your algorithm so that it outputs a valid one, it isn't possible.
And honestly, memorizing which specific set of password restrictions every site uses doesn't sound much easier than memorizing passwords; I certainly wouldn't bet on us being able to memorize unique password restriction rules.
Just use a password manager. Even if your incredibly simplistic algorithm didn't have the problems I just mentioned (no good way to do password resets, won't work on sites with different password rules), there's no way it would be easier than a cloud password manager browser extension.
While I can buy with your overall point that disallowing pasting of passwords is on average worse for usability than allowing it is for security I feel your reasoning is questionable.
Its really interesting
Similarly multi factor authentication - what you know, what you have, what you are - works in layers. A password is linked to an identifier and is intended to show what you know.
Stopping pasting is intended to increase the probability that a person who knows the password is present at the time it is entered.
If someone said "We store passwords in plain text" and, after seeing your looks of horror, they said that "Storing passwords in plain text helps to cure cancer", the fact that they have ultimately noble intentions for compromising their security doesn't change anything. Their actions are not having the desired effect.
All of these practices encourage people to have weak passwords.
. physical/domestic/local/line-of-sight => keep passwords locked-down in a locked-down account
. remote/drive-by credential collection/exfiltrate-and-run => physical-world record and all entry by hand
. long-term local digital security breach => oops!
. physhing => automated warnings should sound (& email clients should not allow click-through when a link doesn't pass a live security certificate check of authenticity)
also, perhaps consider the signature analogue - it's the way that it's written, not what is written, that counts: identical content is usual, but absolutely identical is a forgery; is password typing rhythm a clue? Perhaps a <website> should give the user the password, and the way that it's entered should be the key? just thinking out-loud...
anyway, interesting, tl;dr = it depends...
I learned very early (as in many, many years back) that I have to make it easy for users entering their usernames and passwords, otherwise we would be on the phone for half a day to help these people.
Also, copying and pasting username/passwords clearly helps "typing" them in correctly reducing the calls of "I am 100% sure I typed my password correctly" although you could see in the logging mechanisms they did not.
I see it this way: While we need to educate people to have good security developers need to adapt to users, we need to meet half way. If I cannot tell a person to use a password manager I can tell them to use something similar to @Steve Slade's approach - which I have done for many years. Most people I explain that approach you can see their eyes lighting up "what a great idea, thank you".
Don't try to bash something into them (aka no pasting, 100character passwords) but rather help them to develop and learn.
Passwords are supposed to be a shared secret, not a test of the user's memory or keyboard skills.
It's ridiculous.
Also, ridiculous password restrictions need to go, too. No website should tell me that [!|@|#|$|%|^|&|*|(|)|whatever] are "invalid." Maximum password lengths need to go, also. It's a problem that webmasters trained in the MS way, which you can blame the old WinNT [4.0-era] winlogin.exe for that... which used such draconian policy which most sites today still employ. (It was a holdover from VMS that made it that way.)
Thanks for this insightful post from the USA!
- if a malicious bit of code or actor is in memory, it’s game over, concerns elsewhere. Change all your passwords, consider any system, session, information or data, cached or used credentials compromised. That’s the reality.
- if the transport is unencrypted and you’re entering creds into a form, you’re probably using the wrong service or app and should re-evaluate what you are about to do, regardless of method
- whether you paste or type it in is irrelevant really. Scenario, your input is hacked through physical or logical means, typing it offers more risk because you’re competing with the physical vector and trusting peripherals, cables and the hardware inside your machine. If it’s stored encrypted at rest and only ever seen in memory before being transmitted/submitted (maybe written to disk if cached or user opts to save the creds), then the physical keyboard/peripheral jacking techniques aren’t of that much concern for the form scenario.They probably got your logon password and living in memory at that point any way, so your logon account is probably more valuable than a single credential used in a specific form). Time to ask ourselves the stats on how many ppl use the same password for logon as to password safe not to mention the different password stores that have their own vulnerabilities that may also be exploitable.
- if we are worried so much about passwords getting compromised, make it mandatory to use MFA, lower password complexity settings to make it easier for the users, reduce the frequency of password resets (but don’t remove it completely), and audit and alert on abuse use cases for the forms in question.
- use recaptcha and other technologies if bots are of concern and also ensure that you rate limit logon attempts, progressively compounding the retry interval to eventually make it unfeasible to continue to attack.
- last but not least, educate the users, empower them.
Leave a comment