It seems to be common with banking but I had one the other week in an app where not only could you not cut and paste but you couldn't swap between the app and the password manager to check on the password as it would immediately wipe what you'd already entered. With any complexity to the password there's then little choice but to write it down.
Capital One is facing criticism for using policies on its banking website that prevent the use of password managers. Joseph Carrigan, a Reg reader and senior security engineer at the Johns Hopkins University Information Security Institute in the US, says he was trying to reset the password for his Capital One bank account …
Thursday 13th September 2018 12:04 GMT jmch
Thursday 13th September 2018 12:47 GMT GnuTzu
Thursday 13th September 2018 13:09 GMT Anonymous Coward
"Desktop software engineers will need to keep in mind that the clipboard now needs to be treated as a sensitive space"
Indeed. KeePass (other, possibly better password managers are available) will over-write the clipboard if you copied a password after 6 seconds. It'll also emulate keyboard input, getting around the "no paste for you" issues ...
Friday 14th September 2018 03:41 GMT Shadow Systems
At GnuTzu, re: the clipboard.
I don't remember the specific article here on ElReg that discussed it, but there was one about how you should disable the ability to Copy&Paste/Drag&Drop because script kiddies had figured out a way to use those vectors as a path to gaining access to your machine.
In IE it's under Options>Security>Miscellanious>C&P/D&D. I'm not sure about Firefox, Chrome, Safari, Edge, or any other browser, but should be somewhere similar (Security options).
I had already turned off those capabilities in my browser & so the "Proof Of Concept" site (to test if you were vulnerable) wasn't able to do much, but it was a great eye opener for others.
HTH & enjoy a pint, it'll help drown your desire to recode the web in LOGO. =-Jp
Thursday 13th September 2018 13:08 GMT vtcodger
"With any complexity to the password there's then little choice but to write it down."
Actually, there is another choice. And it's one you might want to seriously consider. Don't do financial stuff on the Internet. No internet accessible accounts, no need to worry about passwords.
Given the current state of computer security, the rate at which new problems are being introduced, and the slow rate at which the underlying problems are being corrected, it seems to me that internet banking is only marginally safer than asking a random stranger to watch your wallet while you go swimming.
In a few years (decades, more like) when the digital Wild West has been tamed, things will presumably be different and of course you'll be able to paste passwords if passwords are still in use.
Thursday 13th September 2018 14:29 GMT Robert Helpmann??
Don't do financial stuff on the Internet.
Your concerns seem at odds with reality. In as much as there is a way to handle security in any realm, it is hard to argue that it is worse online than IRL. While it is worth calling out companies, applications and web sites that get it wrong, the fact that there is scrutiny on them is more than you get out of physical access to money these days. Ever hear of card skimmers? Hacking ATMs? Perhaps you ought to just hide your money under your mattress or may switch entirely back to barter until the monetary Wild West is sorted.
Thursday 13th September 2018 17:30 GMT Amos1
Working for a bank, I can assure you that is almost impossible. Why? Because pretty much every company makes all accounts available from the Internet by default. So if you don't use it someone else just might.
You also should set transaction alerts for the smallest allowable amount, usually $1 or $5 because you should always know when one of your accounts is used.
You can request that Internet access be disabled one account at a time but I've seen many an upgrade enable them without warning.
Friday 14th September 2018 03:59 GMT Shadow Systems
At VTCodger, re: writing passwords down.
I've got mine written down. I keep them in a lockbox at the bottom of a flight of unlit stairs in a disused lavatory with a sign on the door that says "Beware of the Vogon poet". I know nobody has broken in & gotten to my papers, I've been writing poetry the entire time. =-Jp
On a more serious note, when my bank wanted my email address to associate it to my account, I asked why. They said it was so I could do online banking. I asked what if I didn't want to do online banking? They said it would be so they could alert me if anything bad happened to my account. I told them to call me since that would be faster than an email. I refused to give it to them at that time in the belief that if I didn't activate the online portion of my banking account then criminals couldn't hack into it either. I was proved wrong. The fact that I hadn't given them my email meant that the bastards that social engineered themselves into my account set *their* email address as if it were mine. They then set a password lock on my account & froze me out of it. I had to physically go into my bank, refute everything that had happened to my account via the online path, & demand the bank refund all my money. They said it was all MY fault for not having given them my address in the first place. I nearly went over the counter & BEAT that little snot with their keyboard. (Never blame the victim. We're liable to take out our frustrations on you.) I ended up having to activate the online portion with a username, password, & my email address *just so I could prevent criminals from gaining access*. So even though I didn't want online banking, I had to register my online credentials in order to keep my account from getting hacked... Again.
Do yourself a favor & go visit your bank. Activate the online part, set up all the security hurdles you can, & then Just Don't Use It. If there's ever any online activity on it then you tell the bank it's fraud. How do you know it was fraud? Because *YOU* never did any online banking. Then you get to change all the passwords/security questions, & the bank gets to refund all your money.
Thursday 13th September 2018 07:30 GMT Alan J. Wylie
Thursday 13th September 2018 11:24 GMT Just Enough
Re: The NCSC agrees
You don't understand. If passwords should be hard to crack they need to be hard to enter, and their use should be as difficult and laborious as possible for the user. This sounds like obvious logic, doesn't it?
And users never look for the easiest way of doing something, thereby nullifying efforts to make things hard for them and making the security useless.
This is why my websites insist the password is entered by ASCII code, in binary, obscured so that you can never see what you've typed. Twice. Take that hackers!
Thursday 13th September 2018 07:49 GMT Anonymous Coward
Thursday 13th September 2018 08:35 GMT Malcolm Hall
Thursday 13th September 2018 09:27 GMT Killfalcon
Huh, I'd not considered that (my bank does it as well), and now I'm kicking myself.
They can potentially store them encrypted and decrypt them when needed, but that is obviously less secure than a password that gets hashed and the hashes compared. In theory I guess they could hash each character separately, but that feels like a waste, since you can crack each independently fairly easily. :/
The flip-side is that these "x letters from password" things are more resilient against other threats, like keyloggers and such. Is that a bigger issue than an internal breach lifting the password table? I don't know, but hopefully the banks have done some thinking on it.
Thursday 13th September 2018 08:38 GMT Korev
I used another financial organisation's webs(h)ite the other day which blocked the clipboard. I'd dutifully created a 20+ character password with numbers, upper and lower case letters and symbols. I took three attempts to type it in accurately, by the time I was done I was almost ready to chuck the laptop out of the window....
Thursday 13th September 2018 08:41 GMT Baldrickk
Single figure entry
There are other annoying ways for banks to really put a spanner in the works.
For me, the biggest is requiring specific characters from your password.
You can't just copy and paste that either.
Easy to put in if you have a short password that you remember 1-5-7 of "Abcd123"? "A13" not too hard.
What about 8-14-17 of "u[==sPDOD`w>d&]nVaUYOU-em+wY:N" erm... well first I need to open up the entry in the password manager, un-hide the password (so it's now in full view of shoulder surfers) and now count the characters, make sure I get the right ones and put them in. er... "O&V"
I mean, it's not hard to do, but it circumvents filling the password and makes it easier to get your password wrong by miscounting characters.
Also how do they store the combinations required? Is your password encrypted and not hashed (bad)? or is there a finite set of hashes of character combinations (terribly inefficient with space, and it's doubtful that they are going to pre-calculate every possible combination)
Thursday 13th September 2018 09:01 GMT DwarfPants
Thursday 13th September 2018 09:47 GMT FrogsAndChips
Re: Single figure entry
HSBC also do that. They ask you for an answer to a memorable question, then either an OTP (for sensitive operations like payments) or, for read-only access, a set of characters from your password (from experience among the first 5 or last 2). Since I don't trust how they store the password for the same reasons as you mentioned, I've created a random complex string for the 'memorable answer' that I retrieve from my password manager and a simple password from which I can easily pick a few chars. Of course that assumes that the memorable answer itself is securely stored.
Thursday 13th September 2018 14:21 GMT Hans 1
Re: Single figure entry
Also how do they store the combinations required?
British banks ? in clear text, in an MS Access database on an open-to-the-world AWS bucket in the states!
What did you expect ?
No, seriously, if they ask for n'th character, they have it in clear text!
If they have it in clear text, their techies are idiots.
And where do idiotic techies store sensitive shit ? in an open-to-the-world AWS bucket, somewhere ... I love argument from ignorance, but I think I am not too far off, here ...
Thursday 13th September 2018 22:19 GMT Time Waster
Re: Single figure entry
Thumbs up for the idea of storing hashes of different combinations. Though there’s no way I credit many banks with coming up with (or caring about) doing so. Realistically if, like my bank, they only ask for 3 characters at a time, it wouldn’t take much to brute force those hashes anyway... My bank does ask for a secondary password (I think they call it a memorable word), which I guess (again, assuming a massive amount of faith in their security / engineering teams) they could be storing hashed with these different pre-chosen combinations...
Thursday 13th September 2018 09:00 GMT theModge
Sunday 16th September 2018 00:02 GMT FlamingDeath
Re: There's an addon for that
This add-on can:
Access your data for all websites
Access browser tabs
"There is one permission in particular, “Access your data for all websites”, that we’ve gotten many questions about since the feature launched. The reason why it’s worded this way is because a web page can contain virtually anything, and some extensions need to read everything on it in order to perform an action based on what the page contains.
For example, an ad blocker needs to read all web page content to identify and remove ad code. A password manager needs to detect and write to username and password fields. A shopping extension might need to read details of the products you’re searching for.
Since these types of extensions wouldn’t know whether any particular web page contains the bit it needs to modify until it’s loaded, and neither does Firefox, it needs access to everything on a page so it can look for and modify the appropriate parts. This means that in theory, while rare, a malicious developer could tell you their extension does one thing while it actually does something else."
Thankfully, most people in this world are honest and upright. Unfortunately, a disingenuous monetary system means sometimes people will be tempted to defraud others.
Thursday 13th September 2018 09:02 GMT Chris Hills
Try typing this password
Edit, el reg does not handle unicode very well...
"The post contains some characters we can’t support"
The original was, as unicode codepoints: U+00F6 U+00BB U+0182 U+0236 U+00AE U+0130 U+014B U+01EC U+1F61B U+0116 U+1F63C U+2601 U+1F633 U+262D U+263E U+0147 U+2628 U+1F62A U+022B U+262C U+2649 U+1F63D U+00CF U+0137
Or in HTML escaped: ö»Ƃȶ®İŋǬ😛Ė😼☁😳☭☾Ň☨😪ȫ☬♉😽Ïķ
Thursday 13th September 2018 09:32 GMT Anonymous Coward
Banks - Can't live with them / Can't live without them
Here's a shout out to Allied-Irish-Bank for any passing Hacker. Max Password length is 5 numbers of which 3 must be entered at any one time.
Who needs a password manager!!! On another banking site CTRL-C / CTRL-V is disabled but right-click paste works. Block it right or don't bother!
Thursday 13th September 2018 16:20 GMT Cavanuk
Thursday 4th October 2018 00:41 GMT Anonymous Coward
Maximum password lengths are an absolute pain and serve no purpose. Since they'll be hashing them anyway (RIGHT?) then the length doesn't actually make any difference to them.
Having said that, I did come across a domain registrar who stored passwords in plaintext...though they never admitted it, they did ask me to email them several characters from my password so they could verify it was me...how would they know?
Thursday 13th September 2018 17:43 GMT rebelcode
British Gas and E-bay do this too
British Gas allow you to paste a new password in but to confirm it you have to type it in. An email discussion with them confirm that's by design too. Ebay also don't allow pasting of passwords when setting your password, and email conversation with them shows that's deliberate as well.
I know that it's not exactly the same subject but there are also websites that have really stupid password policies. The most immediate one that comes to mind is Lambeth Council where a password now must be no longer than 8 characters, whereas about 4 years ago you could have up to 16 characters. Email conversations with them over the years shows a worrying lack of understanding abotu password security. On the plus side you can paste passwords
Thursday 13th September 2018 18:28 GMT csimon
Capital One have an odd view of security, so much so I recently stubbornly cancelled my long-standing credit card with them after they stubbornly refused to admit they'd dropped the ball. They'd brought their outsourced customer portal in-house therefore it had been rewritten and required everyone to set up their account again. But they forced two-factor authentication via SMS to activate it, where the one-time code expires after 10 minutes. I live in an area where there is no mobile reception, so there was actually no way I could activate the new portal, while sat at home. I couldn't drive up the road to where there is a signal in order to receive the code because by the time I got back it would have expired. I tried to contact them, which was difficult as there were no contact details or help info on the registration page and you have to go through hoops to contact them, but their only reply was to use someone else's computer to register, where there will be mobile reception. Using an unknown network/computer is aginst their own secutiy advice, and SMS TFA is now starting to be considered insecure anyway. For a bank that is supposed to take security seriously, they don't instil any trust that they actually know what they're doing.
Friday 14th September 2018 13:01 GMT Drew Scriver
SMS auth for poor/no mobile coverage
I too live in an area with poor cell phone reception, which does pose a problem for MFA. Although I wished more companies would add U2F keys (or even old-fashioned fobs), I have found that getting a Google Voice number works in most cases since SMS messages are forwarded via e-mail.
Thursday 13th September 2018 18:28 GMT Anonymous Coward
Three random words written down ?
But what I recommend to family and friends is to go down the three random words (UK govt campaign?) route and write them down. WAIT...
AND have a short random and easy to remember string (first letters of a line of a song perhaps) which you don't write down and which forms the fourth word. So 'Mary had a little lamb' becomes Mha1l and goes on the end of every password.
It's much easier to read three words off the page than 16 random punctuation symbols and I'm afraid most people can't be bothered with a password safe anyway. So this encourages a long and secure password,which is easy to type in, but also simple to vary between sites.
Of course you have to keep the secure bit secure. A song is easy to remember but a password safe is a fallback.
I think this meets the 'horse battery correct staple' test but would someone like to take it apart for me ?
(And personally I never type a bank password in original character order. Type, move cursor with mouse, type some more, repeat. Doesn't stop MITM but makes the keylogger route a leeeeetle harder. Sadly mobile apps seem to be blocking this nowadays and wiping the field completely if you leave it.)
Thursday 13th September 2018 18:46 GMT hellwig
Everytime I log into Capital One, they require a security code. They will email it to me, text me, or send it through their phone app. I end up closing my computer's web browser and using the phone app for everything (they still text or email a security code, but now it's at least only one device I'm working with).
I guess my point is, I don't need a 30 character password on my Capital One account, I just need to make sure my eMail and Phone are as secure as can be.
Thursday 13th September 2018 21:20 GMT dougkiwi
Terms and Conditions might be the real enemy
Seriously. Some banks, like one near me, have it in their Terms and Conditions that online account passwords must never be written or stored ... which means no very complex passwords and no password managers. Not sure if they hard-limit or truncate ... wouldn't that be funny? No correcthorsebatterystaple then.
So even if they allow pasting, if you have any issue with fraud and they find out you used a password manager, they will be legally entitled to put the entire cost on you.
Banks and PCI DSS are becoming part of the problem, with archaic security approaches.
Thursday 13th September 2018 23:50 GMT Crazy Operations Guy
I miss my old bank
I used to sue a local credit union that was founded by a bunch of employees of a computer security firm, unfortunately they got bought out by some regional crap bank that in turn got acquired by Capital One. But, in any case, they didn't fuck around with passwords, rather they just used smart cards and gave away the readers to whoever needed one (The employees would have one anyway). You could create your certs if you had the know-how and they'd just sign add it to your account login. Multiple certs could be placed on a card and each could be restricted to certain functions.
This was a small credit union that held, maybe, $2mil in assets, and in 1998. How is it that 20 years later, they are still ore secure than the vast majority of banks, especially those that are sitting on a trillion+ USD in their vaults?