68
hashedram
50d

Disabling pasting into a password field in 2020, with password managers, is retarded. That's it, that's the rant. Doesn't matter if you think password managers are good or not. It's still retarded that there's a 40 something year old dumbfuck manager who told a web designer at EA to disable pasting into a fucking password field because he was dumb enough to think it stopped hackers or some shit like that.

Comments
  • 23
    Lately I've been taking advantage of my password manager... so some of my passwords are 64-character long Unicode strings 🤣 I'd hate to have to type that
  • 11
    @eo2875 I still go with 32 at most because otherwise either I'm lucky it supports up to 32 chars at all and doesn't let me input any more or "accepts" the password up to the limit and just drops everything I input without telling anything.
  • 9
    I think the reason is not hackers but to "protect" the users by patronizing them.
    Still retarded.
  • 11
    ah yes, those "hackers" that just send the POST request through something like Curl :^)
  • 8
    The real scandal is that you tried to log in on an EA site.
    Long gone are the days of the original Electronic Arts which made some of the best games of their time. Today, they are known as the megacorp of gaming - with "megacorp" having a rather dystopian connotation...
  • 2
    @theKarlisk oh damn thanks for the warning
  • 2
    @Oktokolo Well I'm playing Dragon Age 2, which is one of the good old ones.
  • 6
    @hashedram
    That is indeed one of the games I allow you to play.
  • 1
    Take advantage of the autotype feature of KeePass, mate! That'll work everywhere, even on launchers.
  • 2
    @eo2875 I expect that these will get cut down to 32 or less characters by some sites/apps...
  • 1
    From a cyber perspective, this entirely depends on your threat model.
  • 2
    @linuxxx Curious, not arguing...

    Can you explain a threat model where not allowing pasting of a password into a password field would prevent an attack?

    If you're worried about brute-force attacking, limit failed logins or rate limit attempts.

    No?
  • 3
    @JustThat Any third party (or a compromised server) injecting JavaScript which would trigger on 'pasted' data and transmitting this to the attacker. Or stuff similar to this.

    In most cases this won't be an issue but again, when you're facing state actors, I would not want to enable any form of data copying/pasting. Pretty much limiting as much not-directly-under-control data handling.

    Or simply some data stealing addons working this same way?

    That's how I'd fuck over people using password managers 😄
  • 4
    @linuxxx Would that same code not work as a key logger and pick up anything typed?

    I mean, why limit it to paste actions?

    Also, as stated, some password managers actually type into the field and do not paste.
  • 3
    Dumbass probably read an article and formed an opinion without the knowledge about how things work. See plenty of that all over the place. Go, show your users a web page in plain html and tell them that the fancy page they see is an interpretation of that text and some images thrown together. They won't even believe it.
  • 2
    @eo2875 i once set my windows password to be the first paragraph from a short story i wrote.

    it was a bit annoying to log in.
  • 1
    I had such experience with some "enterprise" software, every time it got me, and the annoyance followed
  • -1
    @Oktokolo & @hashedram
    Pls don't hijack.
  • -1
    @hashedram & @eo2875 & @theKarlisK @linuxxx

    What about going passwordless?