Websites, Please Stop Blocking Password Managers. It’s 2015
Jul 26, 2015 8:31:56 GMT -6
Post by Deleted on Jul 26, 2015 8:31:56 GMT -6
Yes I say! Stop with the forced security and ham-fisted attempts to save us from ourselves! (We don't want it..really!)
Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.
This is one of two major problems, actually.... I'll get to the other one, last.
So why do companies deliberately stop users from copying and pasting their passwords? A representative from PayPal told WIRED that “Disabling this function is a proven way to prevent some forms of malware. We regret any inconvenience this may cause, however the safety and security of our customers is our top priority.”
(sigh) .... Yes, it is a way to block automated password crackers. There are far BETTER ways, and sites I work on employ other measures that don't screw with users directly...but end the issue just as effectively, if not more so. Password security isn't the issue in most cases, anyway. The big hacks and worthwhile attacks are coming from inside weaknesses and highly skilled action. Pasting a password is a move to stop children from playing with scripts made for them to learn with, while making secure passwords about impossible to use.
There is also the fact that, even when an attack WOULD use the method this is meant to stop? It just doesn't work...
But accounts aren’t broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.
When security professionals stop writing their tools to the moving target of intelligent opposition? They make problems where there may not have even been any to make. In this case, it is forcing someone to drop the idea of long, mixed and gibberish type passwords (the best ones to use) for ones you can remember or..worse..write down somewhere convenient for you (and everyone else who may care to know).
---
The other major issue I see and want to mention while the topic is here, is the ignorant policies in place to force password changes. I want to make a statement here..and it'll shock some people, but the truth normally does in life. I've used the same 3 rotating passwords for non-critical things for over 15 years. By non-critical, I mean things that wouldn't cost life or serious loss of property if a hack were to occur on whatever system I'm a part of. In those higher and more important cases? I'll be straight here and show people exactly what I use for password format in critical things. I assure you...seeing it won't help anyone, in any way.
One password I recently rotated off from was "dVSc205EVzB0e840UCjO". Another which is further down my rotation list, and will now be marked off as used was "YMNyMBpimL2vM8GZ8UCX". Even there, I've left off one detail from each, that define the list I randomly generate occasionally. That is what gets used on critical things...but normal daily life??
.....When one is forced by time or other arbitrary measure to change a key security factor like a password? It forces the change to something either written down or memorized EASILY...which is precisely what a password SHOULD NEVER BE. If you can remember it before you've used it several times? It's a crappy password. Just sayin'...
So, there are my two cents on the topic of security as well as Wired's take on the issue of sites removing your option to even use Password Management software.
** As a side note..I DO recommend password managers..but I also recommend you work at it and do your own homework. You're handing the keys to YOUR kingdom (however rich or poor, large or small it may be) to another entity by choice...so that better be a company without trust issues or you'll get all the sympathy of watching someone jump off a bridge. Having said that? Finding a good one can make VERY secure net surfing an afterthought you need not give serious time or effort toward, once it is established.
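The "long, mixed and gibberish" password format the post argues for, worked through as an added Python example (not the poster's own tooling): it generates passwords the way a manager does, checks the two quoted samples against the format, and puts a number on why a 20-character random string beats anything memorable. The 62-symbol alphabet (letters plus digits) and 20-character length are assumptions inferred from the two samples; the post says one detail was left out of each, so the real format is stronger than what is modelled here.

```python
import math
import secrets
import string

# Assumed format, inferred from the two samples quoted in the post:
# upper- and lower-case letters plus digits (62 symbols), 20 characters.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 20


def generate_password(length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def matches_format(password: str, length: int = LENGTH, alphabet: str = ALPHABET) -> bool:
    """True if the password has the expected length and uses only the alphabet."""
    return len(password) == length and all(c in alphabet for c in password)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate, in years."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2.0 ** bits) / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    # The two rotated-off passwords quoted in the post, checked against the assumed format.
    for sample in ("dVSc205EVzB0e840UCjO", "YMNyMBpimL2vM8GZ8UCX"):
        print(sample, "matches format:", matches_format(sample))

    random20 = entropy_bits(LENGTH, len(ALPHABET))
    memorable8 = entropy_bits(8, 26)  # an 8-letter lowercase word: what forced rotation pushes people toward
    print(f"20 random chars over 62 symbols: {random20:.1f} bits")
    print(f"8 lowercase letters:             {memorable8:.1f} bits")

    # Constructed comparison rate (assumption): 1e10 guesses/s for an offline attack on a fast hash.
    print(f"exhaustive search, random20 at 1e10/s: {years_to_exhaust(random20, 1e10):.2e} years")
    print(f"exhaustive search, memorable8 at 1e10/s: {years_to_exhaust(memorable8, 1e10):.2e} years")
    print("fresh password:", generate_password())
```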