Bank-grade Security or Why Blocking Password Pasting is not a Good Security Strategy

Bank-grade Security or Why Blocking Password Pasting is not a Good Security Strategy

Your friend creates a website. You are curious and you ask him: “is it secure?”, which, in your mind, probably means “did you secure your website to the best of your abilities?” and your friend replies: “Yes, it has bank-grade security”. Oh, “bank grade security”, damn! That means it’s very secure!

Before you intervene, I am by no ways stating that banking websites are insecure – I am interested in how banks and other financial institutions deal with passwords though. The reasons for that should become apparent in a moment.

Let’s start with a German bank just for a change of flavour. Here’s how their login page looks like:

Just a simple login page, nothing unusual. For a second, let’s imagine that I am a customer and want to log in to my banking account – I provide a username and paste a password generated by a password manager:

Except that I don’t see a password: it seems that I am not able to paste! Let’s take a look at the source code of the page:

Wait – what? The bank enforces a maximum password length of sixteen characters too? This stuff is just not on. There’s plenty of banks and other institutions out there that block users the ability to paste passwords, but why do they do it? Well, according to them, it’s for your own good.

“But.. security!”

Here are some thoughts of some of the institutions out there:

Here’s the thing: disallowing password pasting does nothing to improve security. Actually, it’s the other way around: it makes the whole thing even worse! You disallowed me to paste my 30 (or even 50) character password into your login form. Typing it out is very painful, but that’s the only option I have..

Why do some organizations knowingly prevent users from pasting their passwords you ask? The most frequent response you will find is “security reasons”. That’s madness! Once passwords are stored, the hash of a 20-character password is the same length as the hash of a 50-character password. I sincerely hope that the websites who are enforcing maximum password lengths are actually hashing the passwords..

Here’s some more reasons why some companies opt to disable password pasting:

“Disabling the pasting of passwords is a security feature in order to prevent password phishing and brute force attacks.”

“Disabling this function is a proven way to prevent some forms of malware.”

Wait – so keystrokes are allowed, but pasting from the clipboard is blocked because that’s “a proven way to prevent some forms of malware”?! This statement makes the assumption that if a computer is compromised, an attacker could access the clipboard. The thing is, if a machine is compromised, the nefarious party is probably more interested in its keystrokes – why would the attacker assume a victim would belong to a relatively small group of people using password managers and steal the password from the clipboard when he could just utilize a keylogger? Furthermore, disabling password pasting does not stop an attacker from using automated tools in order to gain unauthorized access to a website..

There’s an other way around

Have a look at a login form courtesy of a bank in Finland:

This bank has no “onpaste=return false;” attributes in the code, password limits are not being enforced, password pasting is not being blocked, there are no bad password policies (at least none that’s easily observable by having a look at the code). None. Kudos to them!

Summary

There are reasons why password pasting is being blocked such as it remaining in the clipboard of the user afterwards, but the bottom line is this – there is no huge security benefit to disallowing passwords to be pasted. Allow users to paste passwords – it will allow them to utilize password managers to their full extent and make their online life more secure: that’s so much better than using your dog’s name or a birthday date as a password!