Every few days on 'Infosec Twitter', I come across another example of a site that breaks password manager functionality by disabling the ability to paste into the password field. Generally, customer service representatives for those sites will vaguely explain that this is being done for "security reasons" - despite the fact that current best practices recommend the very password managers that this is disabling. Why are two different communities citing "security reasons" to justify opposite actions?
First, current security best practices absolutely endorse having the ability to paste passwords; in fact, this is a core requirement for the use of password managers. Using password managers is also considered to be a best practice because they encourage better user password hygiene. They typically allow users to generate long, complex passwords and make it much easier for users to change their passwords on a regular basis. Most importantly, password managers help mitigate the extremely common problem of password reuse. By encouraging and enabling users to use strong, unique passwords for every site, there is less possibility that a password compromised by a website breach could be used to gain access to your information on another site.
Password managers thus help secure the sites that allow them to be used, protecting those sites both from their own users, who historically choose weak credentials when forced to memorize them, and from breaches of those users' accounts on other sites.
If this functionality offers so many benefits, why would any site want to disable password managers?
In some cases, this decision may be based on outdated ideas about security risks. Some developers may be concerned about phishers stealing credentials and then pasting them into genuine forms to steal logins; others may be concerned about cross-site scripting (XSS) attacks; still others may be concerned about UX issues related to differing character sets or extraneous spaces being pasted into forms.
However, security is a constantly evolving target, and while these issues may have been relevant once, the landscape has changed greatly over the past several years.
First, the danger associated with users pasting credentials into phishing sites is somewhat outdated. The rationale appears to have been that in the time it takes users to remember and manually input a password, they also have a chance to consider the legitimacy of a site and recognize fakes. However, this concern is mitigated by the now-standard practice of password manager use - if a user is on a site that isn't the legitimate one, the manager, which ties each saved credential to the site it was saved for, won't put the password into the form to begin with. That should be a warning sign to the user that something isn't right, and so the password manager itself can help prevent that kind of phishing.
Next, the dangers posed by XSS (cross-site scripting) are certainly concerning, since a site vulnerable to XSS could end up with a fraudulent form 'overlaid' over the legitimate form, thus allowing external parties to collect credentials. Fortunately, excellent resources like the XSS Prevention Cheat Sheet can help site developers ensure that their sites will not be vulnerable to these kinds of attacks. Preventing XSS attacks is entirely within a site owner's control, so implementing measures to prevent such attacks is a strategy that will pay far better dividends than trying to prevent users from using password managers.
UX issues have also been cited as a motivation for preventing password pastes. The specific rationale is that encoding differences between the way a user stores their password in a file and the way the form expects to receive it might produce a mangled entry, and thus a bad user experience. However, this concern is also negated by the implementations of modern password managers, as the encoding used when storing passwords is necessarily consistent within the browser environment. There is little chance that pasting a password will degrade the user experience, and so password manager use should remain a best practice.
Ultimately, holding on to outdated security ideas provides very little benefit to users and can negatively impact both user security and site security. Even worse, such ideas can actually mistrain users to develop bad habits that could harm them and the sites that they participate on. If you take steps to prevent password pasting, you help bring back the old habits of password reuse and the use of weak passwords that are easy to remember - habits that we in the security industry have worked hard to try to break. Allowing password managers for your sites will help us keep people safer and support our efforts to train users into more secure password habits.
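To check your own pages for the pattern described above, here is an added example that is not from the original post: a small Node.js script that flags password inputs carrying a paste-blocking inline handler, and those lacking the autocomplete hint that lets password managers identify the field. The sample markup and field names are constructed for the demonstration.

```javascript
// Added example, not code from the original post: a static audit that scans
// HTML source for password inputs whose inline onpaste handler blocks pasting
// (the pattern this post argues against) and for inputs lacking the
// autocomplete hint password managers use to recognise the field. It is a
// regex-based check, not a full HTML parser, so it only sees inline handlers,
// not listeners attached from scripts. The sample markup is constructed.

const INPUT_TAG_RE = /<input\b[^>]*>/gi;
// Inline handler bodies that cancel the paste action.
const BLOCKING_HANDLER_RE = /return\s+false|preventDefault\s*\(/i;
// autocomplete values that tell a password manager what the field holds.
const PASSWORD_HINTS = new Set(["current-password", "new-password"]);

// Parse the attributes of one <input ...> tag into a lowercase-key object.
function parseAttrs(tag) {
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per problem, keyed by the input's id or name.
function auditPasswordInputs(html) {
  const findings = [];
  for (const tag of html.match(INPUT_TAG_RE) ?? []) {
    const attrs = parseAttrs(tag);
    if ((attrs.type ?? "text").toLowerCase() !== "password") continue;
    const field = attrs.id ?? attrs.name ?? "(unnamed)";
    if ("onpaste" in attrs && BLOCKING_HANDLER_RE.test(attrs.onpaste)) {
      findings.push({ field, issue: "inline onpaste handler blocks pasting" });
    }
    if (!PASSWORD_HINTS.has((attrs.autocomplete ?? "").toLowerCase())) {
      findings.push({ field, issue: "no autocomplete=current-password/new-password hint" });
    }
  }
  return findings;
}

// Constructed sample: a paste-blocking password field beside a manager-friendly one.
const SAMPLE_HTML = `
<input type="text" name="user" autocomplete="username">
<input type="password" id="pw-blocked" name="password" onpaste="return false;" autocomplete="off">
<input type="password" id="pw-ok" name="password" autocomplete="current-password">`;

console.log(auditPasswordInputs(SAMPLE_HTML));
```

Running it reports two findings, both against the `pw-blocked` field, and none against the manager-friendly one.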
About the Author
Eric is a consultant at Brown Hat Security. Please follow Eric on Twitter.