Websites, Please Stop Blocking Password Managers. It's 2015

Companies are taking away one of the best security measures we have.
GettyImages160484683
Key in a lockGetty Images

Rather than fancy zero-day exploits, or cutting-edge malware, what you mostly need to worry about when it comes to security is using strong, unique passwords on all the sites and services you visit.

You know that. But what’s crazy is that, in 2015, some websites are intentionally disabling a feature that would allow you to use stronger passwords more easily—and many are doing so because they wrongly argue it makes you safer.

Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.

Typically, a password manager will generate a long, complex, and—most importantly—unique password, and then store it in an encrypted fashion on either your computer or a remote service. All you have to do is remember one password to enter all of your others. In essence, the task of remembering dozens of passwords is relegated to the manager, meaning that you don’t have to deploy that same, easy to remember password on multiple sites.

This week a customer called out T-Mobile for blocking their password manager. WIRED confirmed on Thursday that it was not possible to paste text into the create password field on the T-Mobile site. T-Mobile got in touch on Sunday to say the problem had now been patched.1

Jai Ferguson, a spokesman for T-Mobile, told WIRED earlier in the week that the company was “aware of the copy/paste issues and are actively working on a fix.” He added that the problem “certainly isn't by design,” despite the HTML code used on the web-page explicitly prohibiting users from pasting into the password field.

Another customer complained that the German site for Barclaycard prevented pasting. Again, WIRED checked that this was the case. WIRED also confirmed that it was not possible to paste passwords in the registration section of the Western Union website.

The list goes on, and several people complained this month that PayPal was presenting a similar problem when users tried to change their password.

The Curse of Good Intentions

So why do companies deliberately stop users from copying and pasting their passwords? A representative from PayPal told WIRED that “Disabling this function is a proven way to prevent some forms of malware. We regret any inconvenience this may cause, however the safety and security of our customers is our top priority.”

But, as pointed out by Troy Hunt, a Microsoft MVP for Developer Security, on his website, “the irony of this position is that [it] makes the assumption that a compromised machine may be at risk of its clipboard being accessed but not its keystrokes. Why pull the password from memory for the small portion of people that elect to use a password manager when you can just grab the keystrokes with malware?”

As for Barclaycard, a representative told WIRED in an email that disabling the pasting of passwords “is a security feature in order to prevent password phishing and brute force attacks.”

But accounts aren't broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.

Finally Western Union didn’t really provide any justification at all, and vaguely said that the procedure was carried out “in order to reduce risks when WU.com is accessed from home or multi-user environments.”

Although the companies may think they are helping their customers, the arguments for stopping users pasting their passwords are pretty weak overall.

“Companies constantly interrupt password managers, as they falsely believe they're improving the situation by forcing people to actually type passwords in,” Joe Seigrist, the CEO of LastPass, a password manager company, told WIRED in an email. (It’s important to point out that LastPass itself was hacked earlier in the year.)

But, what is more worrying is that when password managers are blocked on websites, a user might be more likely to just enter in a garbage, previously memorized password that has been used somewhere else.

“This all but forces people to use weak passwords that they can consistently and easily type. This also makes it much more likely a password will be reused,” Seigrist continued.

This is a problem because, time and time again, it is reused passwords that often lead to customers' accounts being compromised, rather than any giant, sexy hack of a company. When Uber accounts were found for sale on the dark web, they had been accessed because customers had used the same password on other services. As pointed out by security company Symantec, this was also the problem when Starbucks Card Holder accounts were drained of their finances.

Earlier this month, British Gas was also jumped on for not letting users paste their passwords. In fact, the company went so far as to say that “as a business we've chosen not to have the compatibility with password managers.”

The motivation was, at least in part, to stop its customers from accidentally setting up password that they hadn’t actually memorized.

Unfortunately, this makes the process of registering a unique password generated from a manager—which will, assuming the password manager itself doesn’t have problems, make a user’s account more secure—that much harder for the normal user. Presumably, British Gas realised this, because, after an outcry from a handful of security experts, the company changed its policy altogether.

Some managers can bypass these pasting restrictions in certain circumstances, and there are technical work-arounds to paste passwords onto sites that don't allow it. But those solutions are not going to be used by the everyday Internet user.

And besides, it looks like not many non-technical people use password managers anyway. In research presented this week at the Symposium on Usable Privacy and Security, a survey found that only 24 percent of “non-experts” used password managers, compared to 73 percent of the security experts asked.

It’s unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason. Sure, password managers are not perfect, but they are much better than reusing old memorized passwords. Companies should not only embrace password managers, but actively encourage their use.

Update on 7/26/15 at 1:41 p.m.: Added comments from T-Mobile alerting WIRED to the fact that the problem had been fixed on T-Mobile's site.

More Ways To Stay Safe