I encountered that a couple of months ago on a major bank website. The irony was that the PW set fields allowed it, so I dumped a random KeePass-generated PW in and then had to manually enter that bastard when I wanted to log in. Fortunately I figured out pretty fast that Chrome would override that with ctrl-v.
I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts rather than something they would actually do, like edited packet replays.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
I can only think that some fool assumes that hackers would use their web interface to attempt to brute-force accounts
I was recently on a gov't web site (related to student loans) which also blocked the paste field.
It is so annoying and actually shows that the person who created the thing doesn't understand how password hacks are done.
So, again, these sites actually punish you for having a more complex (and longer) password which is very difficult to type.
There is no point in having a Confirm password box if you can copy and paste the main password box... as an error in the first one would be duplicated in the second one.
The purpose of the Confirm box is to ensure that you are able to write the same thing twice which is really a good thing as if you are not able to do that when you register, then how hard would it be to type the password when you login the next time?
Well, at least it should not be possible to copy or cut a password...
Only pasting them might be a good compromise for those who trust password managers...
That way, you have the main advantage of making it harder for users to manually copy one field to another while filling the form (thus preventing mistyping from being permanent) while allowing pasting from other sources...
Consider also, typing your password on your phone or device. It's quite terrible to have to do it if you have a long / complex password. I believe apps and sites should allow paste always. Doing otherwise encourages users to use easy-to-type passwords which are most likely weak.
Well, say that you find a password.txt file on someone else's computer and it has about 10 passwords in it... It is not hard to imagine that some people might be tempted to try to copy and paste those passwords in some site...
Thus, there are ways that improve security for computer power users that are not real hackers or not even programmers...
say that you find a password.txt file on someone else's computer and it has about 10 passwords in it... It is not hard to imagine that some people might be tempted to try to copy and paste those passwords in some site...
Or they may even type them in.
I wanna be a eunuchs developer! Pass me a bread knife!
Is there something that I'm missing here or is it simply a case of a dev team making some really, really bad UX decisions?
They probably wanted to avoid looking 'careless' and went overboard with being 'correct'.
Requiring the password to be entered and repeated manually can avoid (a little) trouble by making certain that the user was actually able to type the password twice without error. Also, as I only rarely register at some sites at all, it might be the perfect method to make me think again about registering.
"I don't know, extraterrestrial?"
"You mean like from space?"
"No, from Canada."
If software development were a circus, we would all be the clowns.
Probably just bad UX decision.
It is apparent some people consider it good security.
Perhaps even the management/design team/customer that ordered that web site thought it so and insisted to be so.
Or maybe it was just the work of an intern new developer...