
    430 points tambourine_man | 23 comments
    calgoo ◴[] No.41879171[source]
    I always liked the 1Password word passwords… you select the number of words and it generates each word in upper OR lowercase, and connects them with symbols or numbers. Easy to memorize, and better than KeePass or others that use more fixed formats: same characters between words, and words are just in title format where the first letter is upper case and the rest is lowercase.
    replies(5): >>41879306 #>>41879343 #>>41879408 #>>41879433 #>>41879512 #
    jorvi ◴[] No.41879408[source]
    The problem is that many sites still use archaic password rules.

    1Password should by default just always capitalize one word, and add “1” at the end of the memorable password. Since the words are separated by “-” or “.”, you already hit the “at least one symbol” rule.

    replies(3): >>41879566 #>>41880012 #>>41883980 #
    1. dark-star ◴[] No.41879566[source]
    I especially like sites that disallow pasting into password fields... Yes, that is apparently a thing, especially for banking or finance related sites (from my experience)
    replies(7): >>41879659 #>>41879830 #>>41880113 #>>41880189 #>>41880542 #>>41881749 #>>41881852 #
    2. yojo ◴[] No.41879659[source]
    For a while, the login for TreasuryDirect (the gov site for buying US bonds) disabled paste and typing! It required you to click out your password on an onscreen keyboard.

    I pity the folks who don’t know how to use dev tools.

    replies(2): >>41879902 #>>41880725 #
    3. nerdjon ◴[] No.41879830[source]
    I despise sites that disallow pasting into fields.

    Banks seem to really like to not allow you to paste direct deposit information, which is insane. I get that they likely are thinking, well, we don't want you to type it into the first field and copy it into the second.

    But I am copying it right from my bank's website, being forced to type it twice is just going to make it more likely I enter an error and I can guarantee you I am looking at that first field when I am typing the verification one.

    replies(2): >>41880243 #>>41880949 #
    4. commandersaki ◴[] No.41879902[source]
    Good on 'em for doing a complete 180 on that. Bank of Melbourne has stated that using a Password Manager is a violation of their Terms of Service (as people have complained about the non-pasteable/autofill fields).
    replies(1): >>41911262 #
    5. cameronh90 ◴[] No.41880113[source]
    I've been working in finance for 15 years, and the amount of security theatre we're forced to do by various parties is monotonically increasing year by year.

    The way it works is you have a hundred government regulators around the world, full of underpaid bureaucrats straight out of school, who introduce vague, poorly thought out requirements. The consequences of non-compliance often being existential for the business: you can lose your license, your clients, and in some cases, your freedom.

    Next a bunch of lawyer/compliance-y types take those requirements from around the world and try to distil them down to a specific (but onerous) set of controls by interpreting the guidelines cautiously. Obviously all they care about is making sure that if you do get popped, you can claim you did everything in compliance with the regulations and you get to continue trading.

    Often these rules are transitive too, so you need to have some level of certainty that the other parties in your supply chain are also compliant, so independent auditors spring up to provide some third party accreditation. Your CFO sees this purely as a cost and doesn't want to pay much for it, so the pressure is to make this auditing as simple as possible, so their checklists become oriented around things they can easily check to demonstrate compliance with a particular control.

    So some original requirement like "it should not be possible to share passwords between multiple users" ends up being bastardised down the chain until the item on the checklist is "don't allow pasting into the password field". Obviously by this point, everyone's actually forgotten why that checklist item was created, so even if the original requirement disappears, the checklist item lives on, often, forever.

    It's only in rare, high profile circumstances where a previous requirement is explicitly and noisily repudiated that old items tend to disappear. Even then it can take years. I'm still having to fight back auditors asking for mandatory monthly password changes, for example, in a system that uses passkeys...

    6. bruckie ◴[] No.41880189[source]
    I'm a big fan of the "Don't mess with paste" bookmarklet that I got from this thread a while back: https://news.ycombinator.com/item?id=38014653

    One click and I can paste anyway. Nyah nyah nyah nyah nyah nyah.

    replies(1): >>41880917 #
    7. ryandrake ◴[] No.41880243[source]
    Why is this even allowed by browsers?

    The web developer should not be able to disable pasting. Just like they should not be able to disable autofill, and other features that the user wants and has enabled.

    So many things web sites do that are counter to the user's expectation, where I think to myself: Why even have that lever?

    replies(1): >>41911308 #
    8. ◴[] No.41880542[source]
    9. nytesky ◴[] No.41880725[source]
    You buried the lead there:

    A required on-screen keyboard with RANDOM GENERATED LAYOUT.

    replies(2): >>41902283 #>>41911277 #
    10. kyleee ◴[] No.41880917[source]
    Brave has a ‘force paste’ option in the right click context menu, that way you don’t need an extension. Awesome feature
    replies(1): >>41881934 #
    11. kyleee ◴[] No.41880949[source]
    There is a force paste context menu in brave. Firefox should copy the feature as well, if they still have anyone who works on new features for the browser.
    replies(1): >>41881819 #
    12. graftak ◴[] No.41881749[source]
    A less vicious but similarly dumb ‘ux/security’ measure is when the password being entered only registers after a key event fires while the field is in focus. An event that never occurs with password manager autocomplete, making the user add a random character and then remove it.
    13. ziddoap ◴[] No.41881819{3}[source]
    Firefox has had this feature for a long time.

    Set dom.event.clipboardevents.enabled to false in about:config.

    replies(1): >>41883881 #
    14. benced ◴[] No.41881852[source]
    It's slower but out of spite I usually go into the console and remove the `onpaste="false"` nonsense from their markup.
    15. encom ◴[] No.41881934{3}[source]
    Why is disabling paste even a thing that a website is allowed to do?
    replies(1): >>41882283 #
    16. samatman ◴[] No.41882283{4}[source]
    I'm aware of one case where it's a useful feature: the "type this name to delete" form on GitHub (found elsewhere as well).

    The purpose, which is to make sure the user knows what they're deleting permanently, is defeated if they can copy the end of the URL string and paste it straight in. Adding a bit of friction there is helpful.

    The actual answer to your question is more like "someone thought it was a good idea and now we're stuck with it", though. More browsers should offer a force paste in the context menu, because when all is said and done, it's my browser, and if I want to do something, I should be able to do it.

    replies(1): >>41882798 #
    17. skydhash ◴[] No.41882798{5}[source]
    > I'm aware of one case where it's a useful feature: the "type this name to delete" form on GitHub

    While I like the dialogue, it’s only a step up over a confirmation dialog (forcing you to switch from clicking to typing). So disabling paste doesn't add anything to that. I’d rather they have a trash section so I can undelete or force remove the project.

    18. jorvi ◴[] No.41883881{4}[source]
    That is not the same. On Brave it is just a right click and then "force paste".

    Plus, I suspect that setting disables the buttons on sites that copy the entire field to your buffer.

    replies(1): >>41884420 #
    19. ◴[] No.41884420{5}[source]
    20. jakub_g ◴[] No.41902283{3}[source]
    For whomever is interested, IIRC, this requirement of random layout came up in late 2000/early 2010 due to:

    - keyloggers (safer to click instead of type -> on-screen keyboard then)

    - but then it turned out Internet Explorer had a bug which allowed attackers to read the mouse click events' X/Y coordinates in other windows which then could be mapped to the on-screen keyboard digits if the layout is predictable

    21. magnetowasright ◴[] No.41911262{3}[source]
    Last time I had the sincere displeasure of having to use Bank of Melbourne, their password rules included that you couldn't have repeated letters, so if you were trying to use a passphrase like correct-horse-battery-staple it would not allow the double r in correct or double t in battery. The rest of their password rules were abhorrent like all financial institutions, but that one in particular irritated me to no end.
    22. brokenmachine ◴[] No.41911277{3}[source]
    ING Bank Australia still does that.

    And it also makes my laptop's fan spin up for about 5 seconds on the page load or reload. No idea WTF they're doing - cryptomining?

    https://www.ing.com.au/securebanking/

    My password manager appears to type the access code successfully but you can't click on login until you click on the stupid keypad.

    23. brokenmachine ◴[] No.41911308{3}[source]
    It all started with <blink> and it's been downhill ever since.