Let Me Paste My Password

An unfortunately common tactic taken by websites in a misguided attempt at security is to prevent pasting a password. The NIST officially recommends against this.

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

I ran into this personally a few days ago. An organization I belong to forced a password change. Upon generating my random password, I was unable to paste it into the field. I decided to reach out to the organization, pointing out that this actually encourages worse passwords, not better ones.

Their initial response:

Thanks for reaching out. [Our] decision on updating the password requirements comes from an increase in security requirements. The extended minimum length, mandatory special, upper, lower and number characters, and one year life span increases the complexity and lowers the chance of any breach attempt. We do not allow copy and pasting due for security reasons. Viruses, Malware, and other intrusive programs can copy all data saved to the clipboard for later use. Furthermore, users may by accidentally past their password to their username and save it as auto fill, thus view-able to other programs.

This is always the response. “Security reasons.” Of course neither of the examples they game me make any sense.

  • If you have malware on your computer, it does not need to steal from the clipboard. It can just log keystrokes.
  • Users can accidentally type their password into the wrong field. I have seen this happen. Particularly among users with poor typing skills. They almost never look at the screen.

I raised these objections. The response back:

Thanks for getting back to us. We do not allow copying an pasting passwords upon creating as to mitigate possible typos and for security. Yes as key loggers would most likely be user use on a comprised computer, we still want to mitigate any other possible problems. After creation users who use complex passwords are more than welcome to copy and paste their password on the login page though.

So in order to prevent typos, they require you to type. Um? You know how to guarantee you aren’t making a typo? Copy and Paste!!!

I gave up on the communication at this point. I ended up manually typing my extremely long and complex password into the form. But how many users will do this versus just give up and type out P@ssw0rd1 instead? After all, it meets all of the requirements, and it sure is easy.

If you run a website or service that uses passwords, I beg of you. Read the NIST guidelines. Please help those of us who are trying to teach users good security habits.

Apps for May 2018

I use a ton of apps, and I very frequently move between them. I like trying out new things and knowing what else is out there. So I’m going to do a regular check in on what I am using. These aren’t necessarily recommendations, as I don’t feel I can recommend something without knowing a person’s workflow. But I do think these are worth trying out.

  • Mail: Spark is the only third party mail app I use that is available on both mobile and desktop, has the features I want, and is stable enough for day to day use. Not sure why so few mail apps have integration with other apps and services, but Spark does.
  • Calendar: Fantastical. Nothing beats the natural language entry. I can copy and paste sentences from an email and it figures out the event details.
  • To Do: Things really wowed me with their recent automation release. It’s also beautiful.
  • Notes: Bear is perhaps my favorite new app. So many notes apps are bloated, slow, or ugly. Bear is none of those things. It has great integration with other apps and supports some great automation workflows. Notes are plain text, so you are not locked in.
  • Writing: Ulysses is where I write these very words. A great app for drafting and organizing my blog posts, as well as writing for my day job.
  • Storage: DEVONthink is one of those power user apps that can do almost anything. When I moved from Evernote I sent notes to Bear, and everything else here. It’s my “everything” bucket.
  • Password Manager: 1Password is the longest running app I have ever used. I’ve been on it since the original release. I wouldn’t say you need any apps on this list with one exception. You need this one.
  • Finance: Banktivity has been on my home screen since back when it was called iBank (and on my Mac before the iPhone even existed).
  • RSS: On iOS I use Fiery Feeds, and on the Mac Reeder. Inoreader is my sync engine.
  • Read Later: Pocket won me over as a longtime Instapaper user. I still like Instapaper, but being owned by a social network makes me very nervous. Mozilla owns Pocket, and I trust their motivations more.
  • Podcasts: Pocket Casts is my current daily podcast app. I jump around a lot here. Pocket Casts wins in large part because of Sonos integration. I still love Overcast too, but Pocket Casts checks more boxes. I feel like Pocket Casts gets overlooked because it is also an Android app and many of those on iOS are terrible ports. This one isn’t. It’s a good iOS citizen. I also like the queue management better than Overcast, though not as much as Castro’s.
  • Running: I record with the built in Apple Watch app, because unlike the others I never experience crashes with it. Then I use RunGap to sync it to the services I use.
  • Automation: A combination of Drafts 5 and Workflow. Don’t know what I would do without them.

A Fresh Beginning

I’m hitting the reset button. My old blog was getting stale. I wasn’t updating nearly as often as I wanted to. The old site was a WordPress site. WordPress gets a bad rap, mostly because too many sites get setup and never secured or patched. I was pretty good about that, but it still wasn’t working for me anymore.

WordPress felt heavy. As I tried to make my pageloads faster and my security headers more strict, I was constantly running up against the heaviness of a CMS generated webpage.

So I am trying out Hugo. I like the idea of returning to simple, static pages. I write in Markdown anyway, so why not use a site generator that accepts it natively. I also am using a very lightweight theme that uses no trackers. Simple, secure, and clean.

I’ve also decided not to import the old posts. Most were outdated, and many of the series I wanted to run were never finished. Also, there was a mix of personal and professional on there. Going to stick more toward the professional side here, but still with my own voice.

This allow allows me to do something else I have wanted to do, which is license my writing under Creative Commons. I wasn’t comfortable doing this with personal posts. The new license does not cover the old content. Just this reborn version of the site.

I’m going to try to commit to posting more often, and for those to be more useful. Also I am still in the process of grokking Hugo’s fullness, so there may be some wild changes to the site until I get more comfortable with how it works.