• nucleative@lemmy.world · +17 · 4 days ago

    My bank uses a TOTP and they not only block paste, they also block all typing. Instead they pop up a modal with a 0-9 digit keypad, and the location of each number changes every time.

    Effing obnoxious.

    • Shapillon@lemmy.world · +9 -3 · edited · 3 days ago

      That’s a security standard preventing keyloggers from guessing your credentials.

      • cm0002@lemmy.world (OP) · +11 · 3 days ago

        That’s a security standard theater pretending to prevent keyloggers from guessing your credentials.

        FTFY

      • nucleative@lemmy.world · +5 · 3 days ago

        The TOTP changes every time. For modern TOTP hashing, I’m not sure how many sequential codes a keylogger would need, but I’m guessing more than I will ever enter.

        Edit: asked AI for an answer to that because I was curious (maybe it’s right):

        Start AI

        That being said, if an attacker were able to collect a large number of TOTP codes, they might be able to launch a brute-force attack to try to guess the private key. However, this would require an enormous amount of computational power and time.

        To give you an idea of the scale, let’s consider the following:

        • Assume an attacker collects 1000 TOTP codes, each 6 digits long (a common length for TOTP codes).
        • Assume the private key is 128 bits long (a common length for cryptographic keys).
        • Assume the attacker uses a powerful computer that can perform 1 billion computations per second.

        Using a brute-force attack, the attacker would need to try approximately 2^128 (3.4 x 10^38) possible private keys to guess the correct one. Even with a powerful computer, this would take an enormous amount of time - on the order of billions of years.

      • cm0002@lemmy.world (OP) · +5 · 4 days ago

        Lmao I was just about to comment, their bank must have hired a UX designer from Jagex lol

    • Stovetop@lemmy.world · +84 · 5 days ago

      You can’t copy our JPEGs! That’s stealing! If you want to look at these JPEGs whenever you want, you need to register for an account and tag your favorites so we can monitor your viewing habits and sell your personality profile to advertisers and government entities!

    • 50MYT@lemmy.world · +16 · 5 days ago

      Or training videos that pause if the window playing the video is not the last thing clicked on.

  • __init__@programming.dev · +54 · 5 days ago

    I ran into this when trying to paste my generated password into the password field on some kind of financial site and I think it is still the most egregious case of security theater I’ve seen yet.

    Anyway, you want the “don’t fuck with paste” extension, available on both chrome and firefox.

    • maccentric@sh.itjust.works · +42 · edited · 4 days ago

      You don’t need this. In about:config, set dom.event.clipboardevents.enabled to false. No add-on needed.

      • __init__@programming.dev · +1 · 4 days ago

        Nice, didn’t know about that one. I imagine there are side effects to disabling it globally though? Those goofy OTP code inputs implemented as six single-digit inputs jump to mind; they probably rely on the paste event. The extension works similarly but lets you only enable it for problematic sites.

        • brygphilomena@lemmy.world · +5 · 4 days ago

          I have an AutoHotkey script that I always have running. It just takes my clipboard and sends the key presses to type it in when I press Ctrl+Shift+V.

          It gets me around most of this sort of bullshit.

        • maccentric@sh.itjust.works · +1 · edited · 4 days ago

          I just found it recently when DFWP failed to allow me to paste on a site (which happens quite often in my experience). I had the same thoughts about this setting but so far I haven’t noticed anything. I keep it open in a tab in case I need to toggle it though.

    • JasonDJ@lemmy.zip · +2 · 4 days ago

      Yep. It’s always when I’m adding a payment method to like a credit card or something.

      The ones that are web-based and block password vault auto fill…on desktop…those really grind my gears.

      Also, is it me, or is Android really bad about detecting when something is a username/password field and the vault auto fill should be suggested?

  • layzerjeyt@lemmy.dbzer0.com · +14 · 4 days ago

    My impression from when I’ve encountered this is that it is an attempt to repel bots.

    Speculating/knowing about the reason doesn’t help when I’m confronted with having to input the password *6mA*P7CCuVyHo8kh%x34!63wm23&uhzSMY3Xy3$*8^%7j$VeH^7

    • nucleative@lemmy.world · +11 · 4 days ago

      Bots don’t paste. If it’s a Selenium-related bot, it would inject the value or type out each keypress.

      It only causes real users pain.

    • MouldyCat@feddit.uk · +12 · 4 days ago

      > My impression from when I’ve encountered this is that it is an attempt to repel bots.

      Hmm, bots don’t use keyboard or mouse copy & paste, so I don’t see how that makes sense?

      My impression is this is just stupid product managers who don’t understand why it’s a bad idea to force all your users to manually type out their passwords or email addresses just because of the 0.1% of people who would copy and paste one with an error in.

    • JasonDJ@lemmy.zip · +4 · edited · 4 days ago

      Weird, that’s one character off from my Paramount+ password. I know from typing it on every fucking STB and console that I own and painstakingly quadruple-checking each character when it fails.

      You’d think I’d just change to a passphrase but nah. Ain’t nobody got time for that. Too busy ranting about user unfriendly problems that shouldn’t exist in modern STB apps.

  • Laurel Raven@lemmy.zip · +11 · 4 days ago

    Let’s be real, though: it’s not the dev we should be mad at, but some suit who thinks they know security demanding it be done that way.

    • Dagwood222@lemm.ee · +3 · 3 days ago

      Most of the problems in the modern world could be solved if the front line people could talk to each other directly.

      Suits are the bottleneck.

  • Alexstarfire@lemmy.world · +34 -9 · 5 days ago

    TBF, I kind of get it. If someone is using a public computer you wouldn’t want someone to be able to sign into a site they left open because they copied their password.

    However, this won’t prevent anyone from copying the password into something like notepad and just typing it out. So in the end, it’s useless and makes things less user friendly. Which is what I expect these days.

    • hikaru755@lemmy.world · +21 · 5 days ago

      I suspect the reasoning for it was more along the lines of “if you’re pasting the password, that means you probably saved it in a text file on your desktop or something, and you shouldn’t do that, so let’s stop you from doing it”. In reality, it probably didn’t work to make anyone store passwords more securely, and only made life unnecessarily harder for people with password managers.

    • Kairos@lemmy.today · +7 · edited · 4 days ago

      1. User pastes something into site
      2. data still pasted as normal
      3. JScript event clears clipboard and tells user that their clipboard was safely cleared.

      Literally just as secure and better behavior. Just use your brain for a few seconds.

      Edit: Actually it’s MORE secure because disallowing paste leaves the password or whatever in the clipboard without the user necessarily realizing it…
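Added example, not code from anyone in this thread: the three steps above written as a browser `paste` handler, side by side with the plain "cancel the paste" pattern the thread is complaining about. It runs under Node, so the `<input>`, the `ClipboardEvent` and `navigator.clipboard` are replaced by small constructed stand-ins (labelled in the comments); in a real page you would register the handler with `passwordInput.addEventListener('paste', handler)` and clear the clipboard with `navigator.clipboard.writeText('')`, which needs a secure (HTTPS) context. The function and field names are this example's own.

```javascript
// Stand-in for navigator.clipboard (constructed). The real writeText() is
// async and permission-gated; the call shape is the same.
function makeClipboard(initialText) {
  const clip = { text: initialText };
  clip.writeText = (t) => { clip.text = t; return Promise.resolve(); };
  return clip;
}

// Stand-in for an <input type="password"> (constructed): an EventTarget
// carrying a value and a place to show the user a notice.
function makeField() {
  const field = new EventTarget();
  field.value = '';
  field.notice = '';
  return field;
}

// Pattern 1: the paste blocker. The field stays empty, and the secret is
// still sitting on the clipboard afterwards (the objection raised above).
function blockPaste(ev) {
  ev.preventDefault();
}

// Pattern 2 (the three steps above): do not cancel, so the browser inserts the
// text as normal; then wipe the clipboard and tell the user it was wiped.
function makePasteThenClear(field, clipboard) {
  return (ev) => {
    // Deliberately no preventDefault(): the default action performs the paste.
    clipboard.writeText('').catch(() => {});
    field.notice = 'Pasted. Your clipboard has been cleared.';
  };
}

// Drives one paste the way a browser does: snapshot the clipboard data, fire a
// cancelable 'paste' event, then apply the default action only if no handler
// cancelled it. dispatchEvent() returns false when preventDefault() was called.
function simulatePaste(field, clipboard, handler) {
  const text = clipboard.text;                 // what the event carries
  field.addEventListener('paste', handler);
  const ev = new Event('paste', { cancelable: true });
  ev.clipboardData = { getData: () => text };  // stand-in for ClipboardEvent.clipboardData
  const allowed = field.dispatchEvent(ev);
  if (allowed) field.value += text;            // the browser's default action
  field.removeEventListener('paste', handler);
  return { value: field.value, clipboardAfter: clipboard.text, notice: field.notice };
}

// Run both patterns on the same constructed secret and return the two outcomes.
function compareBehaviours(secret) {
  const blocked = simulatePaste(makeField(), makeClipboard(secret), blockPaste);
  const field = makeField();
  const clipboard = makeClipboard(secret);
  const cleared = simulatePaste(field, clipboard, makePasteThenClear(field, clipboard));
  return { blocked, cleared };
}

console.log(JSON.stringify(compareBehaviours('hunter2 (constructed sample)'), null, 2));
```

The output makes the difference concrete: with the blocker, `value` is empty and `clipboardAfter` still holds the secret; with paste-then-clear, `value` holds the secret, `clipboardAfter` is empty and the notice is set.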

    • Honytawk@lemmy.zip · +5 · 4 days ago

      Public computers should just have their pastebin locked.

      They shouldn’t mess with things on my personal computer.

      • AwkwardLookMonkeyPuppet@lemmy.world · +11 · 4 days ago

        No they shouldn’t. They should require a guest account that clears the session on logout. If you fail to log out when you’re finished, well, mistakes have consequences. I’m tired of being handcuffed so incompetent people can have their hands held.

  • Dagnet@lemmy.world · +17 · 5 days ago

    Came here hoping someone would explain how to use dev tools to remove that block, or if there’s an add-on for that. Really hate this kind of restriction.

    • taaz@biglemmowski.win · +10 · 5 days ago

      Firefox often lets you bypass this shit by holding Shift + right click, or select the text you want to paste and drag and drop it into the field.

      • Dagnet@lemmy.world · +3 -1 · 5 days ago

        Man, that extension fucked with my Vivaldi. I couldn’t send msgs on Twitch, couldn’t delete cells on Google Sheets and spent like an hour trying to figure out what caused it. Not worth the trouble tbh.

        • morrowind@lemmy.ml · +2 · 5 days ago

          Also on Vivaldi, I now have three extensions that destroy half the pages on the web (and save the other half). With a little bit of whitelisting or just temporarily enabling, they work fine.

    • ADTJ@feddit.uk · +2 · edited · 4 days ago

      if you don’t want to or can’t use extensions, just right click > inspect on the password field, then right click the element highlighted in the HTML and click “use in console” or “store in global variable” depending on browser

      it’ll put something like

      ```
      temp0
      ```

      into the console

      just change that line to

      ```
      temp0.value = "yourpassword"
      ```

      and press enter

      it sounds verbose to explain but it's just a couple of clicks and one command, if you're using a password manager it's still a lot easier than typing out a random string and it should work with most text boxes and inputs, might not work if the page is doing something fancy.
      
    • brbposting@sh.itjust.works · +2 · 4 days ago

      On macOS:

      Love that Keyboard Maestro has an “Insert Text By Typing” feature/macro where text streams from your cursor :)

  • Beacon@fedia.io · +15 · 5 days ago

    You can sometimes do it anyway by right clicking (or long hold tap) on the text field to get a contextual menu popup

    • cm0002@lemmy.world (OP) · +19 · 5 days ago

      They’ve started blocking that too on phones, which is what led to this meme lol. Curiously, Gboard has a little button on the top row that shows for freshly copied text when you go into a text field that still works; Gboard must not send the text as a paste when it’s done that way. But it’s only visible once.

      • PoolloverNathan@programming.dev · +2 · 5 days ago

        Unexpected Keyboard has a similar optional key — which website are you using with this behavior? I wonder if pasting from it would trigger the detection. Also, it lets you bind strings to keys — I wonder if that would act in a similar manner.

        • cm0002@lemmy.world (OP) · +1 · 5 days ago

          So far, it’s worked wherever I’ve encountered the “advanced” paste blocking. Just recently, my bank loan payment form has done this, so I needed to use the “last resort” option lmao

    • cm0002@lemmy.world (OP) · +4 · 4 days ago

      Lol yea the comic artist needs to come up with a follow-up 4panel with extra-extra-hell lmao

    • A7thStone@lemmy.world · +4 · 4 days ago

      If you are using Voyager you can hold down on the comment or hit the three dot button and you’ll get a menu that gives you a “select text” option. I was annoyed by that until I found it.

        • ChaoticNeutralCzech@feddit.org · +2 · edited · 4 days ago

          You actually have multiple options. They all work for posts and comments.

          • ⋮ / View Source
          • Reply (above the text field, the source of the parent post/comment is visible and selectable)
          • ⋮ / Copy / Copy Comment Text (for a copy-all operation, obviously; you can also copy permalinks, post titles and URLs)

          How did you not notice? Also, it’s expected behavior that you can’t just copy text from the comment view, and making it work with rendered Markdown would be difficult.

            • ChaoticNeutralCzech@feddit.org · +2 · 4 days ago

              They might be new to Lemmy, the account is less than 2 weeks old… but I always snoop around the options of apps soon after I install them. My phone can’t send an ICBM launch order so it’s usually fine but I don’t know about theirs.

              • Victor@lemmy.world · +1 · 4 days ago

                > I always snoop around the options of apps soon after I install them

                I’m the same. Always looking to get the full experience out of stuff I use.

                > My phone can’t send an ICBM launch order so it’s usually fine but I don’t know about theirs.

                lol what, is this a thing?

          • big_fat_fluffy@leminal.space · +1 -1 · 3 days ago

            Those are rather awkward options. Standard functionality is preferable, even with loss of markdown.

            I think it’s a detail that the dev just hasn’t yet addressed.

            • ChaoticNeutralCzech@feddit.org · +1 · 3 days ago

              This is not standard functionality, dude. Very few Android apps make comments etc. selectable in the default view.

              Most people prefer swipe gestures and hold-for-context-menu, and Markdown rendering is important. Have you tried to follow a table in non-rendered MD?

              • big_fat_fluffy@leminal.space · +1 -1 · edited · 3 days ago

                I think that tap-hold to select text and raise context menu is a function of every text-using app I’ve got.

                • ChaoticNeutralCzech@feddit.org · +1 · 3 days ago

                  Well, looks like there are a lot of apps you are not using. For example, Messaging. Or any of the non-browser YouTube clients on Android (RVX, NewPipe, Grayjay).