Code & Bug FixesLife StyleSoftware and Apps

Let them paste passwords!

National Cyber Security Centre recommends that copying passwords enable improve security.

NCSC, a part of GCHQ, of the UK Government; has recommended that people be allowed to copy-paste their passwords. 


Most websites, including banks, prevent users from pasting a password. Most people find it utterly annoying, and for years now; nobody has been able to explain exactly how it improves security in anyway.

Researchers at NCSC now believe stoping password pasting (SPP) actually reduces security. They recommend that customers be allowed to paste their passwords into forms, which improves security.

Generally, the justification provided for SPP are:

  1. Password pasting allows brute force attacks

If password pasting is allowed, it represents a vulnerability where malicious software or web-pages could repeatedly paste password guessed into password box until they break your password. But, there are other ways to make guesses (for eg., through API) that are just as easy to setup and much faster at guessing. The direct risk of brute force due to copy paste is negligible.

2.Passwords would be available in the clipboard

When you copy-paste, the content is stored in a ‘clipboard’. Any software on your computer has access to this clipboard, and can access the content in it. Copying any content generally overwrites the previous content.

This too is a negligible risk because:

  • Most such malicious websites obtain access when browsed on IE6. Most people today do not use Internet Explorer.
  • If your computer is infected with malicious code, having access to the clipboard is the last of your worries. Even simple ones could contain a keylogger feature and be tracking your every stroke anyway. They would steal your passwords anyway, so SPP is really helping much.

Although recommending pasting of passwords could be considered an over simplification of the threats involved, most infosec advisors today agree that present day threads are no more single-dimensional attacks like brute-force. Most websites, which work on SSP, have more fundamental flaws on their backend code and routing protocols, which are easy worms to pick for any elements seeking to access their customer database and details.


Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *