Published on 2024-06-14
A trend that has seen increased adoption in the Web is that of disallowing pasting text in password inputs. In fact, it's a trend that was already mentioned, and condemned, almost a decade ago according to the following WIRED article:
Websites, Please Stop Blocking Password Managers. It's 2015
Banks, experts at adopting bad practices late, have not waited (more than 10 years) to implement the latest trend. Two of the local banks, of which I'm a client, already restrict pasting my 30-character long, high entropy password from my password manager. No sir; they, in their infinite wisdom, consider that it's more secure® that I choose a password that's simple enough to remember and type every time or, alternatively, that I use their questionable apps that can only be downloaded from Google's or Apple's stores.
But nothing new until now. The novelty came when, after emailing both banks to express my discontent with the situation, one of them decided to revert the change.
The first bank decided to reply something reducible to "'Kay thanks", and then, I guess, proceeded to redirect my message to /dev/null. The second one replied the following:
this update better protects the security of clients, their data, and their accounts, given that someone that doesn't really know the password won't be able to access the site "pasting" it
Since they at least wrote a full reply, however incoherent, I decided to insist once again; this time linking to several publications that discourage the practice and explain why:
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#password-managers
https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#password-managers
https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-enhanced
Their last response said that they would escalate the complaint and get back to me within 30 days if any measure was taken. Time went by and I assumed that was the end of the story. Big surprise, though, when I logged in through the mobile website a couple of months later and I was able to paste my password. They never let me know of the update nor did they admit that it was because of my message, but I'm counting this victory as mine.
I wonder what's the decision-making process that leads to implementing a feature like this in a bank, none other than a bank!, only for it to be reverted shortly after based on a couple of links that I got together in 5 minutes. I don't want to be ungrateful when they finally listen to their customers and act on it, but the whole thing leaves much to be desired.
Next step: convince them to support third-party 2FA applications...