Why some websites are deliberately designed to be insecure

Passwords remain the bane of our lives. People print them out, they re-use them or slightly change them for different services, or they simply use the same one for decades.

On the other side of the coin, for most users of a service, it’s a pain to remember a password and a bigger pain to change it – and then have to remember a new one all over again as websites change, they get hacked and/or their security policy changes.

But while passwords are imperfect, they’re the least worst option in most cases for identifying and authenticating a user, and the best way of making them more secure is to use each password for only one site, and make them long, complex, and hard to guess. However, some websites are purposely designed to be less secure by subverting those attempts. Here’s why.

2FA doesn’t work

Two-factor (2FA) authentication is often seen as a more secure method of authentication but it’s patchy at best. For example, the division between enterprise and personal environments has today all but evaporated. In the course of their jobs, people increasingly access their personal services at work using their personal devices. And employers can’t mandate 2FA for access to Facebook, for example, which might well be the chosen method of communication of a key supplier, or a way of communicating with potential customers. All FB wants is a password, and it’s not alone.

Two-factor authentication is also less convenient and takes more time. You’re prepared to tolerate this when accessing your bank account because, well, money. For most other, less important services, adding barriers to access is likely to drive users into the arms of the competition.

Password persistence

So we’re stuck with passwords until biometrics become a pervasive reality. And maybe not even then – but that’s a whole other issue. The best solution I’ve come up with to the password problem is a password manager. Specifically, KeePass, which is a free, open-source, cross-platform solution with a healthy community of third-party developers of plug-ins and utilities.

You only have to remember one password and that gets you access to everything. So you only have to remember one single master password or select the key file to unlock the whole database. And as the website says: “The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”

It works on your phone, your PC, your Mac, your tablet – you name it, and it’ll generate highly secure passwords for you, customised to your needs. So what’s not to like?

Pasting problems

Here’s the rub: some websites think they’re being more secure by preventing you from pasting a password into their password entry fields. Some website security designers will argue that that passwords to access their service should not be stored in any form. But a password manager works by pasting passwords into the password login field.

The rationale for preventing password pasting is that malware can snoop the clipboard and pass that information back to the crooks. But this is using a sledgehammer to crack a nut because KeePass uses an obfuscation method to ensure the clipboard can’t be sniffed. And it will clear the password in a very short time – configurable by you – so that the exposure time can be very short; 10 seconds will do it.

In addition, as Troy Hunt, a Microsoft MVP for Developer Security, points out: “the irony of this position is that [it] makes the assumption that a compromised machine may be at risk of its clipboard being accessed but not its keystrokes. Why pull the password from memory for the small portion of people that elect to use a password manager when you can just grab the keystrokes with malware?”

In other words, preventing pasting is counter-productive; it’s reducing security. Don’t believe me? Check out this scenario.

Insecure by design

So if you can’t paste a password in, what do you do? If you use a password manager, which is probably the most secure way of storing passwords today and puts you way ahead of the game, you open up the entry for that service in KeePass, expose the password to any prying eye that happens to be passing, and copy in the password – which is likely to be long and complex – manually, character by character. Probably takes a few minutes.

Can you see anything wrong with that? If you’re sitting in a crowded coffee shop, for example?

Yup. A no-paste policy is annoying, slow, prone to mistakes, and highly insecure. Worse, it’s likely to be the security-conscious – those using password managers and the like – who are most affected. Even a simple file full of passwords – hopefully encrypted – and tucked away in an obscure location is likely to be more secure than the method many if not most people use: re-using common, easily memorable passwords.

I’ve had discussions about this with one major UK bank which implemented a no-paste policy and seems since to have reversed course – whether as a result of my intervention (and no doubt that of others too) I have no way of knowing.

Say no to no-paste

So if you encounter a website that does not allow you to paste in a password in a mistaken bid to add security, point out to them that in effect, they’re forcing people to use weak passwords that they can remember, which will be less secure.

As Troy Hunt says: “we’ve got a handful of websites forcing customers into creating arbitrarily short passwords then disabling the ability to use password managers to the full extent possible and to make it even worse, they’re using a non-standard browser behaviour to do it!”