Let’s make password managers ubiquitous! #NeverTypePasswords

Over a million users across the world use Enpass on a variety of devices running on different platforms. A lot of you also use other passwords managers – some of them are fine products, we agree.

But this is not about Enpass, but about everyone who uses a password manager.

First up, big props to you for understanding the need for strong, unique passwords on the Web. Second, you’ve realized that by using password managers to store complex passwords, you don’t have to remember them or type them yourself when needed (which in turn allows you to use stronger passwords). Security experts too encourage the use of password managers which allows for the use of complex and unique passwords.

However, some developers are spoiling our party.

We’ve seen a lot of users of password managers complain about some apps and websites that do not allow pasting a password from the clipboard. It is medieval security practice that is irrelevant today. The forced typing means that users are forced to use easier, memorable passwords – totally against the idea of using password managers in the first place.

And this needs to stop. We want you to #NeverTypePasswords.

If your bank or email service or favorite app does not allow you to type passwords on the pretext of security, call them out. Send them link to this post, tell us about them in the comments, and tweet about them with the hashtag #NeverTypePasswords.

On our part, we’ll compile a list, and reach out to them, educating them about the need to allow pasting passwords.

Let’s make the internet a better and secure place to be in. Let’s make password managers – Enpass and others – ubiquitous!

 

Comments

Aaron 9 months, 2 weeks ago

What are some examples of websites that don't allow pasting text into the pw field? I don't think I've ever come across this but would be curious to see one!

Reply

Jim 9 months, 2 weeks ago

The National Lottery in Ireland will allow auto fill to log in but once logged in and you have to re enter your password autofill and copy/paste will not work at all.

lottery.ie

Reply

Alex Hansford 9 months, 2 weeks ago

Many banks split password fields into several sections to deliberately make it hard to automatically log in using a secure password.

One potential interim fix would be to open a pop-up window which shows the stored password (including the character number) to make it easy for users to enter the corresponding elements without thinking too hard about it.

Otherwise if it's too cumbersome to use it, we'll just go back to insecure passwords + number + symbol just to appease medieval password policies!

Reply

DarkStar 9 months ago

"One potential interim fix would be to open a pop-up window which shows the stored password (including the character number) to make it easy for users to enter the corresponding elements without thinking too hard about it."

Not a bad idea. I really dislike masked passwords and some banks use that system (Alior Bank in Poland). The system itself is actually secure - they don't store the passwords in plain text and don't decrypt them during authentication. It's very clever appliance of mathematics (https://zaufanatrzeciastrona.pl/post/kryptografia-hasel-maskowanych-czyli-magia-matematyki/ - in Polish). But it still sucks for the end user and makes people use weak passwords, so it should go away. At least give us a choice.

Reply

Albo P Fossa 9 months ago

Agreed, Alex. We've run into a number of financial (and medical) websites that do not accept pasted usernames or passwords. I suppose they (their website developers) may think it a member of extreme security to enforce human typing: in my mind's eye I can see it. It doesn't make sense when using the site from a public area where a nefarious watcher can watch one type sensitive information. OTOH, it doesn't make sense that one would logon to such websites in a public area.

Reply

Paul 9 months ago

Target Red Card account log in doesn't allow it and it's very annoying.

Reply

David 7 months, 2 weeks ago

Here are the security guys convincing companies to do this. They live in a bubble. Drive me nuts every time I run into it in a website.

https://paul.reviews/dont-let-them-paste-passwords/

Reply

New Comment

Feeds

Never miss an update. Subscribe to receieve an updates whenever we post something in the blog.

RSS / Atom

Categories