We have a common login form for a web application, nothing fancy, something like
...<input type="text" value="Username" /><input type="password" value="" />...
My co-worker argues that preventing the user from copying and pasting within the login form would improve the application's security. I think otherwise, because the password input is already protected by the browser itself (you cannot copy the password from the input element).
However, we added the following JavaScript handlers to the input elements:
... onpaste="return false;" oncopy="return false;" ondrag="return false;" ondrop="return false;" ...
A tester criticised that it is still possible to "drag"-copy with the Ctrl key; of course, it will only copy the * characters and not the password, but it still allows copying values from the form, and so the test case was returned as failed.
So much for the background.
My Question:
Is there any security improvement at all from preventing any kind of copy & paste within the login form that is worth the extra effort?
Thank you, Simon
No. Why stop the user from copy-pasting their own password?
Whenever you're looking at a security protection like this, it's important to ask yourself: exactly what kind of attack am I trying to protect against? In this case, even if you prevent copy-paste, the user can just retype the password if they really want to, after all. And if you're worried about Evil Spyware, that stuff can just install a browser extension and look at the password in the DOM directly, or install a keylogger and capture it as it's being typed.
Indeed, this can even reduce security. Consider a user who is using a password management program that can either put the password into the clipboard or display it for retyping. If you prevent paste, that means the user must display the password on screen for any shoulder surfers to see.
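The following page is an added example, not code from the original question or answer. It wires up the handlers from the question on a throwaway login form (the element ids `user`, `pass`, `read`, `fill` and `out` and the filler password are made up for this demo) and adds a page script that does what the answer describes: it reads the cleartext password from the DOM, records every keystroke's result through an `input` listener, and writes a value into the field without any paste event. Open it in a browser, type or try to paste a password, then click the buttons.

```html
<!-- Added demo (not from the original post): the question's copy/paste/drag
     blockers only cancel clipboard and drag-and-drop UI events. Any script
     running in the page (an injected script, a browser extension's content
     script, a bookmarklet) still sees and sets the password. -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>copy-paste blocking demo</title></head>
<body>
<form id="login" onsubmit="return false;">
  <label>Username <input id="user" type="text"
         onpaste="return false;" oncopy="return false;"
         ondrag="return false;" ondrop="return false;"></label>
  <label>Password <input id="pass" type="password"
         onpaste="return false;" oncopy="return false;"
         ondrag="return false;" ondrop="return false;"></label>
</form>
<button id="read">Read password from the DOM</button>
<button id="fill">Fill password without a paste event</button>
<pre id="out"></pre>
<script>
  const pass = document.getElementById('pass');
  const out = document.getElementById('out');

  // Show that the page's own blockers do fire: the inline onpaste handler
  // returns false and cancels the paste, but this listener still runs.
  pass.addEventListener('paste', () => {
    out.textContent = 'paste event cancelled by the onpaste="return false;" handler';
  });

  // In-page "keylogger": an input listener sees the field's value after every
  // keystroke, so typing the password by hand is no safer than pasting it.
  const typed = [];
  pass.addEventListener('input', (e) => {
    typed.push(e.target.value);
  });

  // The type="password" masking only affects what is rendered; the DOM holds
  // the cleartext value, and any script in the page can read it.
  document.getElementById('read').addEventListener('click', () => {
    out.textContent =
      'password field currently holds: ' + JSON.stringify(pass.value) + '\n' +
      'values observed while typing: ' + JSON.stringify(typed);
  });

  // A password manager (or malware) does not need a paste event: it assigns
  // the value directly, so blocking paste only inconveniences honest users.
  // 'correct horse battery staple' is a constructed sample value.
  document.getElementById('fill').addEventListener('click', () => {
    pass.value = 'correct horse battery staple';
    out.textContent = 'password set programmatically, no paste event involved';
  });
</script>
</body>
</html>
```

The point of the demo is the one the answer makes: the handlers only change the behaviour of a legitimate user at the keyboard, while everything an attacker would actually use (script access to the DOM, an event listener on the field, direct assignment to `.value`) is untouched.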