Improving Login-Security through denial of Copy & Paste?

We have a common login form for a web application, nothing fancy, something like

...<input type="text" value="Username" /><input type="password" value="" />...

My co-worker argues that denying the user to copy & paste within the login form would improve the application security. I think otherwise because the password input is already protected by the browser itself (You cannot copy the password from the input element).

However, we added the following JavaScript handlers to the input elements:

... onpaste="return false;" oncopy="return false;" ondrag="return false;" ondrop="return false;" ...

A tester criticised that it is still possible to "drag" copy with the Ctrl key; of course it will only copy the * characters and not the password, but it still allows copying values from the form, and so the test case was returned as failed.

So much for the background.

My Question:

Is there any security improvement at all from denying any kind of copy & paste within the login form that is worth the extra effort?

Thank you, Simon

asked by Simon, Jan 21 '11 14:01



1 Answer

No. Why stop the user from copy-pasting their own password?

Whenever you're looking at a security protection like this, it's important to ask yourself: Exactly what kind of attacks am I trying to protect against? In this case, even if you prevent copy-paste, the user can just retype it if they really want to, after all. And if you're worried about Evil Spyware, that stuff can just install a browser extension and look at the password in the DOM directly, or install a keylogger and capture it as it's being typed.

Indeed, this can even reduce security. Consider if the user's using a password management program that can either put the password into the clipboard, or display it for retyping. If you prevent paste, that means the user must display the password on screen for any shoulder surfers to see.

answered by bdonlan, Sep 29 '22 23:09
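As an added example (not code from the question or the answer), a small Node.js audit that scans HTML templates for input elements carrying the inline onpaste/oncopy/ondrag/ondrop handlers from the question and flags them, with password fields rated highest because blocking paste there also breaks password managers. The sample form and the severity labels are constructed for this example.

```javascript
// Added example: audit HTML for inputs whose inline handlers block
// copy/paste/drag/drop. Assumption: templates are plain HTML strings and
// a regex-based scan is good enough for review tooling (not for rendering).
const BLOCKING_HANDLERS = ['onpaste', 'oncopy', 'ondrag', 'ondrop'];

// Parse the double-quoted attributes of one <input ...> tag into a map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// True when an inline handler unconditionally cancels the event.
function cancelsEvent(value) {
  return /^\s*return\s+false\s*;?\s*$/i.test(value) ||
         /preventDefault\s*\(/.test(value);
}

// Return one finding per <input> that cancels any of the four events.
function findPasteBlockingInputs(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const type = (attrs.type || 'text').toLowerCase();
    const blocked = BLOCKING_HANDLERS.filter(
      (h) => h in attrs && cancelsEvent(attrs[h]));
    if (blocked.length > 0) {
      // Constructed rating: a password field that rejects paste forces the
      // user to retype or display the secret, so it is the worst case.
      findings.push({ type, blocked, severity: type === 'password' ? 'high' : 'low' });
    }
  }
  return findings;
}

// Constructed sample mirroring the form described in the question.
const SAMPLE_FORM = '<form>' +
  '<input type="text" value="Username" onpaste="return false;" oncopy="return false;" />' +
  '<input type="password" value="" onpaste="return false;" ondrop="return false;" />' +
  '<input type="submit" value="Login" />' +
  '</form>';

console.log(JSON.stringify(findPasteBlockingInputs(SAMPLE_FORM), null, 2));
```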