Even worse, there are some that restrict what kind of special character you can use. So even when I've generated one I still have to edit to remove one particular character.

Would it really be that difficult to display password strength and say things like "use more characters, e.g. you could use four words".

> Many password managers generate strong, unique passwords for people so that they aren't tempted to create their passwords by hand, which leads to easily guessed and reused passwords. Every time a password manager generates a password that isn't compatible with a website, a person not only has a bad experience but a reason to be tempted to create their password. Compiling password rule quirks helps fewer people run into issues like these while also documenting that a service's password policy is too restrictive for people using password managers, which may incentivize the services to change.

ASCII only in 2023 seems positivity antique. And this from a supposed tech frontrunner! Wth...

Hopefully passwords will be gone soon (at least that's my hope).

Is there a reason I as a Swede should be limited from using my full native alphabet in my passwords for example?

As an example, you know how people sometimes suggest using a short sentence as a password? Here's a phrase in a local dialect, which means "and in the river there's an island" Å i åa e ä ö

Notice how only 2 of those letters are available in ASCII.

ASCII only is not a feature, and I honestly doubt anyone would try to argue that it is if this was about any company other than Apple. Try to look past the "who" and focus on the "what".

In what platforms is it not possible to input various Unicode or emoji characters, whether at all or reliably?

Even worse, there are some that restrict special characters, but don't tell you which!

Now you've got to go trial and error to find out which of the special characters in your password is not acceptable to that precious §("/$& website!

Spotify did/does this. Made canceling my free trial really tricky, because I needed to log in again to do so.

Default was a min-length of 15 as the only requirement with the default hint of "try using a short sentence"

I also had optional use of zxcvbn and haveibeenpwned checks during new passphrase creation.

I really wanted to open source the application but couldn't get approval to do so.

It was a pretty nice little simple auth application that issued RSA signed JWT to configured applications. It was interested into a few internal apps as well as for clients that didn't have something like azure ad, okta, etc. where we wrote bridge apps for auth.

If I had my configuration doc, I'd probably recreate it exactly, but with a Rust backend with HTMX instead of C#+react.

The date store used SQLite as a KV store, with simple methods for access that allowed an exception later for the values. Also wrote support for PostgreSQL and MS-SQL so they could be used where available.

Spent a lot of time on same defaults, hashing and encryption along with required configuration options for a few clients.

Aside: more devs really need to better understand public/private key generation and usage... Like not using the same keys for different environments.

You have no idea how long it took me to figure that one out.

For a more entertaining take, I really enjoy this use of it against scammers and thieves: https://www.youtube.com/watch?v=knhQ2f8anT8

Also iOS.

Providing a list is fine as long as they let the user type their own question if they want to. I cannot trust the security of a single one of their crap questions if I were to answer them honestly. However, if they let me type my own question, I can absolutely guarantee it.

1. be long enough (e.g. 8 characters or more)

2. not be in the list of 10k most used passwords

3. not simply reuse words present in the username, email, birthday (if my application knows about it)

This keeps it open and only interferes with truly stupid (aka insecure) password choices.

Additionally I like to propose 8 passphrases to the user so they can choose one of their liking with one click (this also serves as a proposal what a good passphrase could look like).

This is in addition to other mechanisms of course, like rate limiting password attempts, fail2ban, salting, peppering, chosing the right hash, proper database separation etc.

The goal should be that only an attacker that has a copy of the database could profit from too short passwords, and only if they get the salt and pepper correct, to avoid rainbow-table-attacks.

Minimal password requirements allow people who know what they're doing to do the right thing. If you want to stop people who don't know what they're doing from doing the wrong thing, it will take a lot more than just length restrictions.

They buy someone out, and now there are two systems. Glued together with duct tape. Then they release a new web product, or mobile app, or whatever, and that gets taped on too. Duct tape and spit all the way down, with everything eventually limited by the most broken part (if you're lucky).

But modern apps: just give us Unicode support. And maybe a limit of 255 characters, but not less.

I'd be fine with storing the password policy in the password manager, and having it generate based on that policy next time.

And having all sorts of weird stuff in a password isn't necessary, so neither is the policy. To top it all off, many of the sites obsessed with password quality actually limit password length. Why?! You are comparing passwords hashes and storing them as hashes, right? So the length shouldn't matter.

Allow passwords of effectively unbounded length, set a reasonable minimum length, and don't obsess about password 'complexity'.

And for the love of all that is good, don't eff with paste.

yes it’s longer than 8 characters

Yes I have one of your stupid special characters

Yes I’ve fulfilled all your other written rules

Oh… it also has to be LESS than 21 characters? Why did you not say that?

(Those of us who know, already know. I'd like to say that we all know here.

But if a reader does not recognize "correct horse battery staple", then you're obliged to click the above link -- you're one of today's lucky 10,000![1])

1: https://xkcd.com/1053/

I have developed a maybe irrational fear of space in strings such as passwords and paths. It always scares me when people use spaces in either case.

Firefox and Chrome's built-in password management tools would never accidentally enter your credentials on a lookalike site, but you very well might.

In the end, as long as a site is going to use username/password authentication there will always be the need to educate users about what to expect sans the aid of tools.

This is like advising that glass sidelights be installed next to the vault door.

non-sequitur.

getting phished results in the decision to enter the credentials. The mechanism for doing so is irrelevant to that decision.

The problem is that even if I read the code, or more likely chose to trust that someone has, it's not guaranteed to remain true for future updates. The author's scruples may weaken with time, or they might sell the extension, etc. (I think Chrome's extensions auto-update, but even if they didn't I'd still have to remember that this extension is one that I can't assume it's safe to update.)

For example I have an extension that lets you right click an image and rotate it by -90/+90/180 degrees. All I want is for the browser to hit me up when there is a `` tag, but that is not an option. Either I have to white list every page separately in the code or ask the user to white list every single page or just ask for full read and write permissions for every single web page the user visits.

No need for full read and write permission.

Maybe. But this is not clear at all from the given explanation:

> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs.

The "smoothest experience"... This is corporate wooden language, and sounds disrespectful towards the users. Why does the extension need, precisely, to deal with tabs at all? A smooth experience would allow the users the choice to disable this permission while still working correctly on a single tab (as the previous version did). If this is not clearly explained upfront, it sounds like bullshit, even if it isn't.

Maybe there is no alternative way to do this. But certainly there is an better way to explain this.

Of course you're right in a technical sense. They could do whatever they want later.

But still let's celebrate and attitude like this rather than criticizing it.

So now we'd have to trust the author to do thorough vetting of a potential buyer and also not sell if vetting is inconclusive. And this against an adversary aiming to cheat their way past vetting.

Might be a cynical take, but it is not one without reason.

As a sibling comment points out, this is due to the permission model. This doesn't let the author entirely of the hook though: the permissions model created the situation, the author chose a particular path. The consequences may not have been foreseen by either, but they do exist and affect users.

perhaps the most reasonable or even only possible path if they wanted their plugin to be able to do what they wanted it to do, which was to keep sites and from messing with your copy and paste functionality - in other words to prevent minor maliciousness.

on edit: sure, to provide the smoothest behavior, but really if it wasn't smooth people would be irritated and not want to use it. I know if I was implementing for myself I would want it to be smooth.

I understand the whole "bad things can be done" perspective, but here for some reason I fall under a "trust but verify" perspective instead.

https://en.wikipedia.org/wiki/UBlock_Origin#uBlock

No, it's called security.

Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.

What leads you to believe that good intentions are enough?

Following this logic, we should all stop using any and all software for which we haven't personally inspected the full source code for, since this could happen to any of them.

A more reasonable take would be to assess your risk tolerance and the possible benefit for each piece of software you install, and then make the best decision for yourself based on that assessment.

For some people, that means not running an extension that provides minor quality of life improvements due to the possibility of it turning malicious further down the road. For other people, it means the opposite.

Not sure why every security-related conversation devolves into one extreme vs. another extreme. Security must be appropriately balanced against risk tolerance, inconvenience, and a number of individual concerns and preferences.

I haven't? My first comment on this entire topic is the one you are replying to... And it can be summed up as "risk tolerance and security decisions is personal".

Yikes.

How am I supposed to know a direct reply to my comment, saying "if _you personally_" is not actually directed at me personally?

If it wasn't directed at me, I'm not sure why you replied to my comment at all.

Are you talking to me in this comment, or just generally? I have trouble telling.

One doesn't need broad security permissions.

https://github.com/jswanner/DontF-WithPaste?tab=readme-ov-fi...

[0] https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi...

(But for this extension I don’t give it all site permissions anyway. I just enable on site by site basis)

And whenever the package repository is missing a browser extension I need, I contribute the package and take responsibility for its ongoing vetting and maintenance.

https://github.com/aaronraimist/DontFuckWithPaste/blob/8cb68...

if you're using it under chrome you're already working under the profit making goal of a failing advertising company. how worse do you think it can get?

Nah mate, we at Google, (bless them Mozilla crooks giving us control over their extensions), don't care about actual issues, we only update extensions to make money and limit user freedom.

> hs.hotkey.bind({"cmd", "shift"}, "V", function() hs.eventtap.keyStrokes(hs.pasteboard.getContents()) end)

    -- https://news.ycombinator.com/item?id=39640745
    hs.hotkey.bind({"cmd", "alt"}, "V", function()
      hs.eventtap.keyStrokes(hs.pasteboard.getContents())
    end)

Can I just say though that disabling paste, apparently in the name of security, is the dumbest shit I have ever encountered, right in front of ultra short timeouts everywhere.

If only I could meet the people who make these decisions in person...

> If only I could meet the people who make these decisions in person...

For what it's worth, I was once forced to implement a half hour auto-logout on a website that could hardly be considered as containing sensitive data because an external pentest firm flagged the lack of a short timeout as an issue. The only way we could show clients a passing pentest was to comply with all of the findings. We all knew it was stupid but management gave us no choice but to implement it.

I replied with listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.

(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)

So we did the British thing and went for a lot of passive-aggressive "oh, but how come it's ok for the CIA and your own website?" etc. to force them on the defensive and demonstrate that a lot of what they did was basically ticking pointless boxes.

We did manage to carve out some willingness in the client organisation to ignore bits and pieces as we clearly increased our credibility relative to the pen testers, but it was a massive pain.

"The only way we could show clients a passing pentest..."

Pen testers are often very resistant to pushback. They get it a lot, and usually on things that are real concerns.

- I had to use login.gov

- My password manager had a saved login for it, I didn’t remember it, but it worked

- Then the site asked me for an authenticator app code. I checked my authenticator apps and there was nothing there for login.gov.

- There’s a login another way button so I click that and the other way is use the authenticator app!

- I click what if I can’t get my code?

- It says I must DELETE my account.

- I click to delete my account and it sends me an email.

- The email says to wait 24 hours for another account deletion email.

- 24 hours later I get an email that allows me to delete my account.

What was in the account? I have no idea, but it seems that it must be sensitive for some uses of the login. But if it’s sensitive and important why am I able to delete the account, the most destructive thing? Why is an email enough for me to delete it but not enough for me to get an auth code?

That said, you're right. This is really weird.

Why do they think password managers exist?

But. I have implemented these exact security measures into web applications. I've been handed the requirements and I implemented them. I asked my client why we had to do this, when "everyone" knows that this stuff is terrible user-experience and can backfire spectacularly for security (the same people who would memorize a shitty password and use it everywhere, will now write their expiring, "strong", impossible-to-remember password on a sticky note or save it to a text file or spreadsheet called 'passwords.txt' on their Desktop). The answer is: we have to, for compliance. To pass a security audit. To prove to some major client or insurance company that we have a number of industry-standard measures in place to improve security. Unfortunately, your bank does not care about the 2% of us using password managers. Everyone else is still memorizing passwords, forgetting them, and making jokes about it like it's 2003.

Do they?

I don’t remember seeing any compliance requirements you can’t reasonably push back. This is just overzealous compliance consultants meeting a team that doesn’t really care about their users. People never really question anything.

Probably not. In my experience most standards are pretty broadly defined with hardly any technical requirements.

For instance in ISO 27001 it states that you should create awareness in your organisation about information security. A very minimal way is to send a mass email to everyone in the organisation or hang up posters in the office. But I also spoke to someone that was determined that a half day security awareness training was minimally required.

What tends to happen is that auditors aren't going to tell you not to do something you don't have to, they're going to tell you to do to the things you must. Then the ones going "above and beyond" become convinced they're great at this compliance thing and others who don't do it are mistaken.

A perfect example is that PCI compliances requires firewalls but I know of a CISO that insisted on hardware level separation between networks with no way to bridge between them. The amount of pain and harm he did to that company cannot be overstated but he was convinced it was a requirement of PCI-DSS.

For personal use I just abandon any site that won't let me use my password manager (Bitwarden).

But I guess if that is to easy for folks with touchscreens then next will be the virtual mouse to click the virtual keyboard. Maybe add a randomly changing acceleration factor to the mouse to tell human and computer apart.

In firefox you can toggle dom.event.clipboardevents.enabled

Slack, for example. Pasting becomes a complete clusterfuck. Things paste in the wrong location, incompletely, etc. I have no idea how they manage to fuck up "paste in a text box"...

Facebook Messenger also broke last time I used it where the tab would start using 100% CPU, but it's been a few years since I last used it, so don't know if that's still the case.

Anyway, I really wish I could do this per website. I have it disabled because GitHub started doing weird and annoying shit when I copy/paste stuff from comments and I absolutely hate it. But ... then it breaks Slack :-/

For over 5 years Enter has been broken in YouTube's comment text fields. It inserts a new line but often won't move the cursor. Last year for a while they changed the text to black in the dark theme and it was impossible to write comments because the text fields simply never showed up.

they use a div and fuckton of JavaScript to implement a full rich text editor and then pretend it's a textbox.

google docs, WYSIWYG editors built into any number of webapps

>terminal emulators

ssh/serial consoles on whatever your hosting provider is. Sure, sometimes there's a command line tool to do the same on your OS's terminal emulator, but if it's for a task that you're doing once every few months (eg. recovering a bricked server), clicking a button on a website and getting a shell is just more convenient.

Here to write in the comments you use a simple text editor.

Chrome dev tools can also be used to change the code directly. Quite convenient to have the same dev tool behave and look the same on all the different plattforms.

Also, everything ChromeOS related.

Was that so scary?

Tampering with paste is kinda is like turning of autofill and the HTML5 standard is pretty clear when it should only be turned of: ".. particularly sensitive (for example the activation code for a nuclear weapon); or that it is a value that will never be reused (for example a one-time-key for a bank login) ..."

The only thing I can think of is malware changing the value of the clipboard to fool someone into pasting the wrong thing - but if you open that scenario then you've got all kinds of ways malware could mess with a manually typed field too.

https://github.com/jswanner/DontF-WithPaste/pull/29

(I admit though that the unrelated .gitignore change had nothing to do in the original PR)

Take GoogDocs as an example. Do you want the browser's find or the app's find if you hit ctrl-f in a Doc/Sheet/etc? The vast majority of the users want the app's. Reading a news site, most people would probably expect ctrl-f for the browser's search.

Just pointing out that hard rules will always have exceptions. Except for the TFA's point of copy/paste. Stop manipulating my clipboard with bullshit marketing/tracking bullshit!!!!!!!

Maybe apps could bind their find/search to ctrl-s since it is incorrect for browsers to bind this to save-page anyway.

Edit: >Then the vast majority of users are wrong.

I strongly disagree, and people unwilling to be flexible ruins the experience as those people tend to be the minority

(Your user will never need characters to render as single pixels? Try again - sooner or later someone will decide to abuse your spreadsheet as a raytracer and be annoyed they can't make cells single pixel)

And a feeling of consistentency often requires exceptions for specific cases such as the example of "find" where few users want to specifically find what happens to be in the browsers idea of what the document currently contains, but what it logically contains in their model of what it should contain. Consistency means that in an app that dynamically updates a scrollable region, for example, it should still find things in the currently not part of the browser document bits, and so shouldn't use the browsers find in those cases.

Some users might want a shortcut that always does the browsers own find, and there generally ought to be ways to override the app, but consistently acting how the user will want is rarely compatible with absolute rules.

1. Consider a keyboard without an f-key, eg Arabic. If the user is using an Arabic keyboard, what should bring up the browsers 'find' functionality. Of course ctrl-f won't cut it. Perhaps it should be ctrl-[first letter of 'find' in Arabic]? Or perhaps ctrl-[the letter in the same position as f on qwerty keyboard]? It makes sense to follow convention if one is already established for Arabic, but then what about languages that are new to the web?

2. Consider a phone-tree, which is a sort of UI. For this UI, the 'absolute right answers' of minimum text contrast, font size, keyboard shortcuts, etc, make no sense, but there are surely other ways to make the UI work well for customers.

In both these scenarios, I feel the 'right' choice is to pick the UI that is best for users. I think there isn't a-priori a right answer, and users habits change over time and across cultures, so it's not necessarily an easy choice.

I can see valid use cases for customizing Ctrl+F.

I say "semi-legitimate" because I actually wish they'd map to a different shortcut, but can see the case for user wanted the remapping.

This of course stems from earlier decisions to have that document handling style in the first place. IMHO it becomes a complex debate when on line between an online application and a webpage.

Something like CMD+K should be used for a more global search.

(Guessing on macOS Cmd+V is actually triggering a clipboard event in JS, the site can’t actually see that you pressed Cmd+V)

Discovered this thanks to a site (don't remember which) that included a tooltip about this fact in their hijacked search box. I was curious if it would work on Redocly search, which has no such tooltip, and it did. I'm not positive if this works universally, or is just an undocumented feature of Redocly's interface and won't work in places the developers didn't make specific accommodations for it.

Env: Chrome + OSX or Windows.

Linear hijacks Cmd+F for example, very helpfully providing some terrible thing instead of my browser's built-in search that works the same everywhere. (it's the same Linear that thinks you can't not want wysiwyg markdown editing)

Really i see no valid case

I can’t believe that it’s 2024, and I can’t simply grep some documentation.

It's possible to write your own user script to do it (you just need to add a keypress event handler that does preventDefault() and maybe stopPropagation()) with no need for Tridactyl :)

And I'll take the opportunity to say thank you for Tridactyl! Have a great weekend!

GitHub is what annoyed me enough to make the feature in the first place. It used to work reliably but they made it worse :(

EDIT: I just took a look at GitHub's source code, and they mentioned a setting to turn off these shortcuts, and it really exists!! Under https://github.com/settings/accessibility one can turn off, all "Character keys" which means shortcuts without a modifier. I've never used them, so I just disabled it, and now forward slash always opens the Firefox search :0

https://docs.github.com/en/get-started/accessibility/keyboar...

I haven't used a mouse in almost 15 years. It's a constant source of annoyance when I try to scroll something with a map with my trackpad and it goes crazy zooming in and out.

Edit: Apparently Firefox has the `permissions.default.shortcuts` config option

UNKNOWN: Services.perms.UNKNOWN_ACTION [0]

ALLOW: Services.perms.ALLOW_ACTION [1]

BLOCK: Services.perms.DENY_ACTION [2]

PROMPT: Services.perms.PROMPT_ACTION [3]

And in the site information panel you can disable the Override keyboard shortcuts permission on a per-site basis. Neat, doesn't solve the paste override issue though. Source: https://support.mozilla.org/en-US/questions/1241294#answer-1...

* maybe it's a Mac thing???