
The tweeter (probably a non-technical support person, so go gently on him or her as an individual) has revised the statement:

"@passy I'm mistaken about the website security certificate but avoiding pasting of passwords is good practice & protects our customers 1/2" https://twitter.com/BritishGasHelp/status/463679554306203648

"@passy especially when using public computers. Alpha numerical policy ensures your protection without making special characters necessary^S" https://twitter.com/BritishGasHelp/status/463681274092462080



Then they should clear the clipboard via JavaScript when submitting the login form, not prevent pasting of the password. Password managers are simply too much of a win to block.

Clearing the clipboard would be annoying for people who commonly copy a bunch of text out of a document, log in to their bank, and then paste the text somewhere else, but I suspect this is a rare workflow for most people.
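A sketch of the approach suggested in the comment above, added here as an example and not posted by anyone in the thread: paste stays enabled and the clipboard is overwritten when the login form is submitted. The function name, the `login-form` id and the result strings are assumptions; `navigator.clipboard.writeText` is the browser's async Clipboard API, which is only available in secure contexts and can reject.

```javascript
// Added example: clear the clipboard on login submit instead of blocking paste.
// `clipboard` is expected to behave like navigator.clipboard.
function clearClipboardOnSubmit(form, clipboard, onResult = () => {}) {
  function handler() {
    // No async Clipboard API (for example, page not served over HTTPS):
    // report it and let the submission continue.
    if (!clipboard || typeof clipboard.writeText !== 'function') {
      onResult('unsupported');
      return Promise.resolve('unsupported');
    }
    // Overwrite whatever was copied with an empty string. preventDefault()
    // is never called, so the form submits as usual.
    return clipboard.writeText('').then(
      () => { onResult('cleared'); return 'cleared'; },
      // Rejected: permission denied or the document lost focus.
      () => { onResult('denied'); return 'denied'; }
    );
  }
  // Only the submit event is hooked; no paste handler is installed,
  // so password managers and manual paste keep working.
  form.addEventListener('submit', handler);
  return handler;
}

// Browser wiring; the form id is hypothetical.
if (typeof document !== 'undefined') {
  const form = document.getElementById('login-form');
  if (form) clearClipboardOnSubmit(form, navigator.clipboard);
}
```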


I did work for a very security-minded HR outsourcing company on an HTML site to be used on a public kiosk and we also disabled paste via JavaScript for the same reason - to prevent a user from being able to paste in a previous user's password at the same terminal.


Makes no sense at all... Where ELSE might I be able to paste the contents of my clipboard?

Now, clearing the clipboard AFTER pasting, that might actually make sense!


Good advice. On a public computer you really don't want people accidentally leaving their password in the cut buffer for the next user to find.



