A new major problem pasting passwords

BasilDane
2014-05-22
2014-09-08
  • BasilDane
    2014-05-22

    This is becoming a serious problem for me, as I really like KeePass and use strong passwords everywhere. One by one, websites are starting to block pasting passwords. I can't imagine why they are doing this, because it encourages people to use weak passwords; I'm certainly not going to TYPE a 20-character strong password. So... Obviously this is not KeePass's fault, but it sure affects us. We need a new strategy. Perhaps injecting keystrokes directly without pasting will get past them?

    I went to change my eBay password this morning and was stopped by this. And of course there is no way to contact them and they wouldn't care anyway. I can see onPaste="return false" right in their page; they are doing it intentionally.

    This is my 4th account this week that I can no longer use KeePass with.

    Discuss!

     
    • SteveShank
      2014-05-30

      I have found that some sites don't allow CTRL-V, but I haven't found one that refuses both CTRL-V and right-click then choose Paste.

       
  • Horst
    2014-05-22

    Using Auto-Type, KeePass does not paste anything; it types the characters!
    Set up the correct Auto-Type entries and it works.
    I can use KeePass on all web sites, and also on eBay, with no problem at all.

     
  • wellread1
    2014-05-22

    Try KeePass auto-type; either global auto-type or Perform auto-type.

    With respect to the particular problem you experienced: I changed my eBay password yesterday (US site). I don't recall encountering a problem, and I usually change passwords manually using copy-paste. I also just tested eBay login using both copy-paste and auto-type. Both methods worked fine for me.

     
  • Paul
    2014-05-22

    I just changed my eBay password (what sort of crap security do they have where they encourage you to use strong passwords but don't say what the maximum length is - seems to be about 20?) and couldn't paste. I duplicated the entry with the new password and then changed the Auto-Type to {PASSWORD}{TAB}{PASSWORD}. Then I could Auto-Type the password.

    Let's face it, website authors have no idea about security!!!!

    cheers, Paul

     
  • wellread1
    2014-05-23

    Even worse, eBay designed a password reset procedure that only requires access to a user's email account. If an attacker gets control of any email account they can check if there is an associated eBay account and change the password without knowing the old password. The eBay reset message helpfully provides the eBay username.

    Apparently I changed my password before these security upgrades.

    Disregard, I had a lapse; this is the same procedure many vendors use. The take-home message is: protect your email account.

     
    Last edit: wellread1 2014-05-23
  • Thorsten
    2014-05-30

    I think the thread starter did not only mean auto-type at login.
    That is working fine with KeePass.
    I had the same problem with PayPal today.
    They allow you to paste the old password, but don't allow you to paste the new and the retyped new password.
    I ended up changing the auto-type of the PayPal entry to auto-type only the password. So I could auto-type, which uses character insertion.
    What I was really missing at this time was an option (in the right-click/edit menu) to just auto-type the user name or the password as single entries, not the global standard "username, tab, password, enter".

     
  • Paul
    2014-05-30

    An additional context menu item of "Auto-Type password" would probably fix this problem.

    cheers, Paul

     
  • wellread1
    2014-05-30

    I think you are right. Also, entering a password only is useful and probably the second most common keystroke sequence. Adding this feature would significantly augment the Perform auto-type capability.

    Since the key stroke sequence would naturally have a Workspace scope rather than a database or entry level scope, the sequence could be user defined and saved in keepass.config.xml.

     
  • wellread1
    2014-05-30

    Some further thoughts: Since the Workspace would be a new source of keystroke sequences the feature might entail a significant modification to KeePass. Additionally the mismatch between placeholder scope and a keystroke sequence defined with a Workspace scope could be a problem, though I believe a similar mismatch exists in Triggers. Finally, an unintended consequence, not necessarily undesirable, might be to create demand for additional hot-keys.

     
  • Paul
    2014-05-31

    I don't think you need to define a sequence, just Auto-Type the password. It's then up to the user what they do next.

    cheers, Paul

     
  • Paul
    2014-05-31

    Steve, please post at the end of the thread. Makes it easier to follow.

    cheers, Paul

     
  • Tim Ramsey
    2014-08-21

    I've run into the same idiotic mis-feature with PayPal and some credit card sites.

    An "autotype password" option in KeePass would get around this bit of idiocy quite handily. Please consider implementing this feature soon. Hotkey or menu option from the GUI, whichever or both.

     
  • Glenn
    2014-08-21

    Tim, here's the solution I use which was discussed here: https://sourceforge.net/p/keepass/discussion/329220/thread/deccac80/

    Add a completely new Title and just set the auto-type sequence to {PASSWORD}{ENTER} on the second title. Then when the hotkey is entered, KeePass would ask you to select either the full username & password or the password-only entry. Easy with 1 click of the mouse. Title #1 could be "PayPal" for example and Title #2 could be "PayPal - p/w only".

     
  • Tim Ramsey
    2014-09-06

    @Glenn: thanks, that is a workable workaround. I'd rather have an "autotype password" option. That seems a cleaner solution going forward.

     
  • AlexVallat
    2014-09-07

    If it's any help, WebAutoType can be configured to automatically skip the username when it detects that you are auto-typing into a password box.

     
  • Kesafi
    2014-09-08

    Not sure if this advances the discussion any, but last night I came across a website that wouldn't allow copy-and-paste of the password from KeePass to log in, but would allow drag-and-drop.
    How do these mechanisms actually differ, and should they give different results?

     
  • Paul
    2014-09-08

    You can use JavaScript to prevent pasting into a browser, but not to prevent drag n drop - you can also Auto-Type into such pages. Both give the same result, with DnD not using the clipboard - I prefer DnD both for the lack of clipboard and for the ease of use; you can DnD without having to swap back and forth between windows.

    cheers, Paul
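
Added example (not written by any poster in this thread and not KeePass code): a small Node.js audit that a site owner could run over their own page templates to find password fields carrying the inline onPaste="return false" pattern quoted in the first post, along with the equivalent handler for drag-and-drop. The sample HTML and its field names are constructed, and only inline attributes are inspected, not listeners attached from script.

```javascript
// Inline handler bodies that cancel the event's default action.
const CANCELS = /return\s+false|preventDefault\s*\(/i;
// Inline attribute -> the input path it can cancel on that field.
const PATHS = { onpaste: 'paste', ondrop: 'drop' };

// Parse the attributes of one <input ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// One finding per password input: which input paths its inline handlers cancel.
// Keystrokes (manual typing or Auto-Type) fire neither event, so they are
// never listed as blocked by these attributes.
function auditPasswordFields(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi)) {
    const attrs = parseAttrs(tag);
    if ((attrs.type || '').toLowerCase() !== 'password') continue;
    const blocked = Object.keys(PATHS)
      .filter((a) => a in attrs && CANCELS.test(attrs[a]))
      .map((a) => PATHS[a]);
    findings.push({ field: attrs.name || attrs.id || '(unnamed)', blocked });
  }
  return findings;
}

// Constructed sample: a change-password form like the ones described above,
// where the old password can be pasted but the new ones cannot.
const SAMPLE = `
<form>
  <input type="password" name="oldpass">
  <input type="password" name="newpass" onPaste="return false">
  <input type="password" name="retype" onpaste="event.preventDefault()" ondrop="return false">
  <input type="text" name="user" onpaste="return false">
</form>`;

for (const f of auditPasswordFields(SAMPLE)) {
  const status = f.blocked.length ? 'blocks ' + f.blocked.join(', ') : 'no inline blocking';
  console.log(`${f.field}: ${status}`);
}
```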