Wikipedia:Reference desk/Archives/Computing/2014 July 16

Computing desk
< July 15 << Jun | July | Aug >> July 17 >
Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is an archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.


July 16

edit

Copy and paste password?

edit

I couple of times that I've been on the phone to technical support, they've told me to not copy and paste a password into their software or website (type it in instead). Why is that? Bubba73 You talkin' to me? 22:47, 16 July 2014 (UTC)[reply]

Well, there could be a security issue, in that a hacker might find the document you cut and paste from, or look at the cut-and-paste buffer directly. Also, there could be hidden formatting characters is some documents, such as those using rich text format. A flat ASCII text document is safer, but you still might get extra spaces and return characters. And if you try to copy a password from a field where it displays as asterisks, that probably won't work. StuRat (talk) 23:04, 16 July 2014 (UTC)[reply]
I have my passwords in a plain text file. Most of the ones have dots in the password field, but it normally works to copy & paste from the file. Bubba73 You talkin' to me? 23:32, 16 July 2014 (UTC)[reply]
Probably a security issue, like StuRat said. Any application, including malware, can look at the clipboard buffer (trivially, by pasting) so it's unsafe while the PW is in there. Pain (a typo, but quite funny imo) Plain text files are easily accessible, too. From a security POV, they are less safe than other formats.
A browser with an internal copy/paste buffer would be much safer; that way, one can check the PW for typos before submitting it.
Some log-in pages provide a "don't hide PW" option, which you can use if you are alone or in a safe place. - ¡Ouch! (hurt me / more pain) 06:55, 17 July 2014 (UTC)[reply]
It appears that the main reasoning is that it is safer, however, see [1], [2] for arguments to the contrary (I happen to agree - it's certainly no harder to compromise a system with a keylogger, and manual typing does make it harder to use longer randomized pw's). On the other hand, though, they may be asking you to do this, if you had trouble logging in, just to make sure extra characters aren't getting added or invisible gibberish from where you stored the password is getting carried over, and hence, screwing up the process. I'm not really sure if such problems happen frequently (or if that was the reasoning in your case), but they can occur, see [3], [4], [5] for mentions, and middle section of [6].Phoenixia1177 (talk) 07:28, 17 July 2014 (UTC)[reply]
Any arbitrary website used to be able to inspect the contents of your clipboard through javascript. Now (and for the last several years) it seems like the major browsers prevent it entirely or ask for user permission on sites the user hasn't previously approved. I doubt the technique was ever used much due to the huge variety of things it could find in there, and the incredibly low odds of whatever is in your clipboard being a password that you use with an account that they can determine the username for. Katie R (talk) 13:50, 17 July 2014 (UTC)[reply]