Finally Western Union didn’t really provide any justification at all, and vaguely said that the procedure was carried out “in order to reduce risks when WU.com is accessed from home or multi-user environments.”
Although the companies may think they are helping their customers, the arguments for stopping users pasting their passwords are pretty weak overall.
“Companies constantly interrupt password managers, as they falsely believe they're improving the situation by forcing people to actually type passwords in,” Joe Siegrist, the CEO of LastPass, a password manager company, told WIRED in an email. (It’s important to point out that LastPass itself was hacked earlier in the year.)
But what is more worrying is that when password managers are blocked on websites, a user might be more likely to just enter a garbage, previously memorized password that has been used somewhere else.
“This all but forces people to use weak passwords that they can consistently and easily type. This also makes it much more likely a password will be reused,” Siegrist continued.
This is a problem because, time and time again, it is reused passwords that often lead to customers' accounts being compromised, rather than any giant, sexy hack of a company. When Uber accounts were found for sale on the dark web, they had been accessed because customers had used the same password on other services. As pointed out by security company Symantec, this was also the problem when Starbucks Card Holder accounts were drained of their finances.
Earlier this month, British Gas was also jumped on for not letting users paste their passwords. In fact, the company went so far as to say that “as a business we've chosen not to have the compatibility with password managers.”
The motivation was, at least in part, to stop its customers from accidentally setting up a password that they hadn’t actually memorized.
Unfortunately, this makes the process of registering a unique password generated from a manager—which will, assuming the password manager itself doesn’t have problems, make a user’s account more secure—that much harder for the normal user. Presumably, British Gas realised this, because, after an outcry from a handful of security experts, the company changed its policy altogether.
Some managers can bypass these pasting restrictions in certain circumstances, and there are technical work-arounds to paste passwords onto sites that don't allow it. But those solutions are not going to be used by the everyday Internet user.
And besides, it looks like not many non-technical people use password managers anyway. In research presented this week at the Symposium on Usable Privacy and Security, a survey found that only 24 percent of “non-experts” used password managers, compared to 73 percent of the security experts asked.
It’s unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason. Sure, password managers are not perfect, but they are much better than reusing old memorized passwords. Companies should not only embrace password managers, but actively encourage their use.
Update on 7/26/15 at 1:41 p.m.: Added comments from T-Mobile alerting WIRED to the fact that the problem had been fixed on T-Mobile's site.