11

I understand there are a few other controls, like 2FA, for making transactions on many bank account websites, while users only need a username and password to access the account.

I noticed that I can save my password in my LastPass password manager while in my other bank account they disabled it somehow. Working for a financial company myself, it made me consider creating this kind of protection: an option of disabling the option for users to save their passwords to their password managers like LastPass.

It will be very easy to implement this kind of client-side encryption solution, but I am wondering why these banks would do this "extra" line of security protection.

schroeder
Filipon
    Preventing a password store weakens security and it's also insolent. You are effectively forcing your users to either re-use an existing password (extremely dangerous), or to use a unique password that they can remember (very likely a bad password). – Victor Mataré Sep 29 '18 at 15:56
  • 12
    Why do you think that this would improve security? I don't ask to be snarky - just curious what your thought process is – Conor Mancone Sep 29 '18 at 20:47
  • 3
    I suspect what financial institutions actually disable is pasting the password. Disabling password managers is likely not intentional but an unfortunate side effect. The main target of such a no-pasting policy are usually users who use notepad or an Excel spread sheet. – Kevin Keane Sep 30 '18 at 19:14
  • 2
    @KevinKeane Even attempting to ban Excel sheets infuriates me. I'm sure there are many non-tech-savvy people out there (say, your grandfather) for whom a notepad or Excel-based password system is better than what they were doing before. I strongly disagree with websites putting restrictions on passwords - either on the password itself, or how you can enter it. – Mike Ounsworth Oct 02 '18 at 12:16
  • 1
    @MikeOunsworth I understand your concern, and have seen this very problem in action. It is a two-edged sword. With bank passwords, Excel is about as bad as password reuse; plain-text files are too easy to steal. For this type of person, paper-based is the way to go. – Kevin Keane Oct 03 '18 at 16:50
  • 2
    @KevinKeane Maybe, or maybe the cleaning lady or the ungrateful son is the biggest threat and Grandpa's Windows password is fine at keeping them out. I don't think think is something that webmasters have any business pushing down on their users. – Mike Ounsworth Oct 05 '18 at 01:14

4 Answers

41

DON'T.

Unique passwords are one of the most important aspects of password security, as a breach at a different site will not affect other sites for the same user.

Unique passwords per site are almost impossible without password managers. In addition, password managers enable longer passwords. For instance, most of my passwords are unique, 60 characters long, and contain special characters. This is way more secure than the ten-character passwords I employed previously, with lots of password reuse.

In short, your idea will likely lead to worse safety. And it will seriously piss off security-conscious users. Instead, follow the NIST guidelines, and don't try to control how users enter the password.

In addition, such attempts at controlling input may impair users with disabilities. Screen readers and alternate input methods may not play well with custom scripted input options.

vidarlo
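As an added illustration of the NIST guidance this answer points to (NIST SP 800-63B memorized-secret rules), not code from the original post: a check that enforces only length, a breached-password blocklist and context-specific words, with no composition rules and nothing that interferes with pasting. The breached-password list is a constructed stub; a real deployment would use a large offline corpus.

```python
"""NIST SP 800-63B-style memorized-secret check (illustrative, added here)."""
import unicodedata

# Constructed sample of a breached/common-password list. In production this
# would be a large corpus loaded from disk, never this hand-written stub.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}

MIN_LEN = 8     # 800-63B: at least 8 characters
MAX_LEN = 128   # 800-63B: verifiers SHOULD accept at least 64; cap chosen here


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical strings compare (and hash) the same."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return a list of rejection reasons; an empty list means the secret is accepted.

    Deliberately absent: upper/lower/digit/symbol composition rules, bans on
    spaces or special characters, and any hint to block paste or autofill.
    800-63B recommends against all of those, which is exactly why a
    60-character random string from a password manager passes unchanged.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if len(s) > MAX_LEN:
        reasons.append("too long")
    folded = s.casefold()
    if folded in BREACHED_PASSWORDS:
        reasons.append("found in breached-password list")
    # Context-specific words: the username or the service name itself
    for word in (username, service):
        w = word.casefold()
        if w and w in folded:
            reasons.append(f"contains context word '{word}'")
    return reasons


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "P@ssw0rd", "mybank2018!", "short"]:
        print(repr(pw), check_password(pw, username="alice", service="mybank") or "ok")
```

The NFKC step matters: a fullwidth "ｐａｓｓｗｏｒｄ" normalizes to "password" and is caught by the blocklist, where a naive string comparison would let it through.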
8

As vidarlo said, you should NOT do that.

Plus, websites where password managers don't work don't disable them per se; they disable paste in password fields.

Usually, they disable password copy pasting because they consider it weakens security:

  • a user could paste a password he/she doesn't know (irrelevant with a password manager)
  • on registration, a user could mistype the password in the first field and paste it in the "repeat password" field; both fields will match but won't contain the intended password (irrelevant with a password manager)
  • the clipboard could compromise the password (virus, access by another person...); fair point, but password reuse/weak passwords are a greater risk and already very common, way more than clipboard sniffing

Besides leading to weaker security, the "option of disabling the option for users to save their passwords to their password managers" by disabling password copy/pasting doesn't exist anyway.

Why? Because this "option" would run client side, and client side your users can get around disabled paste by:

  • adding value="mySecretPassword" to the password input field
  • removing onDrop="false" and/or onPaste="false" you may have included in the input field (won't be enough in most cases though)
  • installing various browser extensions
  • using a password manager able to fill password fields even if paste is disabled (like Bitwarden)
schroeder
CheddarLizzard
4

Most of the other answers say banks shouldn't do this, which I mostly agree with. However, I'm going to answer the question you asked: why do some banks do this?

The answer is simple: many password managers have had vulnerabilities or breaches that leaked passwords. For example, this flaw in LastPass.

The reason that banks in particular try to stop this is because they are usually liable if you suffer fraud online. With most other service providers, if you're careless with your login details, it's only you who suffers, not the provider. But because banks have liability in so many scenarios, they have good reason to stop people doing anything they consider a risk.

paj28
  • What would you do if you were the CISO of a bank in such a case? – Filipon Oct 02 '18 at 13:22
  • 1
    @Filipon - Multi-factor authentication – paj28 Oct 02 '18 at 13:22
  • That is obvious, and this is what usually happens when you enter the bank's transaction sector, but I am talking only about the case I described in the question and the one you answered. – Filipon Oct 02 '18 at 13:23
  • 1
    @Filipon - Short answer: not block password managers. Longer answer: first I'd check legal and regulatory guidance. If that says what to do I'd just follow it regardless of what I thought. But if making transactions is protected by MFA, I would not try to block password managers for the login that mostly just reveals your balance and past transactions. Does this particular bank enforce MFA for all transactions, or just some? – paj28 Oct 02 '18 at 13:26
  • 4
    Great answer to the "why" maybe, but the banks are misguided if they consider a password manager a higher risk than forcing their customers to use short easy-to-remember passwords they've probably already used on random social media somewhere. – Ben Oct 02 '18 at 15:39
  • 1
    "But because banks have liability in so many scenarios, they have good reason to stop people doing anything they consider a risk." Don't you consider password reuse a higher risk than password manager failure? The former is much more common, and preventing your users from using a password manager is usually associated with security weakening, not strengthening. You have a point anyway: "for security reasons" is usually the argument/excuse put forward when you ask these services "Why?". Twisted logic. – CheddarLizzard Oct 02 '18 at 21:51
  • 2
    @Theophany - To be clear, I'm not defending this, just answering OP's question. Password managers don't prevent password reuse, as they're only used by relatively advanced users. There are other defences against reuse. Almost all banks tell you not to reuse in their security guidance, and many have an additional authentication code that they set and you can't change. So from the bank's point of view - and it's up to you if you consider this twisted - password managers are an additional risk. – paj28 Oct 03 '18 at 06:17
  • No problem, I don't include you in the "twisted logic" bit. Password managers do prevent password reuse for... users who use them, that's the point. Obviously they don't prevent password reuse worldwide by simply existing. Most services tell their users not to reuse passwords, and users still do it. Surely a service should not rely solely on the user to secure his/her account, and neither should it prevent advanced users from taking additional steps. This additional code does indeed counter the password reuse issue, but sadly most users probably store it in an insecure location. – CheddarLizzard Oct 03 '18 at 06:42
1

There are, in fact, various more or less credible reasons for disabling support for password managers in a web application.

The main one is whenever you are using a temporary password (forced change, one-time password, TAN, etc.). You don't want the password manager to store it.

It is also possible that you want to prevent auto-fill, to protect the user. While in theory the password manager secures its password with a strong master key, most users in the real world use an empty master key for convenience.

Clipboard sniffing and other attacks were mentioned already, but they depend on your threat model (keyloggers might be a bigger risk than clipboard-sniffing malware).

The disabling might be aimed primarily at the copy action, not the paste action, with paste being disabled as a side effect.

Tom