
Improving Login-Security through denial of Copy & Paste?

We have a common login form for a web application, nothing fancy, something like

...<input type="text" value="Username" /><input type="password" value="" />...

My co-worker argues that denying the user to copy & paste within the login form would improve the application security. I think otherwise because the password input is already protected by the browser itself (You cannot copy the password from the input element).

However, we added the following JScripts to the input elements:

... onpaste="return false;" oncopy="return false;" ondrag="return false;" ondrop="return false;" ...

A tester criticised that it is still possible to "drag" copy with the Ctrl key; of course it will only copy the * characters and not the password, but it still allows copying values from the form, and so the test case was returned as failed.

So much for the background.

My Question:

Is there any security improvement at all from denying any kind of copy & paste within the login form that is worth the extra effort?

Thank you, Simon
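As an added example (not code from the question or any answer): a small Node.js lint that flags inputs carrying the inline clipboard-cancelling handlers shown above, and strips them as the remediation. The sample form, `SAMPLE_FORM`, and the function names are constructed for this illustration.

```javascript
// Added example, not code from the thread: flag and remove inline handlers
// that cancel clipboard/drag events on form inputs.
const CLIPBOARD_EVENTS = ["onpaste", "oncopy", "oncut", "ondrag", "ondrop"];

// Matches attr="value" or attr='value' inside a tag body.
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// A handler cancels the event if it returns false or calls preventDefault().
function cancelsEvent(code) {
  return /\breturn\s+false\b/.test(code) || /preventDefault\s*\(/.test(code);
}

// One finding per <input> whose handlers cancel any clipboard/drag event.
function auditClipboardBlocking(html) {
  const findings = [];
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    const blocked = CLIPBOARD_EVENTS.filter(ev => attrs[ev] && cancelsEvent(attrs[ev]));
    if (blocked.length === 0) continue;
    const type = (attrs.type || "text").toLowerCase();
    findings.push({
      name: attrs.name || attrs.id || "(unnamed)",
      type,
      blocked,
      // Password managers fill fields by paste; blocking paste on a password
      // field pushes users toward short, typeable (weak) passwords.
      breaksPasswordManagers: type === "password" && blocked.includes("onpaste"),
    });
  }
  return findings;
}

// Remediation: drop only the cancelling clipboard/drag attributes from each <input>.
function stripClipboardBlocking(html) {
  return html.replace(/<input\b([^>]*)>/gi, (tag, body) => {
    const cleaned = body.replace(ATTR_RE, (attr, name, dq, sq) =>
      CLIPBOARD_EVENTS.includes(name.toLowerCase()) && cancelsEvent(dq !== undefined ? dq : sq) ? "" : attr);
    return "<input" + cleaned.replace(/\s+/g, " ").trimEnd() + ">";
  });
}

// Constructed sample mirroring the question's form (not a real site).
const SAMPLE_FORM = `<form>
<input type="text" name="user" onpaste="return false;" oncopy="return false;" ondrag="return false;" ondrop="return false;" />
<input type="password" name="pass" onpaste="return false;" oncopy="return false;" />
<input type="submit" value="Login" />
</form>`;

console.log(JSON.stringify(auditClipboardBlocking(SAMPLE_FORM), null, 2));
```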


No. Why stop the user from copy-pasting their own password?

Whenever you're looking at a security protection like this, it's important to ask yourself: exactly what kind of attacks am I trying to protect against? In this case, even if you prevent copy-paste, the user can just retype it if they really want to, after all. And if you're worried about Evil Spyware, that stuff can just install a browser extension and look at the password in the DOM directly, or install a keylogger and capture it as it's being typed.

Indeed, this can even reduce security. Consider if the user's using a password management program that can either put the password into the clipboard, or display it for retyping. If you prevent paste, that means the user must display the password on screen for any shoulder surfers to see.


I agree with the consensus here: Denying copy and paste means that my really complex passwords (stored in 1Password) are useless. So my response is to use short easily remembered passwords (i.e. weak ones). Driving people to use weak passwords is a BAD idea.

Also, the onpaste="return false;" is part of the DOM, not a javascript add-on, I believe. So it is really up to the site designer to stop such bad practices.

Does anyone know if there is a good reason to use "return false;" -- that is, is there something dangerous about the clipboard? If so, it kind of invalidates the use of such programs as 1Password.


I agree with everyone, and the sad thing is the large companies are starting to adopt this practice now; I can't paste on PayPal, Xbox Live, and also some apps such as Roundcube block it by default. I argue that it's worse for security as it forces the end user to type it, meaning it either has to be an easy one to remember or they have to have it visible somewhere to type out; the good apps like KeePass work on the basis that passwords aren't visible but only copied to the clipboard temporarily.


Preventing copy/paste passwords is a TERRIBLE idea - it pretty much makes using long, randomly generated secure passwords impossible. Imagine I wanted to use "JFPEWm!QjVIdrFk8l|/%" as a password - it's a great password, but a nightmare to type and VERY error prone.


None at all.

The user can disable anything that's client side, including your JScripts. Your colleague is misinformed; show them this thread.


There is only improvement if you accept the premise that the source from which the password was copied is less secure than memorization...I think that's probably true. But it's coming at a pretty hefty price on usability. And most browsers have one capability or another to store passwords, and users use password managers, etc. I think at some point you just have to accept the limits of the username / password paradigm.

It might be useful to take a look at client certificate authentication, if you are really concerned about security. It's important to note that there's nothing inherently more secure about CCA; it's just a different set of credentials. But it is, presumably, more difficult to copy a cert than a password. In any case, it's a good thing to know about for your security toolbox:

http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html
http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html


Unlikely to help. Keyloggers will now be sure to catch passwords. Copying and pasting the password is likely more secure than typing it.

Better to invest in a good password management tool and training (like Lastpass or 1Password) than frustrate users, making them more likely to take shortcuts (like using the same, simple password everywhere).


I agree with the consensus here. I don't see how removing copy-and-paste functionality could improve security, and all JavaScript can be disabled anyway. It's not worth your time.


Thank you guys,

your answers are really supporting my position here. I also fail to see the security benefit gained by removing the copy & paste capabilities from the webform.

However, it's a large scale web application, dealing with a lot of money, so it's hard to argue against anything that could possibly improve security (From a political point of view).

Greetings, Simon
