Recent versions of Clarion have disabled the ability
for a user to paste text into a Password field [1].
While this may be advantageous in some circumstances, it greatly weakens
security in general by preventing the use of secure (i.e. long and random)
passwords generated by password managers. PassPaste is a small template
that allows users to paste text into password fields, using either Ctrl-V,
or Right-Mouse-Button / Paste.
All the proceeds collected from this template go to charity (over and
above our normal charitable contributions). For a list of the charities we
regularly support see our Social Responsibility page. If you cannot afford
this product please contact us and we will arrange a free copy for you.
[1] This is likely not an overt action by
SoftVelocity. It is likely to be a side effect of the way a native Windows
entry field is being used.
Having a password in the clipboard is not ideal
because the clipboard is available to any program on the computer, and is
plain text. Thus if your computer is compromised with some kind of
malware, then that program may be able to inspect the clipboard from time
to time and extract passwords from there. (This seems to ignore the issue
that malware can just as easily log keystrokes.) Equally, if the password
is left in the clipboard after use, then another user at your keyboard can
retrieve it simply by pasting into, say, Notepad (if you leave your desk).
Unfortunately the solution (preventing a Paste) does not fix the root
problem. The user has already copied the password into the clipboard, so
the damage (if there is any) has already been done. Indeed since the user
flow has been interrupted it's possible they may now forget to clear the
clipboard.
PassPaste works to resolve the problem by not only allowing the Paste, but
then immediately clearing the clipboard. Since you are pasting into a
password field the program is uniquely able to determine that the
clipboard contains a password, and that this password is now no longer
required.
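The paste-then-clear sequence described above, sketched as an added Clarion example. This is not PassPaste's own code: it handles only Ctrl-V (not Right-Mouse-Button / Paste), and the window layout and the names Password and Pasted are assumptions made for illustration.

```clarion
  PROGRAM
  MAP
  END
  INCLUDE('KEYCODES.CLW'),ONCE         ! supplies the CtrlV keycode equate

Password  STRING(64)                   ! hypothetical field bound to the entry
Pasted    STRING(64)                   ! temporary copy of the clipboard text

Window  WINDOW('Login'),AT(,,200,60),CENTER,GRAY
          PROMPT('Password:'),AT(10,12),USE(?Prompt)
          ENTRY(@s64),AT(60,10,120,12),USE(Password),PASSWORD,ALRT(CtrlV)
          BUTTON('OK'),AT(140,36,40,14),USE(?OK),DEFAULT
        END

  CODE
  OPEN(Window)
  ACCEPT
    ! ALRT(CtrlV) turns Ctrl-V on the password entry into EVENT:AlertKey
    IF EVENT() = EVENT:AlertKey AND FIELD() = ?Password AND KEYCODE() = CtrlV
      Pasted = CLIPBOARD()             ! read the clipboard as text
      IF Pasted                        ! ignore an empty or non-text clipboard
        Password = Pasted              ! perform the paste ourselves
        DISPLAY(?Password)             ! refresh the masked entry on screen
        SETCLIPBOARD('')               ! the password is no longer needed there
        CLEAR(Pasted)                  ! do not keep a second copy in memory
      END
    END
    IF EVENT() = EVENT:Accepted AND ACCEPTED() = ?OK
      BREAK
    END
  END
  CLOSE(Window)
```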
Programs that prevent pasting are making an attempt to educate users: by
not accepting the password they "teach" the user not to copy the password
into the clipboard in the first place. This approach might work if it was
universally adopted, but that is not the case [2].
Since the consensus is that very long, random passwords are the only
protection against off-site brute-force attacks, the use of Password
Managers is by far the best solution to that vulnerability. Given the
choice between (ineffective) local clipboard protection and the risk of
short passwords being brute-forced, the accepted security practice is to
promote long, random passwords and to allow Paste from the clipboard.
References
Troy Hunt - The "Cobra Effect" that is Disabling Paste on Password Fields.
Wired Magazine - Websites, Please Stop Blocking Password Managers. It’s 2015.
OWASP - Authentication Cheat Sheet.
[2] All modern browsers, including Chrome, Firefox,
Safari, IE and Edge allow pasting into password fields.
A discussion of this template, and the use of
passwords in general was included in the
ClarionLive webinar #407, 14 April 2017.
The initial exploration of this issue, and a
proof-of-concept solution was suggested by John Hickey during an
OpenClarion webinar on 29 March 2017.
Suggestions for improvement, and some code suggestions, were submitted by
Carl Barnes.
The price of PassPaste is $20.
It is available for purchase from ClarionShop.
For other payment options please contact us here.