
PSA for frontend devs:
Do not block pasting in password or other input fields!

Sincerely,
Everyone that uses a password manager

@skypage
⬆️⬆️⬆️ THIS ⬆️⬆️⬆️

It drives me into a keyboard smashing rage when sites do that.

@m00se
That paste blocking garbage got me using an addon called Don't F*** With Paste and checking the HTML to see if I can get around the annoying crap that they'll use to circumvent a simple function.

@skypage
Oh! Good tip! I will check it out. Thanks.

@m00se
Yeah, sometimes I can get around it by a right click -> Inspect Element and seeing if there's anything akin to `on-paste=...` that I can get rid of. Otherwise I'll add a rule for the site to the aforementioned addon (you have to proactively add a site for it to block paste sabotage).

@skypage @m00se
I used to use an addon called 'right to click' because they used to disable the right click on their sites. Not so much necessary now, thankfully, since you can use the web developer tools to do all kind of great things!

@skypage also, name your fields appropriately so password manager browser plugins can identify them.

@skypage On Amtrak’s site if you try to paste in fields on the main login form you can’t, but if you pick your tickets and go to checkout a different login form is presented where you can!

@sirphenom
I've seen the same sorts of inconsistencies with email validation. The + symbol (amongst others) is a valid email character, but so many websites treat it as though it isn't.

@skypage @sirphenom You know they're jacking with you about disallowing the + sign solely because they don't want you to use GMail plussing as a filter to move their future spam off into a spam folder.

They really want your email addy so they can sell it and use it to send you their advertising. I bet their buyers won't pay for a plussed address 'cause they know it's an advertising dead end.

@Klaatu
I think it's literally a matter of naive devs thinking emails can only contain alphanumeric characters with a few symbols like [-_.] and a standard formatted domain name. In reality, about the only validation you can make on email addresses is to ensure it's at least 2 characters and contains an '@'.
@sirphenom

@Klaatu @sirphenom
This article changed my own assumptions I used to have about email address validation when I read it. More software devs need to read this.
davidcel.is/posts/stop-validat

@skypage @sirphenom I think they get messed up by how regex counts _ as a letter and not punctuation. Here's some of their validations:

JavaScript:
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/

HTML5's <input type="email"> internally does:
/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/
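Added example, not from the thread: the two patterns quoted above and the minimal "at least 2 characters and an @" rule, run beside a constructed alphanumeric-only pattern (NAIVE_REGEX, hypothetical) over constructed sample addresses, to show that plus-addressing, quoted local parts and IP-literal domains are rejected only by the naive rule, not by either standard pattern.

```javascript
// Added example, not from the thread: the two patterns quoted above, the minimal
// "at least 2 chars and contains '@'" rule, and a constructed alphanumeric-only
// pattern (NAIVE_REGEX, hypothetical) run against constructed sample addresses.

// Widely copied "JavaScript" email regex quoted in the thread.
const JS_REGEX =
  /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

// Pattern the HTML standard gives for <input type="email">.
const HTML5_REGEX =
  /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;

// Hypothetical "letters, digits and [-_.] only" rule of the kind that rejects plus-addressing.
const NAIVE_REGEX = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Minimal rule from the thread: at least two characters and an '@'.
function minimalCheck(addr) {
  return addr.length >= 2 && addr.includes('@');
}

// Evaluate one address under all four rules.
function classify(addr) {
  return {
    js: JS_REGEX.test(addr),
    html5: HTML5_REGEX.test(addr),
    naive: NAIVE_REGEX.test(addr),
    minimal: minimalCheck(addr),
  };
}

// Constructed sample addresses exercising '+', '_', quotes, an IP literal and a dotless domain.
const SAMPLES = [
  'user+filter@example.com',
  'first_last@example.com',
  "o'brien@example.com",
  '"quoted local"@example.com',
  'user@[192.168.0.1]',
  'user@localhost',
  'no-at-sign',
];

// Addresses that at least one standard pattern accepts but the naive rule rejects.
function rejectedOnlyByNaive(addrs = SAMPLES) {
  return addrs.filter((a) => {
    const r = classify(a);
    return !r.naive && (r.js || r.html5);
  });
}

console.table(Object.fromEntries(SAMPLES.map((a) => [a, classify(a)])));
```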

@skypage @sirphenom yeah, some purposely do it to stop people from using the feature to create multiple accounts.

@Bishop
It's a fool's errand with sites like mailinator or other disposable email systems.
@sirphenom

@Bishop @skypage @Klaatu Well you can always get your own domain name and mail account and all kinds of aliases!

I mentioned that at a parents meeting and I may as well have said it in Latin - @adam is so right about having your own mail server

@sirphenom @Bishop @skypage @adam The real question has always been what if my connection/power goes down? But there were always services like pobox.com to store & forward for you & provide many of those extra features without you having to run a mailer service 24/7.

Twilio SendGrid sendgrid.com/ is new & hyping itself as an SMTP in da CLOUD, Ok stop raffing. $30 to do 100K emails/month.

Why doesn't Adam give JCD SMTP access or run a listserv that only he can post a newsletter to?

@Klaatu I know there are services that will, for lack of the real term, cache your email if your server goes down.

I have a Synology and it has a mail server on it and when I get some free time from going to kiddos swim meets I am going to sit down and learn this thing!

@Bishop @skypage @adam

@sirphenom @Bishop @skypage Well proper config'd SMTP tries to deliver mail to a down node for 3 days. But it usually sends a reply email back to sender saying that so it looks very unprofessional if you're down often or a long time.

Not all nodes you traverse may be set up correctly, so you still risk bounced email, plus size restrictions etc. could affect it.
Which is why today most SMTP's try to deliver directly to the final node (the DSN MX record for the target email addy).

@sirphenom @Bishop @skypage Some SMTP servers have anti-spam limits to the # of TO/CC/BCC addys you can have on an email. But any windows box can simply use a script to send an email to all these addys & then send it again to the next batch limit & keep doing that until all subscribers get a copy.

Add/Drop management of the subscriber list is the harder part to offload.

@sirphenom @Bishop @skypage
Was looking at cheap $160 2bay NAS Monday, got me looking at Synology. Yet a $333 price has me sticking w/old PC based NAS's instead.

Synology's model #'s are 2 digits max # drives it can control (incl all add-on drive boxes), then 2 digit model year. Suffixes vary for enhanced abilities but J variant (Junior) is for cheaper versions. All use the same software package & SHR handles mixed drive sizes better than other brands.

@sirphenom @Bishop @skypage

SMTP FYI: Since NT4, Windows Components on the Add Programs control panel has uninstalled extra stuff like Fax Server, IIS web server, etc. Click on IIS Web server to see its subcomponents picklist & there's www, ftp, SMTP. So you can pick only SMTP to add an old unix style file based SMTP service to any windows box since NT4. Something to play with there on port 25.

en.m.wikipedia.org/wiki/Simple

A lot of good stuff here @Klaatu - you could publish a giblet on this!

@Bishop @skypage

@skypage

I hate when they make me type something that I can copy/paste much more reliably.

My other peeve is password requirements/restrictions. The only restriction that makes sense is minimum length. And ALL characters should be allowed.

@billstclair @skypage No minimum length. I should be able to have no password if I want. Muh freedom.

@billstclair @skypage Must be 7 chars long, not 8 no more than 7 and contain 1 uppercase, 1 lowercase and one of these nine punctuation/special characters (listed here). I hit one of those and went WTF?

You know keepass can generate random passwords for you that are very strong and quite long. Way stronger than any of these stupid site rules produce.

Here, made ya a 20 char 111bits

SrBXAFZioH0PVerCS1Y2

strong pswd & I didn't even trick out the possible options.

@Klaatu @skypage

I prefer Diceware, e.g.

maker line opal item ahead sleek

I wrote some Elm to generate those, https://lisplog.org/diceware

Because of funny restrictions, I enabled removing the spaces, shortening, adding capital letters, digits, or special characters. Even that fails to satisfy a few of the requirements I've found. Sheiza!

@skypage @m00se
Yes, blocking paste is pointless from a security standpoint.
Renaming fields is a way to prevent bots from auto submitting your forms, so I understand why people do it.
Password restrictions usually mean they are doing something wrong on the backend. There is no reason a password can't be 'war and peace' if the user so desires, and blocking special characters means they may have SQL problems.
Forcing people to choose exact requirements enforces bad behavior as well.

@paradisestudios @skypage @m00se KeePass now allows you to put some special markup in an entry's notes field to relate user/pswd data for that account with weird named webpage fields for auto fills. Can even have multiple series of them for really strange sites that may ask in different ways.

@Klaatu @skypage @m00se
Kee, the Firefox add-on for KeePass2, does that for you automatically when you save a new login. I like to logout, then login again with Kee to make sure the login was saved correctly. Sometimes it gets it wrong but it does a pretty good job. May be less secure using Kee but I do like the convenience.

@paradisestudios @skypage @m00se I had an expired password force-reset on my health insurance dashboard. The password reset form conveniently silently truncated my new password to 16 characters from a longer value. The login form even more helpfully did NOT truncate my password.

It took me half an hour to figure out wtf was wrong.

@skypage @m00se @sub0
You can contact the website and inform them of their misguided efforts and there is a slight chance they might listen to you. I have fixed a few sites on the net by helping them see the error of their ways.

@skypage @m00se @sub0
A huge pet peeve of mine was when they let the password go through, yet they stripped some characters out without telling you and now you can't login because you don't know they changed your password for you.

No Agenda Social