koenraad
globular-toast
I'll add to that systems that require particular characters to be used, like "must use capital, number and special character". I prefer to generate longer passwords but using only regular characters because I find it easier to type on the occasions I do have to do that.
Even worse, there are some that restrict what kind of special character you can use. So even when I've generated one I still have to edit to remove one particular character.
Would it really be that difficult to display password strength and say things like "use more characters, e.g. you could use four words".
Y-bar
Even Apple was so annoyed at this themselves that they actually went for a full open-source open-for-contributions GitHub repository at https://github.com/apple/password-manager-resources to get around these issues.
> Many password managers generate strong, unique passwords for people so that they aren't tempted to create their passwords by hand, which leads to easily guessed and reused passwords. Every time a password manager generates a password that isn't compatible with a website, a person not only has a bad experience but a reason to be tempted to create their password. Compiling password rule quirks helps fewer people run into issues like these while also documenting that a service's password policy is too restrictive for people using password managers, which may incentivize the services to change.
indigo945
Ironically, apple.com itself is listed in this repository! Apparently they don't allow non-ASCII characters in passwords.
_0ffh
> Even worse, there are some that restrict what kind of special character you can use
Even worse, there are some that restrict special characters, but don't tell you which!
Now you've got to go trial and error to find out which of the special characters in your password is not acceptable to that precious §("/$& website!
tiltowait
The worst I've seen have uncommunicated password length maximums—but don't error when you exceed them. Instead, they just truncate your password, but only on creation. When authenticating, they don't truncate, so your password you just made with a password manager is "wrong".
Spotify did/does this. Made canceling my free trial really tricky, because I needed to log in again to do so.
piyush_soni
Even worse, when on top of all these they add an arbitrary length requirement: It can't be less than 8 letters OR more than 12. :|
zamalek
Even worse are "secure answers." Aka osint. I just have my password manager create passwords for those too.
user3939382
High quality complexity and password policy guidelines are provided by NIST and no one uses them. It’s called NIST 800-63b. Just use it!
atoav
For my own applications I typically require only three rules to be kept, two of which most users will never even encounter, the password must:
1. be long enough (e.g. 8 characters or more)
2. not be in the list of 10k most used passwords
3. not simply reuse words present in the username, email, birthday (if my application knows about it)
This keeps it open and only interferes with truly stupid (aka insecure) password choices.
Additionally I like to propose 8 passphrases to the user so they can choose one of their liking with one click (this also serves as a proposal what a good passphrase could look like).
Sammi
Good, except min 8 chars is not safe at all. Don't approach any semblance of security before min 12 chars. Min 14 is when you get into real security. The increase in entropy is exponential with password length, so security increases quickly after this.
tim333
I miss the old days of youtube when they had no restrictions. My password was x for ages. I think the only thing I use which still allows short passwords is my apple system password which thankfully is still three characters.
JonChesterfield
Shout out to forms which error out with "Password too long! Must be at most ten characters. All from this subset of ascii". Which seems especially popular with banks.
nullfield
I suspect, somehow, that this is stupidity with the bank's processing core systems, which ... things are weird with financials.
They buy someone out, and now there are two systems. Glued together with duct tape. Then they release a new web product, or mobile app, or whatever, and that gets taped on too. Duct tape and spit all the way down, with everything eventually limited by the most broken part (if you're lucky).
kdomanski
Yeah, banks unfortunately have their opinionated checklists of “best practices”, also known as “what every other bank does”.
tdudhhu
Sometimes I can understand this because banks work with old software that just has these restrictions.
But modern apps: just give us Unicode support. And maybe a limit of 255 characters, but not less.
tazu
Ran into this with TikTok "Creator Marketplace" (for buying ads), password limit of 20 characters... $200B company.
teeray
You want to have weird password rules? Fine. Please make some standardized meta tags my password manager can find so it generates perfect passwords every time. Bonus points for a well-known URI facilitating touchless password rotation.
gorjusborg
> You want to have weird password rules? Fine.
I'd be fine with storing the password policy in the password manager, and having it generate based on that policy next time.
And having all sorts of weird stuff in a password isn't necessary, so neither is the policy. To top it all off, many of the sites obsessed with password quality actually limit password length. Why?! You are comparing password hashes and storing them as hashes, right? So the length shouldn't matter.
Allow passwords of effectively unbounded length, set a reasonable minimum length, and don't obsess about password 'complexity'.
And for the love of all that is good, don't eff with paste.
bondarchuk
All I ask is that the same restrictions are also displayed again whenever I have to enter my password for login.
dwighttk
Also the rules sometimes show up saying you’ve violated them when you haven’t…
yes it’s longer than 8 characters
Yes I have one of your stupid special characters
Yes I’ve fulfilled all your other written rules
Oh… it also has to be LESS than 21 characters? Why did you not say that?
wccrawford
In addition, they will probably also still try to copy to clipboard first, since they probably don't use that interface often enough to remember its special rule.
bittercynic
I generally agree that you should let the user use the facilities they're used to, but if you have a habit of copying and pasting credentials you'll be more vulnerable to phishing.
Firefox and Chrome's built-in password management tools would never accidentally enter your credentials on a lookalike site, but you very well might.
sbuttgereit
That's all great, but then there are the times when they don't offer to copy the credentials where they should. Maybe the "correct" URL was too narrowly defined to be useful, or was taken from the setup context and is otherwise wrong for regular usage.... maybe the site changed their authentication process... etc. In the end, all of this tends to defeat the very resistance to the manual entry impulse you describe. If these password manager entry systems worked more flawlessly, your point would carry more weight... but having to defeat the protection your assertion relies upon is commonplace enough in legitimate purposes that it may well be nullified at all times.
In the end, as long as a site is going to use username/password authentication there will always be the need to educate users about what to expect sans the aid of tools.
mox1
And both of those built-in password management tools are actively targeted by credential harvesting malware.
indymike
> I generally agree that you should let the user use the facilities they're used to, but if you have a habit of copying and pasting credentials you'll be more vulnerable to phishing
This is like advising that glass sidelights be installed next to the vault door.
PH95VuimJjqBqy
> but if you have a habit of copying and pasting credentials you'll be more vulnerable to phishing.
non-sequitur.
getting phished results in the decision to enter the credentials. The mechanism for doing so is irrelevant to that decision.
xboxnolifes
Different security problem, not one that I have.
jessriedel
> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs. In order for the extension to know about that event, it needs the tabs permission, which Chrome describes as "can read and change all your data on websites you visit." That description is very scary, and is certainly not what this extension is doing. Being an open-sourced project, you can always read all the code to see how this extension works, and what it's [not] doing with your data.
The problem is that even if I read the code, or more likely chose to trust that someone has, it's not guaranteed to remain true for future updates. The author's scruples may weaken with time, or they might sell the extension, etc. (I think Chrome's extensions auto-update, but even if they didn't I'd still have to remember that this extension is one that I can't assume it's safe to update.)
nextlevelwizard
The thing is there is no alternative way to do this. I have written some extensions myself and often you can't do anything without having full read and write access to every page.
For example I have an extension that lets you right click an image and rotate it by -90/+90/180 degrees. All I want is for the browser to hit me up when there is a `<img>` tag, but that is not an option. Either I have to whitelist every page separately in the code or ask the user to whitelist every single page or just ask for full read and write permissions for every single web page the user visits.
wanderingstan
As someone working on an extension right now, I can definitely say that you only need the “ActiveTab” permission. With this, the extension only becomes active (and can interact with the page) when the user right-clicks an image and selects the action from the extension.
No need for full read and write permission.
stefan_
I have an extension to replace the "backspace for back" keybind they intentionally broke after 30 or how many years and of course it needs access to everything everywhere, because apparently they can't envision extension functionality that isn't "inject JavaScript".
vsnf
On Firefox this is an option in about:config, no need for an extension. I’m on mobile rn so I don’t have a reference to the specific key, but it’s something like “enhanced backspace”
hahn-kev
For the lay person being able to access any image on any page is pretty much the same thing as being able to access all pages.
enriquto
> The thing is there is no alternative way to do this.
Maybe. But this is not clear at all from the given explanation:
> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs.
The "smoothest experience"... This is corporate wooden language, and sounds disrespectful towards the users. Why does the extension need, precisely, to deal with tabs at all? A smooth experience would allow the users the choice to disable this permission while still working correctly on a single tab (as the previous version did). If this is not clearly explained upfront, it sounds like bullshit, even if it isn't.
Maybe there is no alternative way to do this. But certainly there is a better way to explain this.
Nifty3929
This is a bit cynical isn't it, when the author is clearly being as transparent as possible about what they need and why, which is due to factors outside their control.
Of course you're right in a technical sense. They could do whatever they want later.
But still let's celebrate an attitude like this rather than criticizing it.
Beldin
This has been used as an attack vector in the past: spot reasonably popular plugin; make author an offer; inject whatever tracking/other malware stuff new owners want (typically after a delay).
So now we'd have to trust the author to do thorough vetting of a potential buyer and also not sell if vetting is inconclusive. And this against an adversary aiming to cheat their way past vetting.
Might be a cynical take, but it is not one without reason.
As a sibling comment points out, this is due to the permission model. This doesn't let the author entirely off the hook though: the permissions model created the situation, the author chose a particular path. The consequences may not have been foreseen by either, but they do exist and affect users.
bryanrasmussen
>the permissions model created the situation, the author chose a particular path.
perhaps the most reasonable or even only possible path if they wanted their plugin to be able to do what they wanted it to do, which was to keep sites from messing with your copy and paste functionality - in other words to prevent minor maliciousness.
on edit: sure, to provide the smoothest behavior, but really if it wasn't smooth people would be irritated and not want to use it. I know if I was implementing for myself I would want it to be smooth.
I understand the whole "bad things can be done" perspective, but here for some reason I fall under a "trust but verify" perspective instead.
tracker1
In this case, you can build and self host on Dev mode... It's a pain but doable.
dotancohen
Sounds to me like GP is complaining about Chrome's permission model, not this particular extension.
Nifty3929
That isn't my interpretation having just reread it, but if that poster comes back to clarify otherwise I'll edit my post accordingly.
shakna
It's not cynical - see what happened to ublock. That kind of mess has happened, and will continue to happen, and should be a factor in what you choose to trust.
gorhill
The extension in the Chrome Web Store (CWS) never changed hands. I just reverse-forked a GitHub repo, which was of no consequence to those who installed the extension from the CWS. I was asked to transfer the CWS entry, I refused. This can't be compared to an extension changing hands or going rogue in the CWS.
josefx
Wasn't the worst that happened with it that the guy who took over uBlock tried to take credit for it and asked for donations? Not like he could get away with anything outright illegal when everyone knew he was running the project.
efilife
What happened to ublock? Are you talking about uBlock origin?
beacon294
No, it's well documented. Popular Chrome plugins, mainly free ones, historically have been sold.
jessriedel
Nope. People are being asked to give a bunch of deep access to their system, it's not enough for the author to have pure intentions and explain why they asked. The user should understand the risks, many of which are non-obvious (like the extension being sold).
bee_rider
It would be more transparent to be candid about the limitation of what they can provide.
It isn’t the developer’s fault that the ecosystem is dumb, but they could just note the limitation.
tsimionescu
So you're saying they shouldn't add the feature rather than asking for the permission?
foofie
> This is a bit cynical isn't it (...)
No, it's called security.
Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.
What leads you to believe that good intentions are enough?
bakugo
> Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.
Following this logic, we should all stop using any and all software for which we haven't personally inspected the full source code, since this could happen to any of them.
lowbloodsugar
But WHY do they need that permission? They don't need it to implement the paste behavior. Looks super sus to me.
ambigious7777
The extension needs to re-enable paste, which means it needs to possibly inject some JS into the page.
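To make concrete what "re-enable paste" means at the event level, here is an added example that is not the extension's code and not from anyone in the thread: a minimal model of DOM event propagation, enough to show how a site blocks paste with `preventDefault`, how a script registered on the document in the capture phase defeats that without touching the site's handler (the approach the extension and the bookmarklets in this thread take), and what Firefox's `dom.event.clipboardevents.enabled` pref amounts to. Class and function names (`FakeNode`, `FakeEvent`, `scenario`, etc.) are assumptions for the model, and the pasted secret is a constructed value.

```javascript
// Added example, not the extension's own code: a toy model of three-phase
// DOM event dispatch, used to show paste blocking and paste re-enabling.

class FakeEvent {
  constructor(type, clipboardText) {
    this.type = type;
    this.clipboardText = clipboardText;
    this.defaultPrevented = false; // set by preventDefault()
    this.stopped = false;          // set by stopImmediatePropagation()
  }
  preventDefault() { this.defaultPrevented = true; }
  stopImmediatePropagation() { this.stopped = true; }
}

class FakeNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.value = '';     // text content for input-like nodes
    this.capture = [];   // listeners registered with useCapture = true
    this.bubble = [];    // listeners registered with useCapture = false
  }
  addEventListener(type, fn, useCapture = false) {
    (useCapture ? this.capture : this.bubble).push({ type, fn });
  }
  // Browser-style dispatch: capture listeners root -> target, then the
  // target's own listeners, then bubble listeners target -> root.
  // Returns true when the default action (the actual paste) may proceed.
  dispatchEvent(event) {
    const path = [];
    for (let n = this; n; n = n.parent) path.push(n); // target ... root
    const run = (node, list) => {
      for (const { type, fn } of list) {
        if (type === event.type) fn.call(node, event);
        if (event.stopped) return false;
      }
      return true;
    };
    for (const n of [...path].reverse()) {
      if (!run(n, n.capture)) return !event.defaultPrevented;
      if (n === this && !run(n, n.bubble)) return !event.defaultPrevented;
    }
    for (const n of path.slice(1)) {
      if (!run(n, n.bubble)) return !event.defaultPrevented;
    }
    return !event.defaultPrevented;
  }
}

// Simulates the user pressing Ctrl+V in `input`. clipboardEvents = false
// models the Firefox pref: no paste event reaches page scripts at all.
function performPaste(input, text, { clipboardEvents = true } = {}) {
  const allowed = clipboardEvents ? input.dispatchEvent(new FakeEvent('paste', text)) : true;
  if (allowed) input.value += text;
  return input.value;
}

// What a paste-blocking site does on its password/confirmation fields.
function siteBlocksPaste(input) {
  input.addEventListener('paste', e => e.preventDefault());
}

// What the re-enabling script does: register on the document in the capture
// phase and stop the event before any site listener sees it. Nothing calls
// preventDefault, so the browser still performs the paste.
function reenablePaste(documentNode) {
  for (const type of ['copy', 'cut', 'paste']) {
    documentNode.addEventListener(type, e => e.stopImmediatePropagation(), true);
  }
}

// Builds document > form > input, applies the site's block, optionally the
// fix, and returns the field value after one simulated paste of a constructed secret.
function scenario({ fix = false, clipboardEvents = true } = {}) {
  const doc = new FakeNode('document');
  const form = new FakeNode('form', doc);
  const input = new FakeNode('input', form);
  siteBlocksPaste(input);
  if (fix) reenablePaste(doc);
  return performPaste(input, 'correct-horse-battery-staple', { clipboardEvents });
}

console.log('blocked :', JSON.stringify(scenario()));
console.log('fixed   :', JSON.stringify(scenario({ fix: true })));
console.log('pref off:', JSON.stringify(scenario({ clipboardEvents: false })));
```

Two limits the model makes visible: the capture-phase trick only works against sites that block at the event level, so a site that builds the password from individual keystrokes (as described for one banking site further down) still rejects the pasted value; and the Firefox pref suppresses every clipboard event, including the legitimate "click to copy" handlers another commenter misses, whereas the capture-phase script can be limited to particular sites.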
junar
Not sure why OP linked to a fork instead of the original. But the original has a bookmarklet version if you would prefer an alternative.
https://github.com/jswanner/DontF-WithPaste?tab=readme-ov-fi...
zettabomb
This one is the version linked by the Firefox addon [0]. Honestly can't tell if one or the other is better but I like having it automatically enabled. Considering it hasn't been updated for years (but still works) I'm not particularly worried.
[0] https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi...
varenc
I get around that by downloading the extension source and then using Chrome extension developer mode to “load unpacked extension”. Then I’m confident the extension won’t change on me.
(But for this extension I don’t give it all site permissions anyway. I just enable on site by site basis)
quickslowdown
That's terrible for security, but great for convenience :)
varenc
Can you explain what you mean by this more?
Hackbraten
That's exactly why I use my system package manager to install and update browser extensions.
And whenever the package repository is missing a browser extension I need, I contribute the package and take responsibility for its ongoing vetting and maintenance.
pimlottc
It is also not at all clear to me why it "needs to know when you change active tabs".
Vorh
I just read through the 65LOC source, and it's because it swaps out an active or inactive extension icon based on your active tab.
https://github.com/aaronraimist/DontFuckWithPaste/blob/8cb68...
Leszek
You should have read a few more lines of that source - it also sends an "active" message to the tab, which is what adds and removes the copy/cut/paste event handlers.
jessriedel
Huh. That seems not super important to me. Presumably he could make an option/version where the icon didn't change?
mrd3v0
You mean the permissions system is broken and most extensions do suffer from the same issue?
Nah mate, we at Google, (bless them Mozilla crooks giving us control over their extensions), don't care about actual issues, we only update extensions to make money and limit user freedom.
pants2
Does Chrome have a "Developer Tools" feature for extensions, so you can dive in to the code and network requests?
dkjaudyeqooe
To work around this I usually drag and drop text pasted into the URL field or somewhere, on my Mac at least.
Can I just say though that disabling paste, apparently in the name of security, is the dumbest shit I have ever encountered, right in front of ultra short timeouts everywhere.
If only I could meet the people who make these decisions in person...
S201
> right in front of ultra short timeouts everywhere
> If only I could meet the people who make these decisions in person...
For what it's worth, I was once forced to implement a half hour auto-logout on a website that could hardly be considered as containing sensitive data because an external pentest firm flagged the lack of a short timeout as an issue. The only way we could show clients a passing pentest was to comply with all of the findings. We all knew it was stupid but management gave us no choice but to implement it.
BLKNSLVR
You must have had your shit pretty tight for the pen-tester to have to scrape that from the bottom of the barrel.
vidarh
Sometimes they will just be excessive because nobody applies any kind of critical thinking and/or because they favour looking like they find a lot over any kind of precision. I once had a site where they insisted on disabling ping responses for the website, citing it as a serious security concern. Because surely nobody would otherwise know that the very public website was there.
I replied with listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.
(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)
erhaetherth
Hah..you just reminded me of something I implemented at my old company. We had a similarly short timeout, so I put in a 'heartbeat' that would refresh the timeout if you move your mouse or do anything.
twobitshifter
Here was a dumb one from me the other day.
- I had to use login.gov
- My password manager had a saved login for it, I didn’t remember it, but it worked
- Then the site asked me for an authenticator app code. I checked my authenticator apps and there was nothing there for login.gov.
- There’s a login another way button so I click that and the other way is use the authenticator app!
- I click what if I can’t get my code?
- It says I must DELETE my account.
- I click to delete my account and it sends me an email.
- The email says to wait 24 hours for another account deletion email.
- 24 hours later I get an email that allows me to delete my account.
What was in the account? I have no idea, but it seems that it must be sensitive for some uses of the login. But if it’s sensitive and important why am I able to delete the account, the most destructive thing? Why is an email enough for me to delete it but not enough for me to get an auth code?
wccrawford
I would guess that the 24 hour delay is to allow the real owner of the account a chance to cancel the delete if someone tries to mess with their account.
That said, you're right. This is really weird.
erhaetherth
How is the real owner going to know to cancel the delete? Did it send them...an email?
m3047
It's been too long and I don't clearly remember, but I think I had to use login.gov to establish an account for mumble. There was an option to print out a onetime pad (for 2FA); I chose it just for kicks. Haven't used it but I have it on file "against the day" I lose my normal second factor.
bobbylarrybobby
While an attacker being able to use just a password (and no 2fa) to delete someone else’s account is pretty bad, stealing information from their account may well be worse. There is a lot of personal information that I have that I'd rather see destroyed than fall into the wrong hands.
BLKNSLVR
Even MS Remote Desktop doesn't allow it.
Why do they think password managers exist?
themoonisachees
Mstsc doesn't allow it because the login screen for windows doesn't have copy-paste. It's not that it has been disabled, it's that it was never programmed to have something in the clipboard before logging in. Still, they probably could load the thing first easily, but it's Microsoft we're talking about.
2024throwaway
I use Hammerspoon for Mac, have a shortcut set up for Cmd+Shift+V to actually type the letters rather than use the paste function. Works every time someone pulls this stunt.
> hs.hotkey.bind({"cmd", "shift"}, "V", function() hs.eventtap.keyStrokes(hs.pasteboard.getContents()) end)
brushfoot
I do the same with AutoHotkey for Windows. It's also come in handy in remote connection GUIs that default to the remote clipboard and legacy desktop applications with controls that don't support pasting.
bobbylarrybobby
Keyboard Maestro is also a fantastic app for this kind of stuff, and even adds a reasonable delay between keystrokes (something like 0.05 seconds) to prevent any weirdness.
reaperman
I also do this with AHK on Windows, even using the same keystroke. Though I add a small 10-50ms delay between each keystroke, otherwise the input can get mangled sometimes.
rattray
Thank you. I added this myself, but with option instead of shift (because cmd+shift+v already does "paste without formatting" iirc) like so:
-- https://news.ycombinator.com/item?id=39640745
hs.hotkey.bind({"cmd", "alt"}, "V", function()
hs.eventtap.keyStrokes(hs.pasteboard.getContents())
end)
5ol
Is there any way to do this using a Javascript bookmarklet? I'm on Linux (Wayland), and can't use Hammerspoon or Autokey / Autohotkey.
On one banking website (https://yesonline.yesbank.co.in/) that blocks pasting, even if I enable paste, pasted passwords don't work whereas typed passwords do.
naltroc
Yessss this also solves for Google Sheet's overkill hijack
danlugo92
> have a shortcut set up for Cmd+Shift+V to actually type the letters
Seems like this would be hard to "google"... can you provide a guide or a link to a guide on how to accomplish this?
ihumanable
Maybe try googling the very easy to google for "Hammerspoon" and the guide would literally just be the comment you are replying to.
autoexec
You shouldn't need to trust an addon for this, it's something you should be able to set in the browser.
In firefox you can toggle dom.event.clipboardevents.enabled
amethyst
I wish I could selectively disable only the "paste" events, because it's extremely useful to have "click to copy this value" type of buttons in our various work tools, and I miss the ability to do that every time I try turning off clipboard events to deal with bad actors.
themoonisachees
The solution to this is to treat your clipboard as public in the long term. Don't keep sensitive data in it for longer than you need it. KeePass does this and it's great.
arboles
Even when your password is erased from the clipboard after 10 seconds, that's enough for any of the tabs open in your browser to steal it.
gruez
IME this breaks paste functionality in some web apps (eg. certain terminal emulators or text editors)
arp242
The worst is when it breaks web apps in really confusing, weird, and broken ways.
Slack, for example. Pasting becomes a complete clusterfuck. Things paste in the wrong location, incompletely, etc. I have no idea how they manage to fuck up "paste in a text box"...
Facebook Messenger also broke last time I used it where the tab would start using 100% CPU, but it's been a few years since I last used it, so don't know if that's still the case.
Anyway, I really wish I could do this per website. I have it disabled because GitHub started doing weird and annoying shit when I copy/paste stuff from comments and I absolutely hate it. But ... then it breaks Slack :-/
alpaca128
> I have no idea how they manage to fuck up "paste in a text box"...
For over 5 years Enter has been broken in YouTube's comment text fields. It inserts a new line but often won't move the cursor. Last year for a while they changed the text to black in the dark theme and it was impossible to write comments because the text fields simply never showed up.
Cyberdog
Who’s using terminal emulators and text editors in their browser?
Actually, don’t answer that. I’m afraid of the answer.
gruez
>text editors
google docs, WYSIWYG editors built into any number of webapps
>terminal emulators
ssh/serial consoles on whatever your hosting provider is. Sure, sometimes there's a command line tool to do the same on your OS's terminal emulator, but if it's for a task that you're doing once every few months (eg. recovering a bricked server), clicking a button on a website and getting a shell is just more convenient.
lukan
Wikipedia does. Every site with a CMS. Google docs.
Here to write in the comments you use a simple text editor.
Chrome dev tools can also be used to change the code directly. Quite convenient to have the same dev tool behave and look the same on all the different platforms.
Also, everything ChromeOS related.
Was that so scary?
alpaca128
Never heard of Jupyter Notebook? And services like AWS also have editors and terminals, just like countless other sites.
rand0mx1
Or you can hold shift button while right clicking to force open menu.
coremoff
This used to break google docs copy/paste - haven't tried for a while though, maybe that's fixed
oldandboring
I welcome this extension as I, too, hate when sites prevent me from pasting (eg. to confirm my account and routing number, email address, etc). It fucks with my password manager and of course it's annoying when intricate password rules are implemented to counter the use of weak passwords. BUT. Yeah there's always a but.
But. I have implemented these exact security measures into web applications. I've been handed the requirements and I implemented them. I asked my client why we had to do this, when "everyone" knows that this stuff is terrible user-experience and can backfire spectacularly for security (the same people who would memorize a shitty password and use it everywhere, will now write their expiring, "strong", impossible-to-remember password on a sticky note or save it to a text file or spreadsheet called 'passwords.txt' on their Desktop). The answer is: we have to, for compliance. To pass a security audit. To prove to some major client or insurance company that we have a number of industry-standard measures in place to improve security. Unfortunately, your bank does not care about the 2% of us using password managers. Everyone else is still memorizing passwords, forgetting them, and making jokes about it like it's 2003.
hartator
> The answer is: we have to, for compliance.
Do they?
I don’t remember seeing any compliance requirements you can’t reasonably push back on. This is just overzealous compliance consultants meeting a team that doesn’t really care about their users. People never really question anything.
alex3305
> Do they?
Probably not. In my experience most standards are pretty broadly defined with hardly any technical requirements.
For instance in ISO 27001 it states that you should create awareness in your organisation about information security. A very minimal way is to send a mass email to everyone in the organisation or hang up posters in the office. But I also spoke to someone that was determined that a half day security awareness training was minimally required.
PH95VuimJjqBqy
As someone who has worked in both PCI and PHI environments (and by extension PII), oftentimes these aren't actually about compliance but about someone's interpretation of compliance.
What tends to happen is that auditors aren't going to tell you not to do something you don't have to, they're going to tell you to do the things you must. Then the ones going "above and beyond" become convinced they're great at this compliance thing and others who don't do it are mistaken.
A perfect example is that PCI compliance requires firewalls but I know of a CISO that insisted on hardware level separation between networks with no way to bridge between them. The amount of pain and harm he did to that company cannot be overstated but he was convinced it was a requirement of PCI-DSS.
fredcy
Our PCI-compliance audit dings us for not disabling autocomplete on the login form fields. That's not the same as disabling paste, but heading that direction.
For personal use I just abandon any site that won't let me use my password manager (Bitwarden).
kalupa
you just abandon banking websites?
toonalfrink
Not that hard nowadays to switch to a decent developer-led neobank
adolph
You know that if paste-blocking countermeasures get too popular then the same sites will just implement virtual keyboards.
But I guess if that is too easy for folks with touchscreens then next will be the virtual mouse to click the virtual keyboard. Maybe add a randomly changing acceleration factor to the mouse to tell human and computer apart.
oldandboring
> You know that if paste-blocking countermeasures get too popular
Considering we've had password managers for ~20 years and most people have no idea they exist, you'll forgive me if I'm not concerned about paste-blocking taking off in popularity.
morder
This[1] alternative bookmarklet was posted here a while back.
[1]: https://bookmarkl.ink/ashtonmeuser/6e3869d8e468e016f22a4b4de...
dugite-code
Bookmarklets are seriously undervalued. This is a simple and more importantly readable fix for the issue.
al_borland
I really wish bookmarklets caught on more. They can provide a lot of the value of extensions, without running all the time and bogging down the browser (or tracking the user around the web). The lack of persistent tracking is probably what led companies like Amazon to abandon them.
evgpbfhnr
I wish Firefox would let the wonderbar '*' search feature work with bookmarklets... As it stands I have a few I'll never use because they're 4+ clicks away with no typeable shortcut.
ringer
You can define a keyword for this, e.g. ctrl+l - `ks` (kill sticky) - enter. It has some drawbacks because you still can't search by name and you have to remember the keyword and there is no auto-complete, but once muscle memory gets used to it, it works pretty well. I use keywords for bang searches (!keyword search term) and bookmarklets too.
- https://support.mozilla.org/en-US/kb/bookmarks-firefox#w_how...
nedt
In case of not being able to paste I normally right click -> inspect element and in the console write $0.value="value from clipboard". Works almost everywhere.
Tampering with paste is kinda like turning of autofill and the HTML5 standard is pretty clear when it should only be turned of: ".. particularly sensitive (for example the activation code for a nuclear weapon); or that it is a value that will never be reused (for example a one-time-key for a bank login) ..."
causal
That plainly seems like a mistake in the standard that harms security. What's the reasoning there? That somehow human fingers are less prone to error than password managers?
The only thing I can think of is malware changing the value of the clipboard to fool someone into pasting the wrong thing - but if you open that scenario then you've got all kinds of ways malware could mess with a manually typed field too.
nedt
I see I was missing an f in off. The standard says unless it's an interface on a WMD or similar, let the browser autofill. The part about one-time passwords might indeed have been obsoleted by 2FA. On the other hand we might still want a single user interaction there even if it's just confirming the full value instead of typing in the 6 digits - much like passkey is doing it.
pupppet
Right up there with hijacking Ctrl-F.
dylan604
There's a lot of keyboard shortcuts that mean one thing in the browser but something totally different in another application. Now that it is common for many of these other applications to be web apps, these keyboard shortcuts can start colliding.
Take GoogDocs as an example. Do you want the browser's find or the app's find if you hit ctrl-f in a Doc/Sheet/etc? The vast majority of the users want the app's. Reading a news site, most people would probably expect ctrl-f for the browser's search.
Just pointing out that hard rules will always have exceptions. Except for the TFA's point of copy/paste. Stop manipulating my clipboard with bullshit marketing/tracking bullshit!!!!!!!
8338550bff96
Then the vast majority of users are wrong. The correct answer is for it to be the browser's find.
Maybe apps could bind their find/search to ctrl-s since it is incorrect for browsers to bind this to save-page anyway.
dylan604
why is all of the sudden ctrl-s wrong by the browser?? you make no sense here. you've never needed to save a web page? i guess i'm showing my age, while i don't use it daily, it has been a valuable feature for many reasons before.
Edit: >Then the vast majority of users are wrong.
I strongly disagree, and people unwilling to be flexible ruin the experience, as those people tend to be the minority.
lesuorac
The browser's control-f won't find you text drawn onto a canvas element, so those users really aren't wrong ...
makeitdouble
There are semi-legitimate cases where this is warranted. For instance, when looking at a Notion database, standard Ctrl-F is almost useless, and document search needs to go through the Notion API to return results, sometimes even related to the entries that are displayed on screen.
I say "semi-legitimate" because I actually wish they'd map to a different shortcut, but can see the case for users wanting the remapping.
This of course stems from earlier decisions to have that document handling style in the first place. IMHO it becomes a complex debate when on the line between an online application and a webpage.
AA-BA-94-2A-56
Shouldn’t CMD+F be reserved to searching the current document/context?
Something like CMD+K should be used for a more global search.
easton
You can't use those keys (Super+) in the browser AFAIK. The operating system expects to use them for keyboard shortcuts.
(Guessing on macOS Cmd+V is actually triggering a clipboard event in JS, the site can’t actually see that you pressed Cmd+V)
strbean
Recently learned that if you Ctrl-F again after the hijacking, it brings up the browser search box.
Discovered this thanks to a site (don't remember which) that included a tooltip about this fact in their hijacked search box. I was curious if it would work on Redocly search, which has no such tooltip, and it did. I'm not positive if this works universally, or is just an undocumented feature of Redocly's interface and won't work in places the developers didn't make specific accommodations for it.
Env: Chrome + OSX or Windows.
grishka
I just don't get why browsers allow websites to override their own hotkeys. I'm sure it even required extra code to be written to work correctly.
Linear hijacks Cmd+F for example, very helpfully providing some terrible thing instead of my browser's built-in search that works the same everywhere. (it's the same Linear that thinks you can't not want wysiwyg markdown editing)
nsinreal
Well, for Ctrl+F there is sometimes a reason. Many websites use a technique called list virtualization. That boosts performance, but standard Ctrl+F doesn't work properly anymore.
BasieP2
I know of 2 websites that do this.
1. Confluence: It's super annoying and takes up a lot of screen space.
2. Nexus: It simply kills it. You can use ctrl-f but it simply will not find text right in front of you..
Really, I see no valid case.
aitchnyu
The good sites allow you to hit ctrl f twice to get browser's find feature.
AA-BA-94-2A-56
Stripe’s API documentation does this and it gives me the shits, because it seizes up my M2 MacBook Pro for several seconds.
I can’t believe that it’s 2024, and I can’t simply grep some documentation.
dotancohen
The Vimperator/Tridactyl (Firefox VI shortcuts extension) search / is not hijacked on the Stripe API documentation.
bovine3dom
FWIW, the / search isn't part of Tridactyl but we do inject some code that frees up / from most websites so Firefox can use it.
It's possible to write your own user script to do it (you just need to add a keypress event handler that does preventDefault() and maybe stopPropagation()) with no need for Tridactyl :)
ytpete
Cmd-L followed by Cmd-F will always get you the real browser search, at least.
tom_
And overriding Ctrl+K without even being so good as to give way when you type it a second time. Assholes.
oneeyedpigeon
We're talking about you, Slack. (At least I can now remember which app is the one that breaks Cmd-K, but it's still annoying that I have to think that little bit longer to recall that info. every single time I press Cmd-K anywhere)
dugite-code
Hell, just hijacking any standard browser controls is infuriating when it catches you out when you're just not paying complete attention.
Edit: Apparently Firefox has the `permissions.default.shortcuts` config option
UNKNOWN: Services.perms.UNKNOWN_ACTION [0]
ALLOW: Services.perms.ALLOW_ACTION [1]
BLOCK: Services.perms.DENY_ACTION [2]
PROMPT: Services.perms.PROMPT_ACTION [3]
And in the site information panel you can disable the Override keyboard shortcuts permission on a per-site basis. Neat, doesn't solve the paste override issue though. Source: https://support.mozilla.org/en-US/questions/1241294#answer-1...
crtasm
A huge thanks for making me aware of this. permissions.default.shortcuts firmly set to 2.
Lio
My personal hate is when webpages rebind scrolling to zoom.
I haven't used a mouse in almost 15 years. It's a constant source of annoyance when I try to scroll something with a map with my trackpad and it goes crazy zooming in and out.
vault
Anyone else noticed OP got 399 upvotes for sharing a fork with no significant upgrades compared to the original repo?
Aissen
Original repo author rejected the PR for Firefox support, so the owner of the fork did just that - fork to add 6 lines of manifest:
https://github.com/jswanner/DontF-WithPaste/pull/29
(I admit though that the unrelated .gitignore change had nothing to do in the original PR)
mrunkel
Well, this is for firefox, and the other is for Chrome, so maybe that's a significant upgrade?
luzojeda
IMO upvotes are due more to a "Yes, I agree, hate when that happens" than a "Thank you for this useful tool OP"
zettabomb
The fork is for supporting Firefox, which I consider to be a significant upgrade as I don't use Chrome in the first place. You can see the original repo easily, but it's far more annoying with GitHub to find a particular fork. I can keep it to myself next time if it offends you that much though, no reason to tell other people on HN about something I found interesting.
delegate
Oh yes, 3 files changed compared to parent and the changes are gitignore and updated URLs to the forked repo.
MezzoDelCammin
yep. Quite the WTF
freediver
This was one of those things that frustrated me so much that we ended up building this natively into Orion browser (Tools menu -> Allow Copy & Paste). [1]
One of the joys of building your own browser.
idonotknowwhy
Cheers for making Orion. I don't know how you guys managed to support Firefox and Chrome extensions (on iOS) but it's amazing and made moving from Android so much easier!
freediver
Just the sheer determination to build the best browser in the world :)
igetspam
Brave has a "force paste" that I use now instead of Chrome and the linked plugin. I assume the motivation was the same. (What a*hole thinks blocking paste is reasonable??)
Good on you for solving this too. It's a nonsense bit of functionality.
serial_dev
It's always incapable product owners and business people who don't understand security but think they do.
cute_boi
The problem with orion browser is it is not opensource.
quadhome
Why allow pages to disable copy & paste at all?
musicale
It's kind of a misfeature, but the non-evil idea was probably to provide hooks for customizing copy and paste (or other standard command functionality) in beneficial ways, for example seamlessly copying and pasting custom data formats between web apps, or between web and desktop apps.
It is a law of the web that any potentially beneficial browser feature will immediately be (mis)used in an abusive, user-hostile manner.
Spivak
It's not about disabling it, it's about intercepting it by telling the browser that you're directly handling paste events and then doing nothing. The extension just forces the browser default handler.
panja
Sadly, I am not in that ecosystem :(
ghostpepper
How would you rate the security posture of Orion compared to Chrome?
torstenvl
Well, there are apparently whole classes of JavaScript malware that Orion blocks but Google doesn't...
ghostpepper
This is exactly what I was asking, not sure why my post was downvoted
freediver
Along what axis?
ghostpepper
Size of security team? Mean time to patch actively exploited CVEs? Availability of source? Etc
lolinder
For something simple like this that doesn't really need to be on all the time I've started leaning back towards bookmarklets over extensions. The code is usually simple enough to actually audit, it only runs when you click the bookmarklet, and it doesn't update underneath you without warning.
A few months back someone shared several bookmarklets that they use, one of which was a simple one that disables all clipboard events on the open tab:
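The "force paste" idea described above (bovine3dom's preventDefault/stopPropagation user script and lolinder's clipboard bookmarklet), as an added example that is not code from the thread or from the DontF-WithPaste extension. It assumes only the standard DOM EventTarget API; the hostile page handler in `simulatePaste` is constructed for illustration.

```javascript
// A bookmarklet-style guard that stops a page's own paste/copy/cut handlers
// from running, so the browser's default action (the actual paste) proceeds.
// Note it never calls preventDefault: the default action is what we keep.
function installClipboardGuard(root) {
  // Self-contained (no outer references) so it can be stringified below.
  const guard = (ev) => ev.stopImmediatePropagation();
  for (const type of ["paste", "copy", "cut"]) {
    // Capture phase on the root: in a browser this runs before any handler
    // the page attached to the input itself or to a bubbling ancestor.
    root.addEventListener(type, guard, { capture: true });
  }
  return guard; // keep it to uninstall with removeEventListener later
}

// Wrap the guard as a javascript: URL that can be saved as a bookmark.
function toBookmarklet() {
  const body = "(" + installClipboardGuard.toString() + ")(document)";
  return "javascript:" + encodeURIComponent(body);
}

// Constructed simulation (hypothetical) of a site that registers a paste
// listener and calls preventDefault to swallow the paste. In Node the
// EventTarget has no tree, so listeners fire in registration order; in a
// browser the capture flag gives the guard that precedence instead.
function simulatePaste(withGuard) {
  const field = new EventTarget(); // stands in for an <input>
  let siteHandlerRan = false;
  if (withGuard) installClipboardGuard(field);
  field.addEventListener("paste", (ev) => {
    siteHandlerRan = true;
    ev.preventDefault(); // the paste-blocking behaviour being discussed
  });
  const ev = new Event("paste", { cancelable: true });
  field.dispatchEvent(ev);
  return { siteHandlerRan, pasteBlocked: ev.defaultPrevented };
}
```

With the guard installed the site's handler never sees the event and `defaultPrevented` stays false, which is exactly what the browser checks before performing the paste.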
eviks
But then you need to click
Also you can get the extension loaded locally, and it will never update
lolinder
I run into one of these broken-clipboard situations once every few months, I can afford to spend an extra click in order to not have an extension active on every website I ever visit.
eviks
It "ensure the extension is only running on sites that are bad actors with copy & paste events a", so what exactly can you not afford?
By disabling user input, application security actually gets worse. Users who can't paste, e.g., passwords will use less complex passwords to avoid the trouble of typing in their initially good passwords. But user experience also degrades when applications enforce complex input and users generate that input like a chad, as they should. But now they cannot paste…