Bad Form

I am about to read the deepest parts of your mind and reveal something to you that you may not even be aware of yourself. You hate filling out forms on websites! Is your mind blown yet?

As a web developer, I'll admit that I'm not fond in the slightest bit of creating forms, but my knowledge of what is possible (and relatively easy) as well as the reasons for certain things makes filling out forms for things such as online billing even more miserable, and sometimes just plain scary. The following is a mildly fictional adaptation of real experiences.

TL;DR

  • I don't like to trust people with my credit card or credit card number
  • Sites that disable autofill and pasting discourage use of password managers
  • If there is a restriction on characters in a password, the site may be vulnerable to SQL injection
  • If there is a restriction on password length, the site is likely not storing passwords securely
  • Not mentioned, but if the site is able to send you your password in an email, they are storing passwords insecurely

Having recently moved from Bakersfield back to my hometown, I was setting up eBilling on all of my new utilities. I never felt comfortable paying by phone because that requires telling a stranger my credit card number, and paying by mail adds to the concern by leaving open the possibility of someone grabbing my mail before it is picked up. While paying bills online suffers from its own concerns, at least I have TLS to protect my information while in transit and the knowledge that I'm not trusting a stranger to not write down or memorize my credit card number. Making a payment in office isn't ideal either, since very few are setup to use EMV cards and there have been a times that credit cards machines have been compromised.

So, here I am trying to find out where and how I can make a payment. Of course, the first step involved creating an account, so I'm going to need to register with my email address and a password. Knowing that passwords should be both strong and unique, I've recently switched to using a CLI password manager called pass (which is kinda awesome since it uses Git and PGP). So, I generate a password consisting of 35 or so random characters (pass generate --clip bills/someCompany 35) and paste it into the input for my password. And… Nothing. It won't paste.

Why? What purpose would this company have in disabling pasting when filling out a registration form? That makes it kinda difficult to use any clipboard based password manager, which encourages reuse of weak passwords. Just to be sure, I try to paste by right-clicking, and they've disabled that too. It's annoying, but I can fix this and hope that they don't do the same for their login form.
$$('input').forEach(input => input.removeAttribute('onpaste'));

OK. Now I've got my password entered and repeated and I submit the form. And, I'm not really surprised to see that my password is not accepted… Of course it contains invalid characters! As a developer, I interpret restricting characters as a band-aid hack to prevent SQL injection, so that tells me that the database is available to anyone who can find a single place where input is not properly sanitized. I guess there's nothing I can do except try a weaker password.

So, let's try a long password without special characters. pass generate --no-symbols --clip bills/someCompany 35. Repeat the above step to re-enable pasting and submit.

Your password is too long. Maximum password length is 8 characters. Well that's just dumb! On top of requiring an even weaker password, they've just told me that they're probably storing passwords in plain text. If they were storing passwords properly (salted hash, or even just as a hash) the length of the password would make no difference when stored to a database because the hash of the entire works of Shakespeare is the same length as the hash of a single character. So, not only are they likely to be vulnerable to SQL injection as indicated by limiting the characters I can use, but anyone who manages to find a single place where they neglected to sanitize input will have access to all of their users' passwords without any difficulty.

Fine. At least I'm using a unique password here. I may have to re-enable my ability to paste in my password at sign in, but when someone hacks this site they won't be able to use this password anywhere else. It's almost ironic that they have taken steps to prevent use of a password manager on a site that is a shining example of the need for them.

This whole time I have been wishing that they had done some client-side form validation. Instead of waiting for me to submit the form and await a response from the server only to find out that my password was too long, they should have used the maxlength attribute. And they should have used the pattern attribute as well so that I would have known before submitting that certain characters were not allowed. This would have been more convenient to their users, lightened the load on their server just a bit, and also added another layer of protection by not allowing forms containing invalid data to be submitted in the first place, even if that isn't universally supported and is relatively easy to remove or change.

Submit form again.

No surprise there. They've disabled autofill, so Firefox isn't asking to save my password for this site. Allowing your browser to save passwords is a valid security concern by default, but using a master password (which is not available in Chrome or anything else that I am aware of) reduces the risk of malware being able to discover my passwords.

After spending far too much time signing up for online billing for this site, I am now finally paying my bill. I'm usually not this paranoid, but just because they've done everything else so poorly, I click on the lock icon indicating an encrypted connection and take a glance at the certificate. TLS 1.0. Yeah, I'd bet that they probably still allow use of SSL in some form on here, so they're almost certainly vulnerable to downgrade attacks. TLS 1.0 has had some concerns in the past, but to my knowledge they have all been patched, so I'll regard this connection as relatively secure.

Would you like for us to remember your credit card number for future payments?

Hell no!
After seeing that you are incompetent in the most basic security practices (passwords), there is not a chance that I'm going to add my credit card number to that database of yours.