Display/copy specific characters from password

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

Display/copy specific characters from password

Postby Sibiu2 » Wed Jan 02, 2013 8:12 am

I have to log on to a site that asks me for random characters from my password each time to authenticate myself. With a randomly generated password I have to display it in the clear and count along it the specified number of characters.

This is both time consuming, error prone, and means I cannot log into the site in a public place as the clear password is exposed on the screen.

Please could you add a dropdown to the screen allowing me to either display or copy to the clipboard a specific character from my password so that I can paste it into the website.

Thanks

Paul
Sibiu2
 
Posts: 1
Joined: Wed Jan 02, 2013 8:03 am

Re: Display/copy specific characters from password

Postby passwordfairy » Tue Apr 23, 2013 6:09 am

I second this request. It is becoming quite a common feature, especially of financial sites, to ask for random characters. When we use secure passwords generated by LP it is much harder to be able to remember which character relates to the random sequence and the consequence is that we will either use less secure passwords or, as the OP said, have to resort to displaying our secure password openly in order to enter them.
passwordfairy
 
Posts: 10
Joined: Mon Oct 24, 2011 8:05 am

Re: Display/copy specific characters from password

Postby JoeSiegrist » Tue Apr 23, 2013 11:22 am

We hate these for a number of reasons and suggest you bitterly complain to your financial institution on the following grounds:

1) It is always less secure to only give a portion of your password to login.
2) It is guaranteed that the financial site is storing passwords incorrectly, in the clear, without hashing or key stretching of any kind. Financial site gets hacked? Your password is out in the wild. For many people who are uninformed about passwords, they reuse passwords, it's a terrible security practice.
3) It's less convenient for people who are doing the right things like yourselves, and for everyone really.

None of these are acceptable, we should start a list of companies doing this so we can publicly shame them into storing passwords safely. It's unacceptable that financial institutions store passwords in way that they can get to them in the clear. As a potential workaround we could probably modify the bookmarklet to provide you this functionality, but the right move is not accepting brain dead practices by your financial institutions.
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Display/copy specific characters from password

Postby jonat » Tue Apr 23, 2013 1:08 pm

I have yet to encounter this misguided approach to security and agree with Joe that it indicates that the site has unacceptable security practices.
jonat
 
Posts: 2193
Joined: Thu Dec 09, 2010 8:42 pm

Re: Display/copy specific characters from password

Postby gruntfutuk » Thu Jan 02, 2014 12:57 pm

I suffer this now with several financial sites. Whilst I agree in principle with the criticisms you, LP, have made about sites taking this approach, and have complained, it seems unlikely that these institutions are going to shift easily and in the meantime, I have to suffer.

It is worth pointing out that, in my case at least, this random character stuff is only one part of their "security" as they also ask for a passphrase and sometime a code generated from whatever additional device I have to carry around.

Therefore, I really really would like to see you add a feature to be able to quickly copy the nth character from the password without having to reveal them to observers or making me count character positions. (Actually, one site requires me to select the correct character on a drop down rather than pasting it in, so I do need to reveal the nth character in my password then so I know what to select.)
gruntfutuk
 
Posts: 47
Joined: Mon Nov 04, 2013 4:44 pm

Re: Display/copy specific characters from password

Postby craigpenton » Tue Jul 15, 2014 6:20 pm

This would be a really useful feature if added. I can see that it would not be trivial to implement but there are still a number of sites that use this manner of authentication (usually only part of the login process so not sure I entirely agree with the very negative security comments).

Fingers crossed!
craigpenton
 
Posts: 2
Joined: Tue Jul 15, 2014 6:17 pm

Re: Display/copy specific characters from password

Postby nh592 » Sat Aug 02, 2014 11:06 am

I agree that it would be a useful feature to have. All the financial websites I have come across in the UK that don't implement multi-factor authentication require specific randomly selected characters from a password or PIN number to be entered. It would be even better if lastpass could just automatically fill in the specified characters to avoid the need for additional software, such as ewise accountunity, to access such sites. Having to display a password from lastpass as cleartext and then pick the characters and enter them correctly into a web-browser is not easy and potentially insecure. It is not true that the lastpass master password is the last password you have to remember while lastpass continues to be incompatible with so many sites!

I'm not convinced that Joe's assertions are correct:-
1) If there is any risk that your computer is infected with malware (e.g. keylogger) then it is possibly more secure to only enter a subset of the character in your password, providing that the subset is large enough and that the character positions are changed randomly on each attempt. It is difficult for any of us to be 100% confident that an internet connected computer is free of malware.
2) I don't think it is necessarily true that such sites store passwords as plaintext. There are various different methods they could employ to encrypt the data and still have the ability to decrypt specific characters.
3) It is certainly less convenient, but there is little chance that such organisations will change to a method that they perceive to be less secure.
nh592
 
Posts: 1
Joined: Sat Aug 02, 2014 10:15 am

Re: Display/copy specific characters from password

Postby p8o7Ht2VTvNA » Wed Aug 27, 2014 12:33 am

From my guess, the primary reason why they do this is because financial institutions often need to ask for information over the phone; it makes sense for them to only ask for specific characters if they need to verify your identity over the phone.

That being said, I came to this thread precisely because I was looking for a way to get Lastpass's automated system working with character requests. Is there not a way for us to specify the location of the fields, and Lastpass can detect which character it needs to insert based on the surrounding text?

This is a common thing with financial institutions in the UK, though both my financial institution in the US and Canada don't require it.
p8o7Ht2VTvNA
 
Posts: 2
Joined: Wed Aug 27, 2014 12:30 am

Re: Display/copy specific characters from password

Postby mail284 » Wed Sep 10, 2014 5:43 am

I created a thread with a different suggestion to the problem. viewtopic.php?f=7&t=145105

Often websites requires authentication by entering the X digit of a password. On long passwords its very difficult to count the digits quickly...

1) Feature to display the password with the digit number. E.g.

1) P 2) A 3) S 4) S 5) W 6) O 7) R 8) D

2) Extend the above feature to unlimited sub=passwords in the notes section
mail284
 
Posts: 7
Joined: Tue Sep 09, 2014 7:39 am

Re: Display/copy specific characters from password

Postby progers885 » Fri Sep 19, 2014 8:48 am

I currently use roboform and use a "login tip" pop up to display the password so I can select whichever character/s of the password that needs to be entered I appreciate the former comments that this is not good programming practice however the bottom line is this is what European financial sites are using as PART I repeat PART of their authentication.

I was under the impression that password managers were there to make my life easier, I can understand that coding filling in the specific character of the password being requested be complex so I don't understand why you will not implement a roboform "login Tip" to work around this problem.

Taking the moral high ground on security (re viewtopic.php?f=7&t=145105) results in your customers suffering as believe me the European financial institutes are not going change and if anything more appear to be adopting this verification stage.

I was looking into switching from roboform as every time firefox has a major upgrade the roboform toolbar disappears and I have to get a new version of roboform to fix this; but it looks like I will stick with roboform for the login tip feature.
progers885
 
Posts: 3
Joined: Fri Sep 19, 2014 8:12 am

Next

Return to Feature Requests

Who is online

Users browsing this forum: Sourav36 and 11 guests