Our iPhones store all our passwords as text. I’ve never noticed that until about a year ago. Of course to view them I’d need to enter my device password, but that’s just 6 digits. We don’t use fingerprints b/c we need to access each other’s devices. People can also make you press your finger to it for some nefarious reason or because they are border control and can pick on you if they feel like it… So if I’m traveling they can access my bank account’s password? What gives?
I “canceled” my Apple two-step authentication a few times (we seem to stumble into it every time we log on) because, well, I got stuck trying to type one of our randomly generated passwords to get in, and my time expired – they locked me out. I’ve had a similar problem with my bank account… I can’t remember what I was doing wrong, just that it seems to be connected to the fact that it’s the two of us and we share stuff, and they don’t want us to. Works for me when accounts verify me with a text, the rest of the acrobatics I just don’t really get.
I use guest accounts whenever possible, and I don’t store my credit card on most sites (hoping they don’t do it on their end) and I routinely lie about my birthday and don’t easily give out personal information and use randomly generated passwords on sensitive accounts, but I find the whole landscape of user names and passwords wherever I turn exasperating. Though, I suppose, it’s only one part of the constant harassment my digital devices --and the companies that leverage them-- put me through. Computers were supposed to save us time and make things easy, but at this juncture, it feels like more and more of my time and energy is being squandered on cryptic and bureaucratic BS.
That is truly appalling for a company that should understand security. I’m not even sure what insecurity they think they’re protecting against by blocking pasting. But it fundamentally undermines the security of all their accounts. If it were me, I would cancel the card as I wouldn’t trust a company like that to get security right (never mind my low tolerance for the hassle this would cause me when trying to manage my account). But if you don’t feel you can do that, you might want to check out “Stop the Madness”. Overriding paste prevention is one of its features.
FWIW, the 1Password plugin is still working for me with Safari on the Citi website for my Costco card. But I also did cut and paste for the user ID and password and they worked fine, too. (I don’t have a 64 character password, but it still pasted fine into their website.)
They may not “support” it, but it still appears to work fine on Safari and Monterey for me.
Likewise, I was able to log in (via www.citi.com) using Firefox and its built-in password manager. I don’t think it uses the clipboard to fill in the password field, but it was able to insert the correct data.
The passwords are stored with encryption. When you’re prompted to enter your passcode (or if you have Touch ID or Face ID enabled and that’s an option) that’s used to decrypt the entries that are needed to display or fill it. Then the key is discarded from memory.
Six digits is likely not enough for full security, at least against governmental-scale interests in the contents of your phone. What’s largely recommended is a longer PIN or a full-scale passphrase.
I agree about the concerns related to Touch ID (or Face ID) because their uses can be coerced. As someone who lives in and travels within the United States, and am not involved in political activism or international commerce, I haven’t worried much about the potential compulsion for my biometrics to be used against me. If I needed to travel outside the country, I’d strongly consider what I brought with me and disabling Face ID/Touch ID. Many people who travel to China and other countries bring burner phones and laptops and set up burner accounts before they travel so they can discard everything on their return.
Just a small piece of info: you can have more than one person’s fingerprint on the same device. My wife and I have our own iPads and iPhones and separate IDs, but we can both unlock each other’s devices with a fingerprint. I believe the same applies to Face ID.
While I agree with the idiocy of preventing pastes, if you have Keyboard Maestro, you can work around it by creating a macro that consists solely of Insert text by typing %SystemClipboard%. Invoke the macro, and whatever’s on the clipboard will be typed as if you were typing it by hand.
(I imagine other text macro applications allow the same sort of thing, but Keyboard Maestro’s the only one I’ve used.)
My experience this morning is the same as @jrdodds. I wasn’t able to log into Citi’s site with 1Password or with cut-and-paste. It’s really annoying since my password is long and random. I tried both Safari and Firefox.
EDIT: 1Password still works for me; it turns out Citibank decided to invalidate my password for some reason.
Thanks for the article, @glennf. It was about 15 years ago that I started asking my employer why it required a password change every six months. As you might expect, “because” was the most intelligent answer I received.
Chase did something similar to me (not paste, but a 2FA verification method), but it didn’t inform its own reps, who had no idea that something had changed. I read about the change on a discussion forum.
FWIW, I have a note that tells me a possible workaround in Firefox to preventing pastes. The note says to set dom.event.clipboardevents.enabled to false to enable paste if web page has disabled paste. (To do this, enter about:config in the address line of a tab, acknowledge the warning, search for dom.event.clipboardevents.enabled, and double-click it if it’s true.) I welcome comments about why this works and whether it’s a good idea.
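To show why that Firefox preference helps, here is an added illustration that is not from this thread: a minimal Node.js model of how a site’s “no paste” script works and what changes when clipboard events are switched off. It assumes (my understanding of the preference, not something stated above) that with dom.event.clipboardevents.enabled set to false, Firefox simply does not deliver cut/copy/paste events to page scripts, so a handler that would cancel the paste never runs and the browser’s default insertion proceeds. No real DOM is involved; the field, the listener list and the event are simulated.

```javascript
// Added illustration (not from the thread): a simulated browser event flow.
// A page's paste blocker: the handler cancels the default action, so the
// browser never inserts the clipboard text into the field.
function pasteBlocker(event) {
  event.preventDefault();
}

// A tiny stand-in for an <input type="password"> with a paste listener list.
function createPasswordField() {
  return { value: "", listeners: { paste: [] } };
}

function addPasteListener(field, handler) {
  field.listeners.paste.push(handler);
}

// Simulate the browser delivering a paste of `clipboardText` to `field`.
// When clipboardEventsEnabled is false (the Firefox preference set to false,
// as assumed in the lead-in), the page's listeners are never invoked, so
// nothing can cancel the default action and the text is inserted.
function dispatchPaste(field, clipboardText, { clipboardEventsEnabled = true } = {}) {
  let defaultPrevented = false;
  if (clipboardEventsEnabled) {
    const event = {
      type: "paste",
      clipboardData: clipboardText,
      preventDefault() { defaultPrevented = true; },
    };
    for (const handler of field.listeners.paste) handler(event);
  }
  if (!defaultPrevented) field.value += clipboardText;
  return field.value;
}

// Scenario: the site registers the blocker, and the user pastes a 50-character
// manager-generated password (constructed placeholder, not a real credential).
function runScenario(clipboardEventsEnabled) {
  const field = createPasswordField();
  addPasteListener(field, pasteBlocker);
  const secret = "x".repeat(50);
  return dispatchPaste(field, secret, { clipboardEventsEnabled });
}

console.log("events on :", JSON.stringify(runScenario(true)));   // blocked, field stays empty
console.log("events off:", runScenario(false).length, "chars pasted");
```

The defender’s takeaway is that the blocker buys nothing against a malicious script or a keylogger (which see the field regardless) and only penalises users of password managers; the usual advice, matching NIST’s current guidance, is to allow paste in credential fields.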
Here is an article on–and link to–the interview with Bill Burr, the “former National Institute of Standards and Technology manager [who] admitted that a document he authored on crafting strong passwords was misguided.”
Theft, no: someone has to have access to your passphrase or biometrics. The data is stored in such a strong fashion that there’s no known feasible way, even for governments, to extract passwords from an iPhone, iPad, or Mac. Brute-force cracking only works on limited-length passwords, and it has to round-trip through the actual device, and Apple is constantly patching exploits that make that easier (and suing companies that provide the service, even if they offer the service to the FBI).
Coercion: always an issue. Rare that anyone who isn’t the target of a government for illegitimate reasons (activist under a dictatorship, arrested wrongly in a democracy), an actual criminal, or being robbed in a very particular way encounters that.
I decided to reset my password for Citibank last night and entered my old password for the new password so I wouldn’t have to hassle with updating the entry in 1Password. The website didn’t complain that I was reusing an old password; it complained that the 50-character random alphanumeric password was weak because it did not have any special characters in it. After I updated to a password with symbols, filling from 1Password worked fine.
So I think the rep you spoke with might have been wrong about the reason it wasn’t working for you. It seems Citibank decided to require at least some of us to reset our passwords, but I don’t recall receiving any notice from them.
Perhaps the original (and as far as I can see, the only valid) reason for expiring passwords is because of the risks of shoulder surfing. This could have been a real issue in open-plan offices or where screens are visible by clients. There is a real risk that your password will eventually be seen by someone who wants to get it (i.e. by looking at your fingers on the keyboard). Any parent will tell you that it is not easy keeping passwords or PIN codes secret…
Not to mention the risk from video surveillance. Any time you enter your password in a space where there might be cameras, you risk someone accessing the video and figuring out the password from your keystrokes.
Then there is inadvertent visual disclosure - accidentally typing the password in the user or other plain text field. There is a risk someone sees (or it is captured on video).
Of course, using password managers eliminates that risk; the password never appears in plain text in ordinary operation. With the appropriate plug-in or extension for a browser, the password manager recognizes the URL and, either on its own or once you start typing a user ID, fills in the rest of the user ID and the password, masked by '*'s. If you let the manager create the password, you can also see it only on request. If you need to copy it and paste it into a password field, that too is totally masked. At worst, the snooper will only be able to determine its length.