Why You Should Never Copy and Paste Your Passwords

Everyone knows that the password input field (login field) also accepts copy and paste, and this is the biggest security failure since the internet era began. If you think you are smart enough and can't be hacked, you should probably give it a second thought. Sometimes little mistakes can be highly devastating, and there is no shame in admitting that we all make mistakes and are careless at times.

You will never hear any security personnel or any website say they are hack-proof, because the truth is that nothing is hack-proof; only the noobs won't admit it. Hackers have been successfully phishing credit card data, social security numbers and, of course, your online identity in bulk with very simple tricks.

Did you know that every company, big or small, has a hacking history? Yes, and these companies include Twitter, Google, Microsoft and also NASA. Of course, you can look that up for more information if you want. And remember, no one is safe here; if you think you are smart enough, buddy, you are at big risk.

Now let's get back to our topic. Almost every one of us copies and pastes, right? Isn't it simple to just press Ctrl+C (copy in Windows) to copy and Ctrl+V (paste in Windows) to paste? We are all so used to it that we even copy and paste our passwords into login fields. Some are so lazy that they can't even type their 8-character password, and that's where the biggest risk comes in. Believe me, it's not at all safe. It doesn't really matter how complex or long your password is: if you use copy and paste to enter a password in a browser such as Internet Explorer, you are at big risk, my dear.

Most of us are active on many websites, including social networks, and for good reasons we set up different passwords (which is a good thing). But gradually it becomes tedious to remember so many passwords, and we end up creating an Excel sheet or text document of our passwords and later just copy and paste whenever required. So we finally make that small mistake, which is enough for the cyber criminals.

How Is This Possible?

When you copy any data on your PC, including big files such as movies, it gets stored in the clipboard (on your system), and this clipboard data is accessible from the internet with simple JavaScript and can then be stored in a database using any server-side language. That means your friend sitting far away from you at another PC can access any data that you have copied using simple JavaScript. Yes, it is a very simple yet effective trick to steal data (personal information) without authorization.

Try it yourself!

Works only on Internet Explorer

  1. Copy any random text from this page or from your PC.
  2. Open your Internet Explorer 6 and go to http://www.hacker9.com/your-clipboard-data

You will see your last clipboard data in the message box. Surprised? You shouldn't be.
If you are using Internet Explorer 8, you will be asked to choose whether you want to allow the web page to access your clipboard data or not.

The clipboard-hacking JavaScript for IE

<script language="JavaScript">
// Read the clipboard text through Internet Explorer's clipboardData object
var content = clipboardData.getData("Text");
// Show the clipboard text in a message box
alert(content);
</script>

This script works only on Internet Explorer, and not on Mozilla Firefox or any other browser, but this doesn't mean that you are safe; there are scripts for those too. For security purposes I have not listed the other scripts.

As you saw, it successfully displayed your last copied text. It is also possible to save that data in a database on another server, where a hacker can easily access it later. This test proves how unsafe it is to work with Ctrl+C while you are online. Hence, do not keep sensitive data (like passwords, credit card numbers, bank account numbers, PINs, ATM codes, etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard to steal your sensitive information.

Protection for IE users:

To avoid clipboard hijacking, do the following:

  1. Go to Internet Options and then Security.
  2. Press Custom level.
  3. In the security settings, select Disable under "Allow paste operations via script".

Now the contents of your clipboard are safe.
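
The setting changed in the steps above can also be checked from PowerShell. The following is an added example, not part of the original article; it assumes the dialog entry corresponds to URL action 1407 in the Internet Explorer zone registry keys (0 = Enable, 1 = Prompt, 3 = Disable) and that the steps edit the Internet zone (zone 3).

```powershell
# Added example: report URL action 1407 (scripted clipboard access) for every
# Internet Explorer security zone, and optionally disable it per user.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Policy locations first, then the ordinary per-user and per-machine keys.
$Roots     = 'HKCU:\Software\Policies', 'HKLM:\Software\Policies',
             'HKCU:\Software', 'HKLM:\Software'

function Get-ScriptedPasteSetting {
    foreach ($zone in 0..4) {
        foreach ($root in $Roots) {
            $key  = Join-Path (Join-Path $root $Suffix) "$zone"
            $item = Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set at this location
            $value = [int]($item.'1407')
            $state = $Meaning[$value]
            if (-not $state) { $state = "Unknown ($value)" }
            # Anything other than Disable lets page script reach the clipboard,
            # silently (Enable) or after a prompt the user may accept (Prompt).
            [pscustomobject]@{
                Zone     = $ZoneNames[$zone]
                Location = $key
                Setting  = $state
                Exposed  = ($value -ne 3)
            }
        }
    }
}

function Disable-ScriptedPaste {
    # Zone 3 = Internet, assumed to be the zone the steps above change.
    param([int]$Zone = 3)
    $key = Join-Path (Join-Path 'HKCU:\Software' $Suffix) "$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1407' -Value 3 -Type DWord
}

Get-ScriptedPasteSetting | Format-Table -AutoSize
# Disable-ScriptedPaste -Zone 3   # uncomment to apply the per-user setting
```

A value reported under a Policies key comes from Group Policy, so change it there rather than per user.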
Please forward this article to as many friends as you can to make them aware of this issue.

Thanks to Amol Bharti, Security Researcher. Visit him at amudee.com

  • Ashwin..yet another useful and informative post. I have been doing the same a lot these days. Simply copying and pasting passwords for easy login but it certainly looks dangerous from the way you have described it in your article. Will keep it in my mind forever. Thanks buddy…Keep writing and informing 🙂

  • I'm using Windows 7. When I followed your trick, a warning message popped up, showing whether or not to allow Internet Explorer access to the clipboard.
    If I say 'no' it won't show.
    So nothing to worry about unless we click 'yes'.

  • vijay

    Just like you told the protection for IE, is there any protection that we can do for other browsers like Firefox/Chrome because mostly these are the browsers that are used…IE is seldomly used..

  • Water Duck

    I preferred to send myself an email with an innocuous title and which I saved along with a few other emails.
    I’ve been copying and pasting from that email for years.

  • Concerned Citizen

    Your grammar and punctuation suck.

  • Kaligus

    As an IT professional I have found it is far safer, easier, and more effective to teach people to ALWAYS clear their clipboard by copying useless text after a password paste, use a different password EVERYWHERE, remembered using a password safe program, randomly generated, and as long as possible.

    If you can remember your password it is insecure is still far more effective than reverting to short, easy to remember password that is the same everywhere.

    Let's say company "a" gets hacked and their password list is compromised, everyone who has remembered their short, easy to remember password now needs to change their password everywhere to be safe.

    Asking most people to use a password safe and not copy/paste is about the same as asking a child not to go nuts in a candy store, not asking people to use a password safe is making the job of miscreants easier because they only need to hack one company and they have a large useful cache of passwords.

  • Hello, thanks for the info. I was wondering if the clipboard is accessible by other running processes apart from browsers? And also, if you say IE is safe with that option disabled, what can we do in other browsers? And is it really, really safe this way?

  • Anonymous

    If you are a ‘Certified Ethical Hacker’ giving out bad advice like this, then you are a disgrace to the entire Information Technology industry.
    This article is clickbait and FUD.
    Remember the 10 Immutable Laws of Security: If a bad guy runs their program on your computer, it is not your computer anymore.

    It doesn’t matter if it is a script on a bad website or what have you. You lose control and there is little that the browser or computer can do to mitigate that.

    REAL Security is as follows:

    -Use a password manager like KeePass to create and securely store encrypted long/strong and unique passwords for every website.

    -KeePass will auto-clear the clipboard after 12 seconds; you can reduce this time to 5 seconds or less if you like.

    -Change your passwords often and monitor your online accounts. While users are attacked, it is far more profitable for the hacker to start attacking the services themselves now. Your information can be stolen/compromised no matter what you do on your end. Attacking a weak web service and gaining 100+ million passwords is a jackpot for hackers.

    And some real analysis:

    -Don’t listen to idiots like this that are the reason that websites block copy & paste into password fields now.

    -Using a password manager to copy & paste a lengthy strong password instead of being forced to type it in manually (and mess it up) will INCREASE security instead of decreasing it.

    -The clipboard spy and other spyware will get your info even if you type it into the password field, meaning you’d need to use a virtual keyboard and hope they aren’t taking screenshots while you do it (which they likely are doing anyways).

    -Meaning you’d need to use a virtual keyboard to input your password only on the Secure Desktop on Windows. And only use services that would support that feature and require it. And that isn’t going to happen if they can barely manage to stop using RC4-only ciphers after 5+ years of warning.

    -Meaning if you have to manually hunt and peck each unique password for every website using a virtual keyboard then you are more likely to choose shorter and easier to remember passwords. That’s how humans work.

    -The MAIN method of ENHANCING security is to NOT prohibit this copy/paste is evil FUD and to use a password manager to secure your accounts and change your passwords often (once a year is fine, once every 3 months for sensitive info is better).

    • John Doe

      Or if you really want to talk about security?
      Require that everyone only access your website using Linux and either Chromium or Firefox.
      Good luck with that 😉

    • Sir, if I use KeePass, can I safely copy and paste a password? Or even with KeePass shouldn't we do it? Because I didn't really understand what you say. And also, what difference does it make that the clipboard is erased every 5 sec by KeePass, since the content of the clipboard will have been recorded by any app or any browser? Please answer in easy English if possible.