
Until recently, treasurydirect made you log in using your mouse by pressing a keyboard laid out on a screen. This is a government website in the US for buying treasury bonds.

I didn’t know this when I made my account and fired up keepass per usual to create a massive random password. It takes me nearly 5 minutes of carefully pressing buttons on the screen and trying to keep my location in the password (you can’t see what you entered) just to get in.
Both of these reflect a security approach from early 2010s when keyboard sniffing was the worry-of-the-week. The idea was that even with all keystrokes intercepted, the full pw was never sent via keypresses.

One of my pals around that time turned on accessibility features like onscreen keyboards and diligently never typed a password. In a shell, a site, whatever.

It's unfortunate that these sites (Treasury and UK mortgage) were built around this time, but it also shows that with all the progress in tech, security is still glacial in places. And like all tech, we get stuck with trends for a while (like skeuomorphism in UX design).


> (like skeuomorphism in UX design)

Say what you want about skeuomorphism, but it at least gave people a fighting chance to figure out what in the world the target actually does.


I got around this by just editing the HTML. Worked like a charm


Also demonstrates how pointless that theater was.

A lot of GOOD malware doesn't "sniff keys" because that gives them a random stream of garbage that has little value. No human is going to sit there and hand-decipher that garbage. Instead, they either inject browser extensions, intercept at the Win32 layer, or intercept the HTTP traffic upstream of the browser, giving them the raw form fields with the URL, which can be packaged and sold.

So all TreasuryDirect was doing, when they were doing this, was inconveniencing real people while the malware didn't even notice. Utterly insane. Glad someone had them quit it.


A lot of efforts to prevent malpractice are like this. Anti-piracy software only really hurts paying customers, for example.


These days I'd be scared that this fails some biometric spyware check and gets your entire account instantly banned and deleted with no recourse.


I found some sites recently that have big ASCII banners in the console log when you open devtools telling you to stop being naughty.


Yeah, you could just delete "readonly" from the input, then try the password manager autofill again. Thankfully no longer necessary.


That's kinda hilarious though.

Also a nice example of when security through obscurity is harmful. "If we show a picture of a keyboard instead of taking text input, that'll stop the hackers!"


Incidentally, you could find the hidden input in developer tools, and just type your password there like a normal person. But yeah. That site is so bad that I never bought more ibonds even though they were a great deal.


You could open dev tools and modify the input, and then pasting worked.
