British Gas reveals it doesn't think password managers are good for security

British GasWell, this is bizarre.

British Gas customer Ben Woodward understands the benefits of having a complicated, hard-to-remember password rather than a dumb, easy-to-guess one.

But, unfortunately, he says British Gas's website is set up in such a way that it prevents him from using his preferred password manager.

British Gas apparently doesn't let you copy-and-paste your password when you try to log into its site.

Anything which discourages users from adopting password managers or makes them less useful is bad for security as a whole.

We have enough trouble getting people to use stronger, unique passwords without sites like British Gas making safety online even more difficult.

Frankly it's a bizarre and inexplicable decision. I hope British Gas reconsiders, and builds its site to make it easier for customers to use a password manager - which I believe the vast majority of computer security experts would consider to be a more secure approach.

Sadly, I suspect British Gas is far from the only website to have a password manager-unfriendly login. If you know of others, feel free to leave a comment and maybe we can help them see sense.

Update:

This looks encouraging!

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

19 Responses

  1. Barry Neilsen

    July 15, 2015 at 1:08 pm #

    Annoying, and an odd policy statement, but not unique I'd have thought. My online bank site, plus one of my credit cards, asks for random characters from my password. I have to have my password manager open and visible on screen so I can count off the password characters each time I log on. Maybe some password managers can deal with this but the last time I checked the one that I use, KeePass, does not. I haven't thought through whether these restrictions actually strengthen security or weaken it.

    • Graham Cluley in reply to Barry Neilsen.

      July 15, 2015 at 1:17 pm #

      Hi Barry – long time no chat! (Barry was my first ever boss in the anti-virus industry)

      Yes, I've found that an issue too with some sites. They demand I don't enter my full password, but instead ask for the 7th, 12th and 24th character instead. It's almost made me want to have a less complex, less random, shorter password in frustration.

      Almost.

      What I tend to do is make a note for those sites in my password manager, listing each letter of my password in tabulated form so I can easily work out the position of each letter in the sequence.

      For instance, if my password was qtyBU{3Ek,M?dUoFvwf7

      I'd say

      1.. q
      2.. t
      3.. y
      4.. B
      5.. U
      6.. {

      You get the picture…

      • Phil Nash in reply to Graham Cluley.

        July 16, 2015 at 1:18 pm #

        "(Barry was my first ever boss in the anti-virus industry)" – I thought the name sounded familiar. Hi Barry!

        As for keeping passwords in tabulated form (in a password manager – 1Password in my case) that's exactly what I do too!

        It doesn't overcome the visibility angle, but I tend to do it from the app on my phone – even if I'm entering it on a desktop – to make it less immediately visible.

    • Techno in reply to Barry Neilsen.

      July 15, 2015 at 7:27 pm #

      In Keepass you can set the Auto-Type to do individual characters using {PICKCHARS}. For example, for one site that requires 3 characters I set the Auto-Type to:
      {PICKCHARS:Password:C=3}

      I click on the first password field, right-click and select Perform Auto-Type. This causes a window to appear where I pick the 3 characters and it inserts them.

      You may need to play around with it to get it right. For example, a delay can be useful
      {DELAY=200}{PICKCHARS:Password:C=3}
      :
      I haven't yet tried the scenario where a tab is required between each field. Presumably it would be:
      {PICKCHARS:Password:C=1}{TAB}{PICKCHARS:Password:C=1{TAB}{PICKCHARS:Password:C=1}

  2. Barry Neilsen

    July 15, 2015 at 2:20 pm #

    Yes, I do that too. Glad to find independent confirmation :)

    By the way, I've been following your posts for quite a while now. Great to have such a useful and trustworthy source of info with a pedigree – probably not the right word – that I don't have to verify for myself. Congratulations on the awards, too.

  3. Peter

    July 15, 2015 at 3:06 pm #

    Password manager My1Login uses the random character model to get access to the manager itself. I quite like My1Login, have used it for several years and have about 170 accounts stored in it.

  4. P. Anchen

    July 15, 2015 at 5:24 pm #

    British Gas Help: "I understand but…"

    Actually, the "but" usually means they DON'T understand. However, their updated reply does indeed look encouraging.

    It will be interesting to follow this story, especially if it turns out that British Gas changes their idiotic policy on password managers. Such responsiveness must surely be a clear and egregious violation of the Laws of Bureaucracy…especially apropos if utility companies are as heavily regulated in the UK as they are here in the U.S., where they're "private" in name only.

    A gas service utility would never get away with that kind of responsiveness here, where all signs of genuine government service are increasingly stomped to death by a state system that's fully committed to bureaucratic incompetence. The recent theft of 21.5 million people's personal information at the U.S. Office of Personnel Management is a case in point.

  5. Techno

    July 15, 2015 at 7:30 pm #

    Virgin Mobile has also disabled paste in their password field. It seems that this is becoming the accepted practice.

    In Keepass I get around it by using Auto-Type which inserts the password one character at a time (set the Auto-Type to {PASSWORD} only).

  6. Anonymous

    July 15, 2015 at 9:27 pm #

    Password managers are A solution, not THE solution (the latter of which probably doesn't even exist).

  7. Gordon Hay

    July 16, 2015 at 1:42 am #

    The issue with the British Gas site is, like some others, signing out returns you to the log-in page so that if you have auto-login enabled in LastPass you go straight back into the site, which I suspect is the reason the guy was trying to paste his password in rather than allow auto-login.

    Because it behaves like that I have auto-fill enabled and auto-login disabled for BG to get round that problem, just having to click the log-in button manually.

    The answer for BG is to have a "bye, come back soon" page appear after signing out, like, say, Tesco or Virgin.

  8. Jeremy Clulow

    July 16, 2015 at 12:23 pm #

    I just logged in to British Gas with LastPass and all worked quite normally with auto form fill. I use a variety of ad, Flash and script blockers in Firefox, so perhaps that helped me and might help others.

    • Vagelis in reply to Jeremy Clulow.

      July 16, 2015 at 12:28 pm #

      Yes, disabling Javascript does the trick. It is a workaround…

  9. Vagelis

    July 16, 2015 at 12:27 pm #

    Ebay has the same policy… Plus (this is not relevant to this subject) Paypal does not provide 2 factor authentication for non US users… It is just infuriating…

    • Gordon Hay in reply to Vagelis.

      July 16, 2015 at 12:38 pm #

      I'm in the UK and I have a form of 2FA enabled on PayPal – after the initial login I have to request a code to be sent by SMS to my phone, enter and submit it for the login to proceed. If I remember correctly you can set it up in your account/profile page.

  10. Kevin Waite

    July 16, 2015 at 12:42 pm #

    Hi. I use the PasswordSafe manager and it provides a very useful Display Subset of Password function. This neatly handles the situation where my bank wants the 13, 23 and 28th characters of my password: you just type those numbers and get the characters back.

  11. Martin Tomes

    July 17, 2015 at 6:56 am #

    There is a bookmarklet here which will disable the past blocking.

    http://meyerweb.com/eric/thoughts/2015/07/07/undoing-oncutoncopyonpaste-falsities/

  12. Gordonjcp

    September 18, 2015 at 10:58 pm #

    Passwords that are a random jumble of letters and symbols are stupid. Password *managers* are stupid. Don't do stupid stuff.

    I take it you've seen the XKCD cartoon about passwords?

  13. Graham Anderson

    October 29, 2015 at 10:03 am #

    Gordon, the battery horse staple whatever strategy only scales to looking out for a few important passwords that you don't want to commit to a password manager itself.

    I have over 600 logins in my password manager, and there is no way I could use the XKCD method to create unique, strong passwords for all of those sites and remember them. If you can, bravo!

  14. Raphael

    December 13, 2015 at 11:59 am #

    Graham, Google-Login also hardens the use of password managers. I use 1Password and have to click three times (once for the "remember me" deactivation) to login into my google account. It's on purpose for sure. They want you to keep your cookies, keep being logged in so all their web analytics plugins (used by millions of websites) and google internal services can be linked to your account. Knowledge sells and could also be put into good use (prevention of misuse etc.). People clearing their caches, cookies and returning with new sessions are harder to track. As a developer I can make sense of all the reasons behind it, but it's a bad decision overall.

Leave a Reply