
Paypal, vulnerability through obscurity?

I have been a member of Paypal for quite some time, and I use it rarely.

When I use it, I want it to be a quick, seamless experience. I log in, do my business, log out. That's it.

Reality is different. Although I must admit, it does not help that I forget my password every time. Since I use Paypal every 6 to 12 months I can’t get it in my muscle memory.

I bought 1password a while back to help me remember only one password (you don’t say?) and let it generate strong, secure passwords. I have been changing my passwords on all websites I visit ever since.

And so Paypal and I meet again. And I want to change my password.

The last time I wanted to change my password at Paypal it was a very, very unpleasant experience. I actually was glad I got through the process and wanted to forget about it. This time I decided to write about it because it is a long while back and it really is bad.

In a sense you could say Paypal has been compromised, not technically but through usability.

Before I could change my password I had to answer my security questions which I filled in whaaaay back and I could hardly remember them. Since I did know the answer to the security question but I could not write them down *exactly* I had a hard time getting past the first step. So I get it, you want to protect us from others changing our password when we forgot to log out and such. Why not ask the password *again* (old password) at this very step? (This step did not happen after I wanted to change my password again, so it is as if this comes into effect when the user has not logged in for a while.)

Once I got past the ‘security questions’ page I actually get the familiar 3 fields: old password, new password and new password again.

I open 1password, let it generate a strong password and then I got smacked in the face again. You may not copy and paste a password in the ‘new password’ fields. Paypal deliberately blocks any copy/paste actions.

We’re not finished though, because Paypal is also very specific about what your password may or may not be.

– It may not contain your name or email address (which makes sense)

– It must contain a symbol, a number and a capital. Even though it does not even matter for your password strength. (it is not like computers actually *read* your password as humans do)

– It has a maximum length. What!? Got worried passwords take up too much space? I can’t possibly imagine why you would restrict this.

– Your password should be hard to guess for a relative or friend. (which kind of implies the 1st point)

Since I cannot copy/paste the password, I have to copy/paste the password in an editor. Re-arrange my windows so I can fill in my password and see it at the same time. After I filled the first new password field, I actually get a warning that my password is at maximum length. As if it is a bad thing my password is 20 characters long.

I go on, type the password again and (of course) I made a mistake (typo), which results in a red message saying the passwords are not the same.

So here I am, trying to change my password and about to give up because it is as if Paypal does not want me to have a secure account.

I believe we have here a ‘we think too much for the user’ syndrome. I believe Paypal does want their users to have secure accounts (the what part), but how they implemented it is having an opposite effect (at least on me). So how could they have done it better?

– get rid of the security questions first (*)

– don’t restrict maximum password length, keep your minimum. Seriously, there is no reason to do this.

– don’t enforce special symbols, capitals or numbers. Instead hint them how to create easy to remember yet very strong passwords.

– allow copy and pasting. If you are afraid of some users being compromised by that, then they probably are being compromised on several levels.

And perhaps the most important suggestion: Make it easy, seamless and effortless to change your password.

(*) – Yes, this might indicate that if someone knew my password they could change it, which perhaps the security questions wanted to prevent. However, if someone knew my password then that is a problem in itself. And you’re probably trying to fix the wrong problem.
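
The password rules described in the post and the rules it suggests instead, written as two validators and run over the same inputs. This is an added example, not Paypal's code: the minimum length of 8, the function names, the sample user and the sample passwords are assumptions constructed for illustration, and the maximum of 20 is taken from the warning the post reports.

```javascript
const ASSUMED_MIN = 8;   // assumption: the post does not state a minimum length
const OBSERVED_MAX = 20; // the post reports a maximum-length warning at 20 characters

// True when the password contains the user's name, email or email local part.
function containsIdentity(pw, user) {
  const p = pw.toLowerCase();
  const parts = [user.name, user.email, user.email.split("@")[0]];
  return parts.some((s) => s.length >= 3 && p.includes(s.toLowerCase()));
}

// Rules as the post describes them. Returns violations; empty means accepted.
function describedPolicy(pw, user) {
  const errs = [];
  if (pw.length < ASSUMED_MIN) errs.push("too short");
  if (pw.length > OBSERVED_MAX) errs.push("too long");
  if (!/[A-Z]/.test(pw)) errs.push("needs capital");
  if (!/[0-9]/.test(pw)) errs.push("needs number");
  if (!/[^A-Za-z0-9]/.test(pw)) errs.push("needs symbol");
  if (containsIdentity(pw, user)) errs.push("contains name or email");
  return errs;
}

// Rules as the post suggests them: keep the minimum and the identity check only.
function suggestedPolicy(pw, user) {
  const errs = [];
  if (pw.length < ASSUMED_MIN) errs.push("too short");
  if (containsIdentity(pw, user)) errs.push("contains name or email");
  return errs;
}

// Naive brute-force search space in bits: length * log2(character pool size).
// Only meaningful for randomly generated passwords; it overstates human-chosen ones.
function searchSpaceBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33; // printable ASCII symbols incl. space
  return Math.round(pw.length * Math.log2(pool || 1));
}

// Constructed sample user and passwords (not real credentials).
const user = { name: "Alex", email: "alex@example.com" };
const samples = ["Summer2024!", "kdu3hq8znw0cbxmf72ltpeoa9rvy", "Alex-2024-Paypal!"];
for (const pw of samples) {
  console.log(pw, searchSpaceBits(pw) + " bits",
    "| described:", describedPolicy(pw, user).join(", ") || "accepted",
    "| suggested:", suggestedPolicy(pw, user).join(", ") || "accepted");
}
```

The 28-character generated password is rejected by the described rules on three counts, while the short dictionary-word password that satisfies every composition rule is accepted.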