-
-
Save nikolaplejic/3654637 to your computer and use it in GitHub Desktop.
PayPal blocks copy/paste actions in their "change password" form, | |
citing some irrelevant security issues as the reason. That's a | |
load of crap, and they know it -- disabling copy/paste makes it a | |
lot harder to use a decent password generator and a lot easier to | |
screw up your pwd when retyping, especially if it's a long one | |
(as it should be!). | |
So, here's the quick'n'dirty way to use an externally generated | |
password in your PayPal account: | |
* open the change password form; | |
* open up the console in your browser of choice (recent versions | |
of Firefox: CTRL+Shift+K, Chrome/Chromium: CTRL+Shift+J); | |
* you should see an input form at the bottom of the console; | |
copy/paste each of the following lines, replacing the string | |
"password" with your desired pwd and hitting enter after each | |
one: | |
document.getElementById("new_password").value = "password"; | |
document.getElementById("retype_password").value = "password"; | |
* close the console by pressing the relevant key combo once | |
again, submit the form & voilà! |
You can't change your password without javascript enabled. It's pretty awesome!
Thanks. All my passwords are random sequences and my Bank, eBay and PayPal passwords are 22 characters (okay, PayPal yanks me down to 20 characters). What idiot at PayPal thinks that typing a random sequence of 20 characters is plausible? What idiot believes that it's more secure to force me to use a shorter or less-random password?
Thanks, works perfectly.
Won't work with pass phrases that are longer than 20 chars, even if you try to "inject" it over the js-console.
@Paypal FIX THAT! 20 chars maximum are not valid for 2013.
Please :).
This didn't work for me, so I found a different way: go to the screen with the "change password" link on it. Disable Javascript (the chrome "quick javascript switcher" helps for this). Click the "change password" link. Laugh evilly at the "please enable javascript" complaint. Copy/Paste at will.
It works, it's just the fields are now "password" and "retypepassword". Thanks for this!
Couldn't disable Javascript in Firefox without having to restart the browser (or so I read), but this worked great -
ebay
document.getElementById("password").value = "12345678901234567890";
document.getElementById("retypepassword").value = "12345678901234567890";
paypal
document.getElementById("new_password").value = "12345678901234567890";
document.getElementById("retype_password").value = "12345678901234567890";
Paypal's limit was 20 characters, I don't remember ebay's.
Alternatively, just restore the ability to paste with a userscript (install).
If anyone knows the affected PayPal URLs, let me know and I'll add them.
A URL for Paypal is:
@mykmelez: Thanks, added.
userscript does not work, even with the updated include lines, and after removing paypal from the blacklist
I found a video of eBay's password reset user testing. He seemed to like it. http://youtu.be/oNrWgjh9tnU
Thanks for this.
Skype also limits passwords to 20 characters but doesn't tell you. I found out by being unable to log in.
I don't understand why any company limits the length of passwords. They store cryptographic hashes, not the actual passwords, which always have a fixed length regardless of the length of the original password, so why do they care? Having a minimum, I understand, but not a maximum.
Thank you very much. eBay had this same insane nonsense, preventing me from using a secure 64-character password I could store in KeePass. Your method saved the day.
Thank you all so much for clarifying. I can confirm that as of 18/01/2015 bburns' code:
document.getElementById("password").value = "12345678901234567890";
document.getElementById("retypepassword").value = "12345678901234567890";
still works for ebay; I did not test the paypal code.
the ids are now pwdID and retype_password
Well, I think it's stupid to limit the password to 20 chars only.
I mean I use venerable pwgen tool usually like:
pwgen -ync 40
That gives me a 40 character long password containings small/capital letters, numbers and symbols.
Anyway, I was able to enter my generated password like this:
In chromium press ctrl-shift-j,
then go to the Elements tab
then navigate through the html to find the password fields
right-click the <input type="text"....> entries and selected "Edit Attributes"
added value="123456"
(doing it for both new password fields)
and submitted the form.
Update PayPal passwords useing KeePass Auto-Type function.
Just create a new KeePass entry with the following Auto-Type sequence:
{USERNAME}{TAB}{PASSWORD}{TAB}{PASSWORD}{ENTER}
{USERNAME} is your old PayPal password
{PASSWORD} is your new PayPal password
That's it. Works until it doesn't.
Apparently PayPal isn't too happy when one calls them and complains about this retarded "security" feature. I believe the fact that I was reading this while on hold didn't help much because they now think I'm intending to "hack the PayPal website if that's even possible"(the consultant's words, not mine). Ah well, I should probably make that payment before I get suspended.
$("#new_password").val("yournewpassword");
$("#retype_password").val("yournewpassword");
from console works
Update: Same old security theatre, shiny new selector
document.getElementById("pwdID").value = "password";
document.getElementById("retype_password").value = "password";
Must be 8-20 characters.
Here we go again:
document.getElementById("password").value = "password";
document.getElementById("retypepassword").value = "password";
Values are pwdID and retype_password.
And we entrust them to our credit cards? lol
Thanks for the Gist
IDs have changed again. They now are newPassword and confirmNewPassword
I had to tryhard a few document.getElementsByTagName("input")[16].id; to find out. |_|
Thanks for updated IDs!
this should work with all the ids:
var pw = "password";
if (pw.length < 8) { alert("Password too short!\nMin 8 chars!"); return; }
else if (pw.length > 20 { alert("Password too long!\nMax 20 chars!"); return; }
var ids = ["pwdID", "retype_password", "newPassword", "confirmNewPassword", "password", "retypepassword"];
var arrayLength = ids.length;
for (var i = 0; i < arrayLength; i++) {
document.getElementById(ids[i]).value = pw;
}
document.getElementById("change_password").removeAttribute("disabled")
//document.getElementsByName("validatePwdForm")[0].submit();
Another way round this is to disable javascript